Re: ntpd on a NAT gateway seems to do nothing
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Andrew Reilly wrote: On Wed, Jul 25, 2007 at 05:24:25AM +1000, Peter Jeremy wrote: On 2007-Jul-24 16:00:08 +0100, Pete French [EMAIL PROTECTED] wrote: Yes it does. The major difference is that ntpd will use a source port of 123 whilst ntpdate will use a dynamic source port. Is that behaviour that can be defeated? If it uses a fixed source port, then multiple ntpd clients behind a nat firewall will be competing for the same ip quadtuple at the NAT box. (Or does ipnat or pf have the ability to fake different source addresses?) NAT gateways will remap the source port number as necessary to disambiguate the different hosts. Although NTP defaults to using port 123 on both the source and destination ends, it only *has* to use port 123 on the destination (server) end. The admin can override that behaviour by using 'restrict addr ntpport' in ntp.conf if required. NTP queries performed via user programs like ntpq(8) and ntpdc(8) always use an arbitrary high numbered source port. There's a similar configuration trick used with the DNS, except in that case, it works in the opposite sense: DNS queries will use an arbitrary high numbered source port by default, but you can configure named to force use of port 53 as the source port. Obviously this only applies to the server-to-server queries performed by recursive DNS servers -- as far as I know, there's no way to force the local resolver library on a particular machine to use a specific source port. In any case, the justification for forcing UDP packets to use a specific source port disappears when you use a modern stateful firewall like any of the three (pf, ipfw, ipf) supplied with FreeBSD. (I've had what I think is this problem with a VPN setup, where only one client behind the NAT firewall could run the VPN client at a time, because the VPN protocol used a fixed port and UDP. Maybe my NAT rules need more sophistication? I don't pay all that much attention to it...) Indeed. For instance, in the case of IPSec there is a special high-numbered port reserved for use exchanging keys when transiting NAT gateways. See http://www.ietf.org/rfc/rfc3947.txt for the gory details. Note that other VPN packages such as OpenVPN work in a different way and shouldn't hit this particular hurdle, or at least, not in the same way. Cheers, Matthew - -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGpvw38Mjk52CukIwRCEwOAKCA7xelVOzskL4BXyFiplIwwJTJPgCfVWb5 l6Kfk7Sx1glV44FBBL8oqkU= =GeJ8 -END PGP SIGNATURE- ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ntpd on a NAT gateway seems to do nothing
Andrew Reilly wrote: Peter Jeremy wrote: The major difference is that ntpd will use a source port of 123 whilst ntpdate will use a dynamic source port. Is that behaviour that can be defeated? If it uses a fixed source port, then multiple ntpd clients behind a nat firewall will be competing for the same ip quadtuple at the NAT box. Usually the clients behind the NAT gateway use the ntpd running on the gateway itself, not any servers beyond. So NTP queries never have to be forwarded across the gateway, so they're not subject to NAT translation at all. The gateway rather acts as server and client at the same time. Best regards Oliver -- Oliver Fromme, secnetix GmbH Co. KG, Marktplatz 29, 85567 Grafing b. M. Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung: secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün- chen, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd Passwords are like underwear. You don't share them, you don't hang them on your monitor or under your keyboard, you don't email them, or put them on a web site, and you must change them very often. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ntpd on a NAT gateway seems to do nothing
On 2007-Jul-25 10:30:25 +1000, Andrew Reilly [EMAIL PROTECTED] wrote: On Wed, Jul 25, 2007 at 05:24:25AM +1000, Peter Jeremy wrote: On 2007-Jul-24 16:00:08 +0100, Pete French [EMAIL PROTECTED] wrote: Yes it does. The major difference is that ntpd will use a source port of 123 whilst ntpdate will use a dynamic source port. Is that behaviour that can be defeated? I don't believe so. If it uses a fixed source port, then multiple ntpd clients behind a nat firewall will be competing for the same ip quadtuple at the NAT box. You might be better off running ntpd on the firewall and having the inside hosts sync to it. (Or does ipnat or pf have the ability to fake different source addresses?) All NAT tools I've seen have the