On Mar 15, 2007, at 9:23 PM, Jeffrey Goldberg wrote:
> My firewall logs are filled with messages like
>
> ipmon[85]: 18:52:39.107683 sis1 @0:18 b 196.28.87.75 ->
> 72.64.118.118 PR icmp len 20 56 icmp unreach/port
> for 72.64.118.118,123 - 196.28.87.75,123
> PR udp len 20 76 IN
>
> 72.64.118.118 is my pool server.
>
> I am accepting udp packets for destination port 123 and everything
> seems to be working correctly, but I don't understand what these ICMP
> packets are about. No doubt this reflects my substantial ignorance
> of IP, but I would like to know whether I should/need to allow ICMP
> through as well as udp 123 for NTP to work properly.
You need to let at least some ICMP types through for IP networking to operate properly. What is probably happening is that someone requests time, and then firewalls off the reply from your NTP server, generating an ICMP error which you see above.

You can try doing a WHOIS or DNS PTR lookup on the IP address and hope that there is a clueful human on the other end to fix their misconfiguration. If the rate of NTP requests or ICMP responses is excessive (i.e., polling faster than once a minute, IMHO), add a "restrict 196.28.87.75 ignore" or kod line to hopefully reduce the wasted traffic.

-- 
-Chuck

PS: With regard to ICMP filtering, most people would want to pass/allow at least ICMP types 0, 3, 4, 8, 11, 12. This permits things like PMTUd and pings to work.

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
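An added example, not part of Chuck's reply or the list archive, that turns his advice into a small check an NTP server operator can run over the ipmon log: it parses lines of the shape quoted in the post, keeps only the ICMP unreachables that complain about a UDP/123 reply the server sent (the inner datagram after "for"), groups them by the remote host that sent the error, and emits a `restrict <host> ignore` line for any host whose errors arrive faster than once a minute (Chuck's rule of thumb). The regex is derived solely from the one line in the post, the sample log lines and the 192.0.2.0/24 remote addresses are constructed, and the `kod limited` alternative is my assumption about which ntpd restrict flags pair with `kod`; check your ntpd version's documentation before using it.

```python
import re

# Regex for the ipmon ICMP-unreachable line shape shown in the post (assumption:
# other ipmon builds may differ). The error packet travels src -> dst; the
# "for A,p - B,q PR proto" tail is the inner datagram that triggered the error,
# i.e. A:p was its sender and B:q its intended receiver.
UNREACH_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<time>\d\d:\d\d:\d\d)\.\d+\s+(?P<iface>\S+)\s+@\S+\s+"
    r"(?P<action>[bp])\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+PR icmp\s+len\s+\d+\s+\d+\s+"
    r"icmp unreach/(?P<reason>\S+)\s+for\s+(?P<in_src>[\d.]+),(?P<in_sport>\d+)\s+-\s+"
    r"(?P<in_dst>[\d.]+),(?P<in_dport>\d+)\s+PR\s+(?P<in_proto>\w+)"
)

# Constructed sample log. Server address is the one from the post; the remote
# hosts are documentation-range addresses, not real clients.
SERVER_IP = "72.64.118.118"
SAMPLE_LINES = [
    # 192.0.2.10: three errors 15-16 s apart, so it polls far faster than once a minute
    "ipmon[85]: 18:52:39.107683 sis1 @0:18 b 192.0.2.10 -> 72.64.118.118 PR icmp len 20 56 icmp unreach/port for 72.64.118.118,123 - 192.0.2.10,123 PR udp len 20 76 IN",
    "ipmon[85]: 18:52:55.002311 sis1 @0:18 b 192.0.2.10 -> 72.64.118.118 PR icmp len 20 56 icmp unreach/port for 72.64.118.118,123 - 192.0.2.10,123 PR udp len 20 76 IN",
    "ipmon[85]: 18:53:10.554120 sis1 @0:18 b 192.0.2.10 -> 72.64.118.118 PR icmp len 20 56 icmp unreach/port for 72.64.118.118,123 - 192.0.2.10,123 PR udp len 20 76 IN",
    # 192.0.2.20: two errors five minutes apart, an ordinary misconfigured client
    "ipmon[85]: 18:50:00.000001 sis1 @0:18 b 192.0.2.20 -> 72.64.118.118 PR icmp len 20 56 icmp unreach/port for 72.64.118.118,123 - 192.0.2.20,123 PR udp len 20 76 IN",
    "ipmon[85]: 18:55:00.000002 sis1 @0:18 b 192.0.2.20 -> 72.64.118.118 PR icmp len 20 56 icmp unreach/port for 72.64.118.118,123 - 192.0.2.20,123 PR udp len 20 76 IN",
    # 192.0.2.30: a single error, nothing to act on
    "ipmon[85]: 18:51:12.000003 sis1 @0:18 b 192.0.2.30 -> 72.64.118.118 PR icmp len 20 56 icmp unreach/port for 72.64.118.118,123 - 192.0.2.30,123 PR udp len 20 76 IN",
    # unreachable for a DNS reply (inner source port 53), not NTP: filtered out
    "ipmon[85]: 18:51:13.000004 sis1 @0:18 b 192.0.2.40 -> 72.64.118.118 PR icmp len 20 56 icmp unreach/port for 72.64.118.118,53 - 192.0.2.40,40000 PR udp len 20 76 IN",
    # a passed NTP request, not an ICMP error at all: the parser returns None
    "ipmon[85]: 18:52:39.100000 sis1 @0:12 p 192.0.2.10,123 -> 72.64.118.118,123 PR udp len 20 76 IN",
]


def parse_unreach(line):
    """Return a dict for an ipmon ICMP-unreachable line, or None for any other line."""
    m = UNREACH_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Seconds since midnight; ipmon lines carry no date, so a log spanning
    # midnight would need the date added by the caller.
    h, mi, s = (int(x) for x in d["time"].split(":"))
    d["seconds"] = h * 3600 + mi * 60 + s
    d["in_sport"] = int(d["in_sport"])
    d["in_dport"] = int(d["in_dport"])
    return d


def ntp_reply_bounces(lines, server_ip):
    """Map each remote host to the arrival times of ICMP errors it sent about
    a UDP/123 reply originating from server_ip (the case Chuck describes)."""
    by_host = {}
    for line in lines:
        e = parse_unreach(line)
        if e is None:
            continue
        if not (e["in_proto"] == "udp" and e["in_src"] == server_ip and e["in_sport"] == 123):
            continue
        by_host.setdefault(e["src"], []).append(e["seconds"])
    return by_host


def suggest_restricts(by_host, min_interval=60, mode="ignore"):
    """Emit ntp.conf restrict lines for hosts whose errors arrive faster than
    once per min_interval seconds. mode is "ignore" (drop silently, as in the
    reply) or, by assumption, "kod limited" (rate-limit and send kiss-o'-death)."""
    out = []
    for host, times in sorted(by_host.items()):
        t = sorted(times)
        if len(t) < 2:
            continue  # one error says nothing about the polling rate
        gaps = [b - a for a, b in zip(t, t[1:])]
        if min(gaps) < min_interval:
            out.append(f"restrict {host} {mode}")
    return out


if __name__ == "__main__":
    hosts = ntp_reply_bounces(SAMPLE_LINES, SERVER_IP)
    for host, times in sorted(hosts.items()):
        print(f"{host}: {len(times)} ICMP unreachable(s) for our NTP replies")
    for line in suggest_restricts(hosts):
        print(line)
```

Run it against a real ipmon log with `ntp_reply_bounces(open("/var/log/ipmon.log"), "<your server ip>")`; the returned lines are suggestions to paste into ntp.conf, not an automatic change. Rather than restricting every host that bounces a single reply, the check deliberately requires at least two errors within the interval so that a client that merely has a broken firewall but polls at a sane rate is left alone, as Chuck suggests.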
