> So, can I ask what traffic from the pool is normal?

Well, personally, I just did a test capture of 1000 packets snooping for "port 123"; it took one minute 56 seconds and contains 539 packets sent to me and 461 packets sent by me. (The 78 packets I didn't respond to are addresses my automated defenses have decided are abusive and thus are blocked by my border router; I snooped just outside those blocks.)

> Here is the error that I got from the kernel:
>
> net_ratelimit: 686 callbacks suppressed
> nf_conntrack: table full, dropping packet.
> nf_conntrack: table full, dropping packet.
> nf_conntrack: table full, dropping packet.

I don't recognize those messages, but they look to me as though you're doing some kind of stateful firewalling and it ran out of internal table space. You really don't want to do that for an NTP pool host if you can help it; running an NTP pool member uses a _lot_ of flows. If you can't help it, you probably need to push your firewall's state table size up substantially. (If you can't do that either, it may be you just don't have a network setup that's suitable for hosting a pool member.)

> I did not use any firewall delays, only one postrouting rule to NAT
> my internal network.

If you really must NAT your NTP pool host, you might try doing a passthrough rule for port 123, so it can run stateless. If you can't do that, about all I can suggest is to push up the size of your NAT's state table and hope.

> I want to ask: is that normal, or am I being attacked?

On today's Internet, being attacked _is_ normal. However, my feeling is that the NTP traffic most pool hosts see, even the abusive traffic (like clients that query multiple times per second for long periods), is not an attack in the sense of being maliciously motivated; it's more incompetence or half-competence, whether applied to implementation or configuration I can't tell. (Admittedly, Clark's Law applies.)

> I posted this message to a news group with my tcp/ip tunning, and the guys
> there started discussing my tunning, not my problem, so I removed them from
> this email :)

Well, from one perspective, your problem _is_ your tuning (I assume that's what "tunning" is intended to mean). If you really do want to run an NTP pool host behind a stateful NAT, you do need to raise its state table limit substantially as compared to most applications, and that would typically (and correctly, IMO) be considered tuning.
(It is UDP/IP rather than TCP/IP, but many people (mis)use the latter to include the whole stack of IP-based protocols.)

/~\ The ASCII                             [email protected]
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
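The two remedies discussed in the reply above (raise the conntrack state table, or exempt port 123 from tracking so it runs stateless) as a worked shell script. This is an added example, not code from the original mail, the poster, or the ntp.org project; it assumes a Linux NAT box running iptables (legacy or nft backend) with the NTP daemon on the box itself, root for the `apply_*` functions, and the kernel log lines below are constructed to match the ones quoted in the mail.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumes Linux + iptables + sysctl;
# the apply_* functions need root. SAMPLE_LOG is constructed, not captured.

# Constructed sample of the kernel messages quoted in the mail.
SAMPLE_LOG='[12345.678] net_ratelimit: 686 callbacks suppressed
[12345.678] nf_conntrack: table full, dropping packet.
[12345.679] nf_conntrack: table full, dropping packet.
[12345.680] nf_conntrack: table full, dropping packet.'

# 1. How many packets did conntrack really drop?  printk is rate-limited, so the
#    visible "table full" lines are only a fraction; the "N callbacks suppressed"
#    line counts the messages (one per dropped packet) that were hidden.
count_conntrack_drops() {          # stdin: dmesg/journal text -> prints total
  awk '
    /nf_conntrack: table full, dropping packet/ { n++ }
    /net_ratelimit: [0-9]+ callbacks suppressed/ {
      for (i = 2; i <= NF; i++) if ($i == "callbacks") n += $(i - 1)
    }
    END { print n + 0 }'
}

# 2. Size the table.  Each distinct client address:port is one entry that lives
#    nf_conntrack_udp_timeout seconds (30 s by default), so the steady state is
#    new_flows_per_second * timeout.  Recommend 4x headroom for bursts.
recommend_conntrack_max() {        # usage: recommend_conntrack_max <flows/s> <udp_timeout_s>
  echo $(( $1 * $2 * 4 ))
}

# 3. Live check: current entries versus the limit (no root needed).
conntrack_usage() {
  d=/proc/sys/net/netfilter
  [ -r "$d/nf_conntrack_count" ] || { echo "nf_conntrack not loaded" >&2; return 1; }
  echo "$(cat "$d/nf_conntrack_count") / $(cat "$d/nf_conntrack_max")"
}

# 4a. Remedy by capacity: raise the limit, shorten the UDP timeout (NTP is one
#     request and one reply, it gains nothing from a 30 s entry), and grow the
#     hash table with it (about one bucket per four entries) or lookups slow down.
apply_bigger_table() {             # usage: apply_bigger_table <nf_conntrack_max>
  sysctl -w net.netfilter.nf_conntrack_max="$1"
  sysctl -w net.netfilter.nf_conntrack_udp_timeout=10
  echo $(( $1 / 4 )) > /sys/module/nf_conntrack/parameters/hashsize
}

# 4b. Remedy by exemption: the "passthrough rule" from the mail.  Port-123 traffic
#     to and from the box itself is never NATed, so it needs no state; NOTRACK in
#     the raw table keeps it out of the conntrack table entirely.  Such packets
#     arrive in the filter table with ctstate UNTRACKED, so an INPUT chain built
#     on ESTABLISHED,RELATED must admit them explicitly.
apply_notrack_ntp() {
  iptables -t raw -A PREROUTING -p udp --dport 123 -j NOTRACK
  iptables -t raw -A OUTPUT     -p udp --sport 123 -j NOTRACK
  iptables -A INPUT  -p udp --dport 123 -m conntrack --ctstate UNTRACKED -j ACCEPT
  iptables -A OUTPUT -p udp --sport 123 -m conntrack --ctstate UNTRACKED -j ACCEPT
}

# Usage (read-only parts only; the apply_* functions change firewall state):
#   printf '%s\n' "$SAMPLE_LOG" | count_conntrack_drops     # 689 drops in that window
#   recommend_conntrack_max 2000 30                         # 240000
#   conntrack_usage
```

Prefer 4b on a box that only NATs other hosts: it removes port 123 from the table rather than racing the table's size against whatever the pool sends next. If the NTP server sits behind the NAT instead of on it, NOTRACK would break the NAT for that traffic, and only 4a applies.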