ability to either use multiple external addresses or re-write the source port to avoid clashes. Note that, by default, ntpd doesn't care about the source port of incoming packets (this can be controlled with the 'ntpport' option to 'restrict'). (I've had what I think is this problem with a VPN setup, where only one client behind the NAT firewall could run the VPN client at a time, because the VPN protocol used a fixed port and UDP. Maybe my NAT rules need more sophistication? I don't pay all that much attention to it...) I suspect that either your NAT rules need to allow source port re-writing or the VPN protocol is fussier about having the source port. -- Peter Jeremy pgp317m8M4Z7o.pgp Description: PGP signature
Re: ntpd on a NAT gateway seems to do nothing
You might be better off running ntpd on the firewall and having the inside hosts sync to it. That would be nice - except my problem is that the firewal is the only one on which ntp *doest* run! :-) Thanks for all the other suggestions - will take a look a them later today and see if I can track this down. -pete. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ntpd on a NAT gateway seems to do nothing
On Monday 23 July 2007 20:22:22 Pete French wrote: It's deja-vu all over again. I found my works NTP service was broken on Friday, just after I started my holiday. Interesting to hear from someone also using NAt with a very similar problem. Thanks, I am running -STABLE rather than RELENG, but I suspect I will simply try updating to a later STABLE tomorrow and see if that helps. I'm using IPFW and ipnat, which I believe is somewhat unusual. Ipnat is there to 'fix' the source IP. Don't ask! :-) once you start playing with NAT things can get odd quite fast I have : found! : Anyway; I just did a cleandir x2, rebuild and update to p6, and it's working again. Might be worth a try. I'll try tomorrow, thanks, -pete. Well it could just as easily be the associated reboot, but one hesitates to suggest that on a *nix list :) -- ian j hart ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ntpd on a NAT gateway seems to do nothing
Well it could just as easily be the associated reboot, but one hesitates to suggest that on a *nix list :) Well, I updated to this mornings -STABLE and I still get the same effect. Somewhat puzzled, and I not sure where to go from here - especially as making the queries with 'ntpdate' works fine. -pcf. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ntpd on a NAT gateway seems to do nothing
Pete French wrote: [...] Any suggestions ? I assume it has something to do with the NAT, but I am not sure what. All other TCP connections out from that machine to external systems work fine, so it is not as if outbound connections from there are not working at all. Note that NTP does not use TCP, but UDP. Are you sure that your filter rules are OK? It's certainly possible to have a bug in the rule set so it forwards NTP replies for the internal clients, but doesn't allow them to reach the ntpd running on the machine itself. Another question: Do you have a dynamically assigned IP address? In that case ntpd needs to be restarted when a new address is assigned, because ntpd has the unfortunate habit to bind to all addresses that exist at the time it is started. I'm running ntpd on a NAT gateway myself (RELENG_6), and there are no problems at all. Best regards Oliver -- Oliver Fromme, secnetix GmbH Co. KG, Marktplatz 29, 85567 Grafing b. M. Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung: secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün- chen, HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone to bind them. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ntpd on a NAT gateway seems to do nothing
Note that NTP does not use TCP, but UDP. Are you sure that your filter rules are OK? It's certainly possible to have a bug in the rule set so it forwards NTP replies for the internal clients, but doesn't allow them to reach the ntpd running on the machine itself. Yes, I discovered the UDPness of it last night and went through the rules again. I am pretty sure they are correct (or at least I cannot see anything wrong). I would assume that ntpdate also uses UDP - and using that I can see all these servers ? Another question: Do you have a dynamically assigned IP address? In that case ntpd needs to be restarted when a new address is assigned, because ntpd has the unfortunate habit to bind to all addresses that exist at the time it is started. No, everything is static. It has to be some error in my PF config file somewhere I guess, just hard to work out where. I'm running ntpd on a NAT gateway myself (RELENG_6), and there are no problems at all. yes, I too am doing this on a machine elsewhere, which is why this is so frustrating! I know it works, I even have it working on a different network, and it particlaly works here too (it can see one NTP machine on the far side NAT, just none further away). I will continue looking Thanks, -pcf. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ntpd on a NAT gateway seems to do nothing
