NTP synchronized: no

Shaheen Bakhtiar shashaness at hotmail.com
Wed Sep 9 23:01:12 UTC 2015


> On Sep 9, 2015, at 3:47 PM, John Pilkington <J.Pilk at tesco.net> wrote:
> 
> On 09/09/15 23:43, Ed Greshko wrote:
>> On 09/10/15 06:18, John Pilkington wrote:
>>> ... and (on my SL7 box) # tcpdump port 123
>>> shows the outgoing probe and the response, for calculation of the transit time:
>>> 
>>> 23:01:55.706587 IP HP_Box.home.ntp > vpn.webersheim.de.ntp: NTPv3, Client, length 48
>>> 23:01:55.741872 IP vpn.webersheim.de.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
>>> 23:09:18.187249 IP HP_Box.home.ntp > 213.145.129.29.ntp: NTPv3, Client, length 48
>>> 23:09:18.323093 IP 213.145.129.29.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
>>> 23:12:00.892883 IP HP_Box.home.ntp > srv02.privatcloud.dk.ntp: NTPv3, Client, length 48
>>> 23:12:00.912962 IP srv02.privatcloud.dk.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
>> 
>> Nice to know....  Yet you really should consider trimming.  Otherwise you'll start to prove top-posters right.  :-) :-)
>> 
> Yes: I wanted to show the contrast with the non-working log above, but should have trimmed the rest.
> 

Top posting is the only way to go :P But that’s for a late night drunken argument on IRC :P

For now I can validate that yes, indeed simply opening port 123 on the firewall was not enough (in fact, it’s not needed at all, I’ve subsequently removed it from iptables, and will do so from the ACL when I get back to the office). It looks like there has to be a stateful inspection of the packet going out, so that the NTP pool can respond to the client back on the same port, through the firewall. This most likely works for home and small business users as their routers are stateful. But it has to be set up for corporate routers, in my case with the commands I mentioned (and re-attached to the bottom of this email :) 

You can clearly see that the NTP pool is sending back a packet from port 123 (ntp) back to the same unprivileged port it received the packet from.

The only reason to open port 123 inbound would be to act as an NTP server to other clients.

[root at www tripwire]# systemctl restart chronyd
[root at www tripwire]# tcpdump port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp14s0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:49:11.146312 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.50032: NTPv4, Server, length 48
15:49:11.282909 IP www.inksystemsinc.com.33805 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
15:49:11.295301 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.33805: NTPv4, Server, length 48
15:49:12.154596 IP www.inksystemsinc.com.37921 > cheri.shyou.org.ntp: NTPv4, Client, length 48
15:49:12.199266 IP cheri.shyou.org.ntp > www.inksystemsinc.com.37921: NTPv4, Server, length 48
15:49:12.355839 IP www.inksystemsinc.com.36254 > 23.99.222.162.ntp: NTPv4, Client, length 48
15:49:12.405257 IP 23.99.222.162.ntp > www.inksystemsinc.com.36254: NTPv3, Server, length 48
15:49:13.165008 IP www.inksystemsinc.com.45016 > 66-96-98-9.ccup.irmt.uplogon.net.ntp: NTPv4, Client, length 48
15:49:13.233225 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.45016: NTPv4, Server, length 48
15:49:13.366453 IP www.inksystemsinc.com.37220 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
15:49:13.378228 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.37220: NTPv4, Server, length 48
15:49:14.204110 IP www.inksystemsinc.com.44675 > cheri.shyou.org.ntp: NTPv4, Client, length 48
15:49:14.249188 IP cheri.shyou.org.ntp > www.inksystemsinc.com.44675: NTPv4, Server, length 48
15:49:14.432249 IP www.inksystemsinc.com.54356 > 23.99.222.162.ntp: NTPv4, Client, length 48
15:49:14.481175 IP 23.99.222.162.ntp > www.inksystemsinc.com.54356: NTPv3, Server, length 48
15:49:15.241817 IP www.inksystemsinc.com.50570 > 66-96-98-9.ccup.irmt.uplogon.net.ntp: NTPv4, Client, length 48
15:49:15.310147 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.50570: NTPv4, Server, length 48
15:49:15.445005 IP www.inksystemsinc.com.50433 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
15:49:15.457139 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.50433: NTPv4, Server, length 48
15:49:16.285339 IP www.inksystemsinc.com.60738 > cheri.shyou.org.ntp: NTPv4, Client, length 48
15:49:16.330519 IP cheri.shyou.org.ntp > www.inksystemsinc.com.60738: NTPv4, Server, length 48
15:49:16.489066 IP www.inksystemsinc.com.38469 > 23.99.222.162.ntp: NTPv4, Client, length 48
15:49:16.537935 IP 23.99.222.162.ntp > www.inksystemsinc.com.38469: NTPv3, Server, length 48
15:49:17.348502 IP www.inksystemsinc.com.51116 > 66-96-98-9.ccup.irmt.uplogon.net.ntp: NTPv4, Client, length 48
15:49:17.418904 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.51116: NTPv4, Server, length 48
15:49:17.549840 IP www.inksystemsinc.com.59677 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
15:49:17.561896 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.59677: NTPv4, Server, length 48

ROUTER CONFIG:

ISIR02#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
ISIR02(config)#ip inspect name ge01_out_fw udp
ISIR02(config)#interface gigabitEthernet 0/1.50
ISIR02(config-subif)#ip inspect ge01_out_fw out
ISIR02(config-subif)#exit
ISIR02(config)#exit
ISIR02#write mem

> -- 
> users mailing list
> users at lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
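The request/reply pairing the post points out in its tcpdump output can be checked mechanically. The script below is an added example, not code from the poster or the list: it parses the one-line summaries that `tcpdump port 123` prints, matches each outgoing Client packet to the Server packet that comes back to the same ephemeral source port, reports the round-trip time, and lists probes that never got a reply (the symptom of a firewall dropping the return traffic) as well as replies for which no request was seen. The sample capture is constructed with example.net/example.com names and documentation addresses, modelled on the lines in the post; its first reply has no visible request, just as the first line of the posted capture does.

```python
"""Pair NTP client probes with their server replies in tcpdump output.

Added example. Reads the one-line summaries printed by `tcpdump port 123`,
matches each Client packet to the Server packet returning to the same
ephemeral port, and reports round-trip times plus unanswered probes.
"""
import re

# One tcpdump summary line for an NTP packet. tcpdump joins host and port
# with a dot, so the port is split off at the last dot below.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"NTPv(?P<ver>\d), (?P<role>Client|Server), length (?P<length>\d+)$"
)


def split_endpoint(endpoint):
    """'www.example.com.33805' -> ('www.example.com', '33805')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def ts_to_us(ts):
    """'15:49:11.295301' -> integer microseconds since midnight (no float error)."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 1_000_000 + int(frac)


def pair_ntp_exchanges(capture_text):
    """Return (exchanges, unanswered, unsolicited) for a tcpdump capture.

    exchanges:   one dict per matched request/reply pair, in reply order.
    unanswered:  client probes with no reply seen (dropped, or still pending
                 when the capture ended).
    unsolicited: server packets for which no request was seen.
    """
    pending = {}
    exchanges, unsolicited = [], []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines ("listening on ...") and non-NTP traffic
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        t = ts_to_us(m["ts"])
        if m["role"] == "Client":
            # The client's ephemeral port plus the server it asked identify
            # the exchange; a stateful firewall tracks the same tuple.
            pending[(src_host, src_port, dst_host)] = t
        else:
            sent = pending.pop((dst_host, dst_port, src_host), None)
            if sent is None:
                unsolicited.append(line.strip())
                continue
            exchanges.append({
                "server": src_host,
                "client_port": dst_port,
                # The reply must come from the NTP port back to the probing port.
                "reply_from_ntp_port": src_port == "ntp",
                "server_version": int(m["ver"]),
                "rtt_us": t - sent,
            })
    unanswered = [
        {"server": server, "client_port": port, "sent_us": sent}
        for (_client, port, server), sent in pending.items()
    ]
    return exchanges, unanswered, unsolicited


# Constructed sample capture (not the poster's), shaped like the posted one.
SAMPLE_CAPTURE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:49:11.146312 IP ntp-a.example.net.ntp > client.example.com.50032: NTPv4, Server, length 48
15:49:11.282909 IP client.example.com.33805 > ntp-b.example.net.ntp: NTPv4, Client, length 48
15:49:11.295301 IP ntp-b.example.net.ntp > client.example.com.33805: NTPv4, Server, length 48
15:49:12.154596 IP client.example.com.37921 > ntp-c.example.net.ntp: NTPv4, Client, length 48
15:49:12.199266 IP ntp-c.example.net.ntp > client.example.com.37921: NTPv4, Server, length 48
15:49:12.355839 IP client.example.com.36254 > 192.0.2.10.ntp: NTPv4, Client, length 48
15:49:12.405257 IP 192.0.2.10.ntp > client.example.com.36254: NTPv3, Server, length 48
15:49:13.165008 IP client.example.com.45016 > ntp-a.example.net.ntp: NTPv4, Client, length 48
"""

if __name__ == "__main__":
    ok, lost, stray = pair_ntp_exchanges(SAMPLE_CAPTURE)
    for e in ok:
        print(f"{e['server']:<22} port {e['client_port']:>5} "
              f"rtt {e['rtt_us'] / 1000:7.3f} ms  NTPv{e['server_version']}")
    for u in lost:
        print(f"NO REPLY from {u['server']} to port {u['client_port']}")
    for s in stray:
        print(f"reply without request: {s}")
```

On a box where the firewall only allows inbound port 123 without connection tracking, the Client lines appear and every probe lands in the unanswered list; once the return path is tracked (the `ip inspect` configuration above, or a stateful home router), each probe pairs with a reply from the `ntp` port to the same ephemeral port and the RTT column fills in.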