On Sat, Apr 16, 2016, at 04:42 PM, Tom Eastep wrote:
> > Poking around a bit,
>
> What is the rule just before your NTP rule?
Okay, I understand what OPTIMIZE may have been doing - removing redundant
rules. I'll get back to that in a bit.
Without it, I'm still working on getting NTP server sync working.
On my firewall, I have early in my 'rules' what I thought to be an
as-open-as-possible port 123 setup:
NTP(ACCEPT):info:[NTP1] $FW any
NTP(ACCEPT):info:[NTP2] any $FW
ACCEPT:info:[NTP3] $FW any tcp,udp - 123
ACCEPT:info:[NTP4] any $FW tcp,udp 123
When I exec
sudo ntpdate pool.ntp.org
it returns
16 Apr 19:54:20 ntpdate[25006]: no server suitable for synchronization found
and I get in my FW log
Apr 16 19:54:18 mail01 kernel: [ 7295.785283] SW:[NTP1]:ACCEPT IN= OUT=eth0 SRC=192.0.2.17 DST=64.62.190.177 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=44018 DF PROTO=UDP SPT=123 DPT=123 LEN=56
but if I use an unprivileged source port
sudo ntpdate -u pool.ntp.org
it works,
16 Apr 20:08:18 ntpdate[27027]: adjust time server 5.200.6.34 offset 0.018766 sec
and I get in my FW log
Apr 16 20:12:08 core kernel: [ 8365.374832] SW:[P4][NTP1]:ACCEPT IN= OUT=eth0 SRC=192.0.2.17 DST=64.62.190.177 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=29364 DF PROTO=UDP SPT=47780 DPT=123 LEN=56
I don't see any DROPs or REJECTs. That^ is it.
What else do I need to open here?
Jason
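A small parser for the Shorewall log lines quoted in the post above, added here as an example (it is not code from the thread or from Shorewall). It assumes the last bracketed tag in the SW: prefix is the rule's own tag (NTP1 in both lines) and buckets NTP packets by whether the source port was privileged, which is the only difference between the two ntpdate runs.

```python
import re

# Constructed sample: the two Shorewall log lines from the post, re-joined
# onto single lines (the mail client had wrapped them).
SAMPLE_LOG = [
    "Apr 16 19:54:18 mail01 kernel: [ 7295.785283] SW:[NTP1]:ACCEPT IN= OUT=eth0 "
    "SRC=192.0.2.17 DST=64.62.190.177 LEN=76 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=44018 DF PROTO=UDP SPT=123 DPT=123 LEN=56",
    "Apr 16 20:12:08 core kernel: [ 8365.374832] SW:[P4][NTP1]:ACCEPT IN= OUT=eth0 "
    "SRC=192.0.2.17 DST=64.62.190.177 LEN=76 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=29364 DF PROTO=UDP SPT=47780 DPT=123 LEN=56",
]

# Shorewall LOG prefix as seen in the post: "SW:" + one or more [tag] groups + disposition.
PREFIX_RE = re.compile(r"SW:((?:\[[^\]]*\])+):([A-Z]+)")
# netfilter KEY=VALUE pairs; VALUE may be empty (e.g. "IN=" for a locally generated packet).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return tags, disposition and packet fields of a Shorewall log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None  # not a Shorewall log line
    tags = re.findall(r"\[([^\]]*)\]", m.group(1))
    fields = {}
    for key, val in KV_RE.findall(line[m.end():]):
        fields.setdefault(key, val)  # first LEN is the IP length, not the UDP one
    return {"tags": tags, "disposition": m.group(2), **fields}


def ntp_summary(lines):
    """Per (rule tag, disposition): count UDP/123 packets by source-port class."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "UDP" or rec.get("DPT") != "123":
            continue
        bucket = "privileged_sport" if int(rec["SPT"]) < 1024 else "unprivileged_sport"
        key = (rec["tags"][-1], rec["disposition"])  # assumption: last tag is the rule's
        out.setdefault(key, {"privileged_sport": 0, "unprivileged_sport": 0})[bucket] += 1
    return out


if __name__ == "__main__":
    for k, v in ntp_summary(SAMPLE_LOG).items():
        print(k, v)
```

Run against a real /var/log/kern.log it shows at a glance which rule tags are accepting (or dropping) NTP traffic and whether the missing piece is the privileged-source-port case.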
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users