Hi, all! On Tue, Jul 24, 2007 at 04:00:08PM +0100, Pete French wrote: Yes, I discovered the UDPness of it last night and went through the rules again. I am pretty sure they are correct (or at least I cannot see anything wrong). I would assume that ntpdate also uses UDP - and using that I can see all these servers ? I would try and run # tcpdump -n -i NAT interface host NTP server in a separate window and compare the output when running ntpdate vs. starting ntpd. HTH, Patrick M. Hausen Leiter Netzwerke und Sicherheit -- punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe Tel. 0721 9109 0 * Fax 0721 9109 100 [EMAIL PROTECTED] http://www.punkt.de Gf: Jürgen Egeling AG Mannheim 108285 ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ntpd on a NAT gateway seems to do nothing
On 2007-Jul-24 16:00:08 +0100, Pete French [EMAIL PROTECTED] wrote: at least I cannot see anything wrong). I would assume that ntpdate also uses UDP - and using that I can see all these servers ? Yes it does. The major difference is that ntpd will use a source port of 123 whilst ntpdate will use a dynamic source port. Is it possible that your NAT rules are interfering with ntpd using port 123? Can you check that ntpd is binding to port 123 (using lsof or netstat+fstat). As well as tcpdump'ing the NTP traffic, you might like to ktrace ntpd and verify that incoming packets are actually arriving there. If your NAT box is not busy, you might be able to enable logging on som relevant rules and see what your firewall is actually doing with the packets. -- Peter Jeremy pgpWL1Q4KzH8e.pgp Description: PGP signature
Re: ntpd on a NAT gateway seems to do nothing
On Wed, Jul 25, 2007 at 05:24:25AM +1000, Peter Jeremy wrote: On 2007-Jul-24 16:00:08 +0100, Pete French [EMAIL PROTECTED] wrote: Yes it does. The major difference is that ntpd will use a source port of 123 whilst ntpdate will use a dynamic source port. Is that behaviour that can be defeated? If it uses a fixed source port, then multiple ntpd clients behind a nat firewall will be competing for the same ip quadtuple at the NAT box. (Or does ipnat or pf have the ability to fake different source addresses?) (I've had what I think is this problem with a VPN setup, where only one client behind the NAT firewall could run the VPN client at a time, because the VPN protocol used a fixed port and UDP. Maybe my NAT rules need more sophistication? I don't pay all that much attention to it...) Cheers, -- Andrew ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
ntpd on a NAT gateway seems to do nothing
Just following the similarly names thread with a bit of interest and I decided to check my own ntp setup and, to my surprise, discovered I also have a machine which does nothing. What is more surprising to me is that it has the same config as a number of other machines, all of which work. We have a segment of network which is behind a NAT, and there is a BSD box running 'pf' actiing as the NAT gateway. Running ntpd on the actual NAT box does not work, but running it on the clients the far side of the NAT does, or on clients the live side of the NAT. I should probably exolain that the NAT goes onto another network which is also natted, though that NAT is out of my control. The ntp.conf file looks like this on all machines: disable auth enable ntp driftfile /etc/ntp.drift server 10.17.19.0 server 195.40.0.250 server 158.43.128.33 server 158.43.128.66 server 158.43.192.66 The time servers there are for easynet, pipex and an internal machine at a remote location. ntpdate on the machine can query all the hosts fine, but ntpdc -p gives: remote local st poll reach delay offsetdisp === =valliere.ns.eas 172.16.1.8 16 640 0.0 0.00 0.0 =turpentine.ratt 172.16.1.8 3 1287 0.01451 -0.007633 1.93823 =ntp2.pipex.net 172.16.1.8 16 640 0.0 0.00 0.0 =ntp0.pipex.net 172.16.1.8 16 640 0.0 0.00 0.0 =ntp1.pipex.net 172.16.1.8 16 640 0.0 0.00 0.0 As you can see, it can only reach the internal machine. On other machines behind the NAT it looks like this: remote local st poll reach delay offsetdisp === =valliere.ns.eas 10.50.50.2 2 256 377 0.00577 -0.004396 0.01192 =turpentine.ratt 10.50.50.2 3 256 377 0.01534 -0.004566 0.00482 *ntp2.pipex.net 10.50.50.2 2 256 377 0.00635 -0.004052 0.00899 =ntp0.pipex.net 10.50.50.2 2 256 377 0.00729 -0.002443 0.01395 =ntp1.pipex.net 10.50.50.2 2 256 377 0.00768 -0.002426 0.00951 But those connections are flowing through the NAT box oon which ntpd is not connecting! Any suggestions ? I assume it has something to do with the NAT, but I am not sure what. All other TCP connections out from that machine to external systems work fine, so it is not as if outbound connections from there are not working at all. -pcf. