On 11-Jan-00 at 22:55:54 Todd A. Jacobs wrote:
>>      ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
>>               -s $ANYWHERE $UNPRIVPORTS \
>>               -d $IPADDR 123 -j ACCEPT
> 
> Why are you specifying the remote port? Don't do that. You have no idea
> what source port is going to be assigned here, so don't set up rules for
> it.
> 
I disagree. We specify the ntp port (123) for sender and receiver, and logging
the packets shows that this is the port being used.

For the original sender with the ntp problem I can only suggest two things: one
is to use the '-l' option with the ipchains commands to log (to
/var/messages) the packets being sent/received. The simplest I found is to stop
the ntpd daemon, then issue '/usr/sbin/ntpdate ntpserver' (use whatever
ntpserver you use). This will try and set the date. Secondly, if you are
using dns names then you have the dns packet filtering done before the ntp
(I got caught by this one!). As a final measure (if you can), log all the
packets (ipchains -l -A input) for a while and then see what the ntp server
has been sending.

Ah! Having said all that I would suggest:
      ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
               -s $ANYWHERE ntp -d $IPADDR ntp -j ACCEPT

(Personally we don't use $ANYWHERE (or 0/0) but specify the time servers.)

John.

--------------------------------------------------------------------------
John Horne, University of Plymouth, UK             Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
Finger for PGP key: [EMAIL PROTECTED]


-- 
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
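The "log the packets and see what the ntp server has been sending" step above is easier if you do not read /var/log/messages by eye. The following is an added example, not code from the thread: it parses the kernel "Packet log:" lines that ipchains '-l' produces, keeps only UDP traffic where either end is port 123, and reports which source port each time server used, then emits one ipchains rule per observed server and port pair, pinned to that server rather than 0/0 as John suggests. The log lines are constructed for this example (documentation-range addresses), and the "Packet log:" field layout is assumed from the ipchains kernel logger of that era, so check it against your own syslog before trusting the regular expression.

```python
import re
from collections import defaultdict

# Constructed sample of syslog lines as written by ipchains '-l'.
# 198.51.100.5 plays the firewall's external address; the rest are
# made-up remote hosts. None of these lines come from a real log.
SAMPLE_LOG = """\
Jan 11 22:55:54 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:123 198.51.100.5:123 L=76 S=0x00 I=18 F=0x0000 T=54 (#9)
Jan 11 22:55:55 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:123 198.51.100.5:123 L=76 S=0x00 I=19 F=0x0000 T=54 (#9)
Jan 11 22:55:57 fw kernel: Packet log: input ACCEPT eth0 PROTO=17 192.0.2.53:53 198.51.100.5:1042 L=120 S=0x00 I=7 F=0x0000 T=60 (#4)
Jan 11 22:56:01 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.20:123 198.51.100.5:1038 L=76 S=0x00 I=22 F=0x0000 T=50 (#9)
Jan 11 22:56:03 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4444 198.51.100.5:22 L=60 S=0x00 I=1 F=0x4000 T=48 SYN (#9)
"""

# Assumed ipchains log layout:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) "
)


def parse_packet_logs(text):
    """Yield one dict per 'Packet log:' line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("proto", "sport", "dport"):
                d[k] = int(d[k])
            yield d


def ntp_summary(text, local_ip, ntp_port=123):
    """Map each remote host that exchanged NTP (UDP, port 123 on either end)
    with local_ip to the set of (remote_port, local_port, verdict) seen.
    This shows whether a server answers 123 -> 123 (ntpd style) or
    123 -> unprivileged port (ntpdate -u style)."""
    seen = defaultdict(set)
    for p in parse_packet_logs(text):
        if p["proto"] != 17:                 # UDP only
            continue
        if p["dst"] != local_ip:             # inbound to us only
            continue
        if ntp_port not in (p["sport"], p["dport"]):
            continue
        seen[p["src"]].add((p["sport"], p["dport"], p["verdict"]))
    return dict(seen)


def suggest_rules(summary, iface, local_ip):
    """Build one ipchains input rule per observed server/port pair, pinned to
    that server (no 0/0), in the style of the rule quoted in the thread."""
    rules = []
    for server in sorted(summary):
        for sport, dport, _verdict in sorted(summary[server]):
            rules.append(
                f"ipchains -A input -i {iface} -p udp "
                f"-s {server} {sport} -d {local_ip} {dport} -j ACCEPT"
            )
    return rules


if __name__ == "__main__":
    summary = ntp_summary(SAMPLE_LOG, "198.51.100.5")
    for server, ports in sorted(summary.items()):
        print(server, sorted(ports))
    print("\n".join(suggest_rules(summary, "eth0", "198.51.100.5")))
```

Run it against a real syslog instead of SAMPLE_LOG after logging input for a while. A server that shows up as (123, 123, DENY) is the case the thread describes and is covered by '-s server ntp -d $IPADDR ntp'; a server that replies to a high local port means the client used an unprivileged source port (ntpdate -u does this), and then a rule restricted to port 123 on the local side will keep dropping the replies, which is what the '-l' logging is there to reveal.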