NTP, ntpdate, and ISP-based firewall
Bevan C. Bennett
bevan at fulcrummicro.com
Thu Mar 4 17:35:35 UTC 2004
Don Levey wrote:
> On Wed, 2004-03-03 at 18:56, Bevan C. Bennett wrote:
>
>>Don Levey wrote:
>>
>>
>>>ntp.conf (some comments excised):
>>
>>(other comments excised)
>>
>>Well, let's start with your .conf file and see what we can do...
>>
>>
>>>restrict default ignore
>>>restrict 69.22.157.240 mask 255.255.255.255 nomodify notrap noquery
>>>restrict 127.0.0.1
>>>restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
>>>server 69.22.157.240
>>>server ntp.ourconcord.net
>>>server ntp-0.cso.uiuc.edu
>>>fudge 127.127.1.0 stratum 10
>>>driftfile /etc/ntp/drift
>>>broadcastdelay 0.008
>>>
>>>keys /etc/ntp/keys
>>
>>This is all a little odd... you won't need the 192.168 line until you're
>>ready to broadcast (which you aren't doing).
>>
>>Try the following:
>># /etc/ntp.conf test file
>>#
>># be paranoid by default
>>restrict default ignore
>># local clock of last resort
>>server 127.127.1.0
>>fudge 127.127.1.0 stratum 10
>>#
>>driftfile /etc/ntp/drift
>>#
>># allow loopback ntpq connections
>>restrict 127.0.0.0 mask 255.0.0.0 nomodify
>>#
>># servers servers servers
>>server 69.22.157.240
>>restrict 69.22.157.240 mask 255.255.255.255 nomodify notrap noquery
>>server ntp.ourconcord.net
>>restrict ntp.ourconcord.net mask 255.255.255.255 nomodify notrap noquery
>>server ntp-0.cso.uiuc.edu
>>restrict ntp-0.cso.uiuc.edu mask 255.255.255.255 nomodify notrap noquery
>>
>>Then try 'service ntpd restart' to start up ntpd, wait a minute or so,
>>and use 'ntpq -np' to see what's going on.
>>
>
>
> Hmm... I tried your test conf file, here's what I got:
> [root at davinci etc]# ntpq -np
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  127.127.1.0     127.127.1.0     10 l   44   64    1    0.000    0.000   0.008
>  69.22.157.240   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
>
> Looks like I'm not getting out and back?
That's what 'reach=0' generally implies...
Even more odd, you aren't even trying the other two servers.
Any change if you replace them with their IPs? (216.204.156.2 and
130.126.24.53) Is your DNS ok?
While that's running, try 'tcpdump host 69.22.157.240' to see what
traffic's actually going by.
You should see pairs of packets something like this (this is from my ntp
server):
09:33:19.579902 urd.ntp > tick.usnogps.navy.mil.ntp: v4 client strat 0 poll 6 prec -18 (DF) [tos 0x10]
09:33:19.620380 tick.usnogps.navy.mil.ntp > urd.ntp: v4 server strat 1 poll 6 prec -19 (DF) [tos 0x10]
09:34:24.581554 urd.ntp > tick.usnogps.navy.mil.ntp: v4 client strat 0 poll 6 prec -18 (DF) [tos 0x10]
09:34:24.621438 tick.usnogps.navy.mil.ntp > urd.ntp: v4 server strat 1 poll 6 prec -19 (DF) [tos 0x10]
If you don't see the reply, you're getting blocked somewhere outside. If
you -do- see the reply, you're not getting blocked, but just aren't
acknowledging the replies (possibly due to iptables).
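Added example, not part of the thread or of the ntp distribution: a small Python script that parses an `ntpq -np` billboard and `tcpdump host <server>` output in the formats shown above and applies the reasoning of this reply (reach=0, then check whether requests leave and replies come back). All sample input is constructed; the local address 192.168.1.10, the use of `tcpdump -n` so that IPs rather than names appear, and one packet per line (the mail-wrapped lines re-joined) are assumptions.

```python
import re

# Constructed sample: the ntpq -np billboard from the thread, one peer per line.
NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     127.127.1.0     10 l   44   64    1    0.000    0.000   0.008
 69.22.157.240   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
"""

# Constructed samples in the `tcpdump -n host <server>` layout shown in the
# thread, one packet per line; the local address 192.168.1.10 is an assumption.
LOCAL = "192.168.1.10"
TCPDUMP_BLOCKED = """\
09:33:19.579902 192.168.1.10.ntp > 69.22.157.240.ntp: v4 client strat 0 poll 6 prec -18 (DF)
09:34:24.581554 192.168.1.10.ntp > 69.22.157.240.ntp: v4 client strat 0 poll 6 prec -18 (DF)
"""
TCPDUMP_REPLIED = """\
09:33:19.579902 192.168.1.10.ntp > 69.22.157.240.ntp: v4 client strat 0 poll 6 prec -18 (DF)
09:33:19.620380 69.22.157.240.ntp > 192.168.1.10.ntp: v4 server strat 2 poll 6 prec -19 (DF)
"""


def parse_ntpq(text):
    """Parse the ntpq -np billboard. Column 0 is the tally code (blank, *, +, -,
    #, x, o or .); reach is an 8-bit shift register printed in octal, so 377
    means the last eight polls were all answered and 0 means none were."""
    peers = []
    for line in text.splitlines():
        if not line or line.startswith("=") or line.split()[0] == "remote":
            continue
        tally, parts = line[0].strip(), line[1:].split()
        if len(parts) != 10:
            continue
        remote, refid, st, t, _when, poll, reach, delay, offset, jitter = parts
        reach = int(reach, 8)
        peers.append({
            "remote": remote, "tally": tally, "refid": refid,
            "stratum": int(st), "type": t, "poll": int(poll),
            "reach": reach, "polls_answered": bin(reach).count("1"),
            "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
        })
    return peers


def unreachable(peers):
    """Remote peers (not the local clock driver, type 'l') with reach 0."""
    return [p["remote"] for p in peers if p["type"] != "l" and p["reach"] == 0]


TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.ntp > (?P<dst>\S+)\.ntp: "
    r"v(?P<ver>\d) (?P<mode>client|server) strat (?P<strat>\d+)")


def parse_tcpdump(text):
    """Parse one NTP packet per line; lines wrapped as in the mail must be re-joined first."""
    pkts = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            d = m.groupdict()
            d["strat"] = int(d["strat"])
            pkts.append(d)
    return pkts


def diagnose(peers, pkts, local):
    """Combine reach from ntpq with what tcpdump saw, per remote server,
    following the reply's reasoning. Returns {server: verdict}."""
    verdicts = {}
    for p in peers:
        if p["type"] == "l":
            continue
        srv = p["remote"]
        sent = sum(1 for k in pkts if k["src"] == local and k["dst"] == srv and k["mode"] == "client")
        got = sum(1 for k in pkts if k["src"] == srv and k["dst"] == local and k["mode"] == "server")
        if p["reach"]:
            verdicts[srv] = "ok: %d of last 8 polls answered" % p["polls_answered"]
        elif sent == 0:
            verdicts[srv] = "no request sent: ntpd is not polling this server (config or DNS) or outbound is filtered on the host"
        elif got == 0:
            verdicts[srv] = "requests leave, no reply seen: blocked somewhere outside the host"
        else:
            verdicts[srv] = "reply seen on the wire but reach still 0: dropped locally before ntpd (iptables INPUT?)"
    return verdicts


if __name__ == "__main__":
    peers = parse_ntpq(NTPQ_OUTPUT)
    print("unreachable:", unreachable(peers))
    for name, dump in (("blocked", TCPDUMP_BLOCKED), ("replied", TCPDUMP_REPLIED)):
        print(name, diagnose(peers, parse_tcpdump(dump), LOCAL))
```

Feed it a real billboard and capture by replacing the constructed strings with the output of `ntpq -np` and `tcpdump -n host <server>`; the stratum 16 and refid 0.0.0.0 in the sample are what an unsynchronised peer entry looks like before the first reply ever arrives.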