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ntpd on a NAT gateway seems to do nothing
On Monday 23 July 2007 13:50:09 Pete French wrote: Just following the similarly names thread with a bit of interest and I decided to check my own ntp setup and, to my surprise, discovered I also have a machine which does nothing. What is more surprising to me is that it has the same config as a number of other machines, all of which work. We have a segment of network which is behind a NAT, and there is a BSD box running 'pf' actiing as the NAT gateway. Running ntpd on the actual NAT box does not work, but running it on the clients the far side of the NAT does, or on clients the live side of the NAT. I should probably exolain that the NAT goes onto another network which is also natted, though that NAT is out of my control. The ntp.conf file looks like this on all machines: disable auth enable ntp driftfile /etc/ntp.drift server 10.17.19.0 server 195.40.0.250 server 158.43.128.33 server 158.43.128.66 server 158.43.192.66 The time servers there are for easynet, pipex and an internal machine at a remote location. ntpdate on the machine can query all the hosts fine, but ntpdc -p gives: remote local st poll reach delay offsetdisp === =valliere.ns.eas 172.16.1.8 16 640 0.0 0.00 0.0 =turpentine.ratt 172.16.1.8 3 1287 0.01451 -0.007633 1.93823 =ntp2.pipex.net 172.16.1.8 16 640 0.0 0.00 0.0 =ntp0.pipex.net 172.16.1.8 16 640 0.0 0.00 0.0 =ntp1.pipex.net 172.16.1.8 16 640 0.0 0.00 0.0 As you can see, it can only reach the internal machine. On other machines behind the NAT it looks like this: remote local st poll reach delay offsetdisp === =valliere.ns.eas 10.50.50.2 2 256 377 0.00577 -0.004396 0.01192 =turpentine.ratt 10.50.50.2 3 256 377 0.01534 -0.004566 0.00482 *ntp2.pipex.net 10.50.50.2 2 256 377 0.00635 -0.004052 0.00899 =ntp0.pipex.net 10.50.50.2 2 256 377 0.00729 -0.002443 0.01395 =ntp1.pipex.net 10.50.50.2 2 256 377 0.00768 -0.002426 0.00951 But those connections are flowing through the NAT box oon which ntpd is not connecting! Any suggestions ? I assume it has something to do with the NAT, but I am not sure what. All other TCP connections out from that machine to external systems work fine, so it is not as if outbound connections from there are not working at all. -pcf. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED] It's deja-vu all over again. I found my works NTP service was broken on Friday, just after I started my holiday. Packets were going out but nothing was coming back. I'm using IPFW and ipnat, which I believe is somewhat unusual. Ipnat is there to 'fix' the source IP. Don't ask! Checking the logs it appears that this broke after I updated from 6.2-RELEASE-p1 to 6.2-RELEASE-p5. I found this in messages. May 30 17:25:31 firewall ntpd[825]: ntpd 4.2.0-a Tue May 29 20:59:19 BST 2007 (1) May 30 17:27:31 firewall ntpd[825]: too many recvbufs allocated (40) ntpq -p would report No Association ID's (from memory) Anyway; I just did a cleandir x2, rebuild and update to p6, and it's working again. Might be worth a try. -- ian j hart ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ntpd on a NAT gateway seems to do nothing
It's deja-vu all over again. I found my works NTP service was broken on Friday, just after I started my holiday. Interesting to hear from someone also using NAt with a very similar problem. Thanks, I am running -STABLE rather than RELENG, but I suspect I will simply try updating to a later STABLE tomorrow and see if that helps. I'm using IPFW and ipnat, which I believe is somewhat unusual. Ipnat is there to 'fix' the source IP. Don't ask! :-) once you start playing with NAT things can get odd quite fast I have found! Anyway; I just did a cleandir x2, rebuild and update to p6, and it's working again. Might be worth a try. I'll try tomorrow, thanks, -pete. ___ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to [EMAIL PROTECTED]
