On Mon, Nov 17, 2003 at 05:44:49PM +0000, Voytek wrote:
> my ipchains has:
>
> -A input -s 0/0 -d 0/0 ntp -p tcp -y -j ACCEPT
                                ^^^
*Sigh*. You've been told this several times already, by me and others. This should be *udp*:

http://lists.slug.org.au/archives/slug/2003/11/msg00335.html
http://lists.slug.org.au/archives/slug/2003/11/msg00354.html
http://lists.slug.org.au/archives/slug/2003/11/msg00350.html

This is what my ntpd is doing:

[EMAIL PROTECTED] ~]$ netstat -a|grep -w ntp
udp        0      0 ppp125-148.lns1.syd:ntp *:*
udp        0      0 dropbear.kirriwa.ne:ntp *:*
udp        0      0 dropbear.kirriwa.ne:ntp *:*
udp        0      0 *:ntp                   *:*

Note that it's using udp port 123, not tcp.

For ntpd, I'd limit incoming packets to the ip address(es) of your time server(s) and source and destination ports 123.

For ntpdate, you'll need to allow source port 123 and destination ports 1024:65535, but still limit it to the address(es) of your time server(s).

Make sure you're also allowing the relevant outgoing packets. These are anything to your time server's ip address(es) with destination port 123, and source port either 123 (for ntpd) or 1024:65535 (for ntpdate).

> -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
[snip]
> am I blocking it myself ? ?

Yes.

Cheers,

John
-- 
whois [EMAIL PROTECTED]
GPG key id: 0xD59C360F
http://kirriwa.net/john/

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
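An added worked example, not part of John's reply or of the SLUG thread: a small Python model of how ipchains walks a chain (first rule with a target decides, otherwise the chain policy applies), loaded with the two rules Voytek quoted and then with the udp rules John describes for ntpd and ntpdate. Running it shows concretely why the tcp ACCEPT never matches an NTP reply and the udp 0:1023 REJECT then catches it. The time server address 192.0.2.10, the local address 192.0.2.77 and the "stranger" 198.51.100.5 are assumed placeholders from the RFC 5737 documentation ranges, and the chain policy is passed in explicitly because the thread does not say what Voytek's default policy is.

```python
"""Model of ipchains first-match evaluation for the ntp rules in the thread.

Added example; addresses below are assumed placeholders, not from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False    # TCP SYN flag; ipchains -y matches only SYN packets


@dataclass(frozen=True)
class Rule:
    target: str                          # -j ACCEPT / REJECT / DENY
    proto: Optional[str] = None          # -p; None matches any protocol
    src: str = "0.0.0.0/0"               # -s address (0/0 in ipchains syntax)
    dst: str = "0.0.0.0/0"               # -d address
    sport: Optional[PortRange] = None    # port spec given after -s
    dport: Optional[PortRange] = None    # port spec given after -d
    syn_only: bool = False               # -y

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.sport and not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if self.dport and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn_only and not (p.proto == "tcp" and p.syn):
            return False
        return True


def evaluate(chain: List[Rule], packet: Packet, policy: str) -> str:
    """ipchains walks the chain in order; the first matching rule's target wins,
    and a packet matching no rule gets the chain policy."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy


TIME_SERVER = "192.0.2.10"   # assumed: the configured NTP server
ME = "192.0.2.77"            # assumed: the host running ntpd / ntpdate
NTP = (123, 123)
HIGH = (1024, 65535)

# Voytek's input chain exactly as quoted:
#   -A input -s 0/0 -d 0/0 ntp -p tcp -y -j ACCEPT
#   -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
ORIGINAL_INPUT = [
    Rule("ACCEPT", proto="tcp", dport=NTP, syn_only=True),
    Rule("REJECT", proto="udp", dport=(0, 1023)),
]

# Input chain following John's advice: udp, only from the time server,
# sport 123 with dport 123 (ntpd) or dport 1024:65535 (ntpdate), then the
# existing low-port REJECT for everything else.
CORRECTED_INPUT = [
    Rule("ACCEPT", proto="udp", src=TIME_SERVER + "/32", sport=NTP, dport=NTP),
    Rule("ACCEPT", proto="udp", src=TIME_SERVER + "/32", sport=NTP, dport=HIGH),
    Rule("REJECT", proto="udp", dport=(0, 1023)),
]

# Matching output chain: anything to the time server with dport 123 and
# sport 123 (ntpd) or 1024:65535 (ntpdate).
CORRECTED_OUTPUT = [
    Rule("ACCEPT", proto="udp", dst=TIME_SERVER + "/32", sport=NTP, dport=NTP),
    Rule("ACCEPT", proto="udp", dst=TIME_SERVER + "/32", sport=HIGH, dport=NTP),
]

# Constructed sample packets as they would arrive on the input chain.
NTPD_REPLY = Packet("udp", TIME_SERVER, ME, 123, 123)        # reply to ntpd
NTPDATE_REPLY = Packet("udp", TIME_SERVER, ME, 123, 40001)   # reply to ntpdate
STRANGER = Packet("udp", "198.51.100.5", ME, 123, 123)       # unrelated host

if __name__ == "__main__":
    for name, pkt in [("ntpd reply", NTPD_REPLY),
                      ("ntpdate reply", NTPDATE_REPLY),
                      ("stranger on udp/123", STRANGER)]:
        print(f"{name:20s} original: {evaluate(ORIGINAL_INPUT, pkt, 'DENY'):7s}"
              f" corrected: {evaluate(CORRECTED_INPUT, pkt, 'DENY')}")
```

With a DENY policy the original chain rejects the ntpd reply (the tcp rule cannot match a udp packet, so the 0:1023 REJECT fires on destination port 123), while the corrected chain accepts replies from the time server to either ntpd or an ntpdate high port and still rejects udp/123 from anyone else. The model covers only the options used in the thread; ipchains also honours interface, ICMP type and fragment matches that a real rule set may need.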