NTP, ntpdate, and ISP-based firewall

Bevan C. Bennett bevan at fulcrummicro.com
Thu Mar 4 17:35:35 UTC 2004


Don Levey wrote:
> On Wed, 2004-03-03 at 18:56, Bevan C. Bennett wrote:
> 
>>Don Levey wrote:
>>
>>
>>>ntp.conf (some comments excised):
>>
>>(other comments excised)
>>
>>Well, let's start with your .conf file and see what we can do...
>>
>>
>>>restrict default ignore
>>>restrict 69.22.157.240 mask 255.255.255.255 nomodify notrap noquery
>>>restrict 127.0.0.1
>>>restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
>>>server 69.22.157.240
>>>server  ntp.ourconcord.net
>>>server  ntp-0.cso.uiuc.edu
>>>fudge   127.127.1.0 stratum 10
>>>driftfile /etc/ntp/drift
>>>broadcastdelay  0.008
>>>
>>>keys            /etc/ntp/keys
>>
>>This is all a little odd... you won't need the 192.168 line until you're 
>>ready to broadcast (which you aren't doing).
>>
>>Try the following:
>># /etc/ntp.conf test file
>>#
>># be paranoid by default
>>restrict default ignore
>># local clock of last resort
>>server  127.127.1.0
>>fudge   127.127.1.0 stratum 10
>>#
>>driftfile /etc/ntp/drift
>>#
>># allow loopback ntpq connections
>>restrict 127.0.0.0 mask 255.0.0.0 nomodify
>>#
>># servers servers servers
>>server 69.22.157.240
>>restrict 69.22.157.240 mask 255.255.255.255 nomodify notrap noquery
>>server ntp.ourconcord.net
>>restrict ntp.ourconcord.net mask 255.255.255.255 nomodify notrap noquery
>>server ntp-0.cso.uiuc.edu
>>restrict ntp-0.cso.uiuc.edu mask 255.255.255.255 nomodify notrap noquery
>>
>>Then try 'service ntpd restart' to start up ntpd, wait a minute or so, 
>>and use 'ntpq -np' to see what's going on.
>>
> 
> 
> Hmm... I tried your test conf file, here's what I got:
> [root at davinci etc]# ntpq -np
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  127.127.1.0     127.127.1.0     10 l   44   64    1    0.000    0.000   0.008
>  69.22.157.240   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
> 
> Looks like I'm not getting out and back?

That's what 'reach=0' generally implies...
Even more odd, you aren't even trying the other two servers.
Any change if you replace them with their IPs? (216.204.156.2 and 
130.126.24.53) Is your DNS ok?

While that's running, try 'tcpdump host 69.22.157.240' to see what 
traffic's actually going by.

You should see pairs of packets something like this (this is from my ntp 
server):

09:33:19.579902 urd.ntp > tick.usnogps.navy.mil.ntp:  v4 client strat 0 poll 6 prec -18 (DF) [tos 0x10]
09:33:19.620380 tick.usnogps.navy.mil.ntp > urd.ntp:  v4 server strat 1 poll 6 prec -19 (DF) [tos 0x10]
09:34:24.581554 urd.ntp > tick.usnogps.navy.mil.ntp:  v4 client strat 0 poll 6 prec -18 (DF) [tos 0x10]
09:34:24.621438 tick.usnogps.navy.mil.ntp > urd.ntp:  v4 server strat 1 poll 6 prec -19 (DF) [tos 0x10]

If you don't see the reply, you're getting blocked somewhere outside. If 
you -do- see the reply, you're not getting blocked, but just aren't 
acknowledging the replies (possibly due to iptables).
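The two checks Bevan describes above, reading the `reach` column of `ntpq -np` (an octal shift register of the last eight polls, so `0` means no answer at all) and pairing tcpdump client requests with server replies, can be scripted. The following is an added example, not code from the thread or from the ntp project; it embeds the `ntpq` output and tcpdump lines from the thread as sample input, plus one constructed, unanswered request at 09:35 so that the pairing logic has something to flag.

```python
"""Diagnose NTP peer reachability from 'ntpq -np' output and tcpdump NTP lines."""
import re
from collections import namedtuple

# 'ntpq -np' output as shown in the thread (wrapped lines rejoined).
NTPQ_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     127.127.1.0     10 l   44   64    1    0.000    0.000   0.008
 69.22.157.240   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
"""

# tcpdump lines from the thread; the final 09:35 request is constructed for this
# example and deliberately has no matching reply.
TCPDUMP_SAMPLE = """\
09:33:19.579902 urd.ntp > tick.usnogps.navy.mil.ntp:  v4 client strat 0 poll 6 prec -18 (DF) [tos 0x10]
09:33:19.620380 tick.usnogps.navy.mil.ntp > urd.ntp:  v4 server strat 1 poll 6 prec -19 (DF) [tos 0x10]
09:34:24.581554 urd.ntp > tick.usnogps.navy.mil.ntp:  v4 client strat 0 poll 6 prec -18 (DF) [tos 0x10]
09:34:24.621438 tick.usnogps.navy.mil.ntp > urd.ntp:  v4 server strat 1 poll 6 prec -19 (DF) [tos 0x10]
09:35:29.583001 urd.ntp > tick.usnogps.navy.mil.ntp:  v4 client strat 0 poll 6 prec -18 (DF) [tos 0x10]
"""

Peer = namedtuple("Peer", "remote refid stratum reach verdict")

# ntpq glues a one-character tally code (*, +, -, x, #, o, .) onto the remote column.
TALLY_CODES = "*+-x#o."


def diagnose_peers(ntpq_text):
    """Parse 'ntpq -np' peer lines and explain what the reach register says."""
    peers = []
    for line in ntpq_text.splitlines():
        if not line.strip() or line.lstrip().startswith("remote") or line.startswith("="):
            continue  # blank, header, or separator line
        fields = line.split()
        if fields[0][0] in TALLY_CODES:
            fields[0] = fields[0][1:]
        remote, refid = fields[0], fields[1]
        stratum = int(fields[2])
        reach = int(fields[6], 8)  # reach is printed in octal; one bit per poll
        if reach == 0:
            verdict = "no reply to any of the last 8 polls"
        elif reach == 0o377:
            verdict = "all of the last 8 polls answered"
        else:
            verdict = "intermittent: %d of the last 8 polls answered" % bin(reach).count("1")
        if stratum == 16 and refid == "0.0.0.0":
            verdict += "; peer never synchronised"
        peers.append(Peer(remote, refid, stratum, reach, verdict))
    return peers


# Matches the tcpdump NTP summary format used in the thread.
PKT_RE = re.compile(r"^(\S+) (\S+)\.ntp > (\S+)\.ntp:\s+v\d (client|server) ")


def unanswered_requests(tcpdump_text):
    """Return timestamps of client requests that never got a server reply.

    A request is considered unanswered if the next packet for the same
    client/server pair is another request, or if the capture ends first.
    """
    pending = {}  # (client, server) -> timestamp of the outstanding request
    unanswered = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        ts, src, dst, mode = m.groups()
        if mode == "client":
            key = (src, dst)
            if key in pending:
                unanswered.append(pending[key])
            pending[key] = ts
        else:
            pending.pop((dst, src), None)  # reply clears the outstanding request
    unanswered.extend(pending.values())
    return unanswered


if __name__ == "__main__":
    for peer in diagnose_peers(NTPQ_SAMPLE):
        print("%-16s reach=%03o  %s" % (peer.remote, peer.reach, peer.verdict))
    for ts in unanswered_requests(TCPDUMP_SAMPLE):
        print("request at %s got no reply" % ts)
```

Run against the thread's output, the script reports `69.22.157.240` with `reach=000` and never synchronised, which is the "not getting out and back" symptom; a request that shows up as unanswered in the tcpdump pairing points at a block upstream, while a request that is answered but still leaves `reach` at zero points at the local packet filter.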
