Re: NTP, ntpdate, and ISP-based firewall

Don Levey wrote:
On Wed, 2004-03-03 at 18:56, Bevan C. Bennett wrote:

Don Levey wrote:


ntp.conf (some comments excised):

(other comments excised)

Well, let's start with your .conf file and see what we can do...


restrict default ignore
restrict 69.22.157.240 mask 255.255.255.255 nomodify notrap noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
server 69.22.157.240
server  ntp.ourconcord.net
server  ntp-0.cso.uiuc.edu
fudge   127.127.1.0 stratum 10
driftfile /etc/ntp/drift
broadcastdelay  0.008

keys /etc/ntp/keys

This is all a little odd... you won't need the 192.168 line until you're ready to broadcast (which you aren't doing).


Try the following:
# /etc/ntp.conf test file
#
# be paranoid by default
restrict default ignore
# local clock of last resort
server  127.127.1.0
fudge   127.127.1.0 stratum 10
#
driftfile /etc/ntp/drift
#
# allow loopback ntpq connections
restrict 127.0.0.0 mask 255.0.0.0 nomodify
#
# servers servers servers
server 69.22.157.240
restrict 69.22.157.240 mask 255.255.255.255 nomodify notrap noquery
server ntp.ourconcord.net
restrict ntp.ourconcord.net mask 255.255.255.255 nomodify notrap noquery
server ntp-0.cso.uiuc.edu
restrict ntp-0.cso.uiuc.edu mask 255.255.255.255 nomodify notrap noquery

Then try 'service ntpd restart' to start up ntpd, wait a minute or so, and use 'ntpq -np' to see what's going on.



Hmm... I tried your test conf file, here's what I got:
[root@davinci etc]# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     127.127.1.0     10 l   44   64    1    0.000    0.000   0.008
 69.22.157.240   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00


Looks like I'm not getting out and back?

That's what 'reach=0' generally implies...
Even more odd, you aren't even trying the other two servers.
Any change if you replace them with their IPs? (216.204.156.2 and 130.126.24.53) Is your DNS ok?


While that's running, try 'tcpdump host 69.22.157.240' to see what traffic's actually going by.

You should see pairs of packets something like this (this is from my ntp server):

09:33:19.579902 urd.ntp > tick.usnogps.navy.mil.ntp: v4 client strat 0 poll 6 prec -18 (DF) [tos 0x10]
09:33:19.620380 tick.usnogps.navy.mil.ntp > urd.ntp: v4 server strat 1 poll 6 prec -19 (DF) [tos 0x10]
09:34:24.581554 urd.ntp > tick.usnogps.navy.mil.ntp: v4 client strat 0 poll 6 prec -18 (DF) [tos 0x10]
09:34:24.621438 tick.usnogps.navy.mil.ntp > urd.ntp: v4 server strat 1 poll 6 prec -19 (DF) [tos 0x10]


If you don't see the reply, you're getting blocked somewhere outside. If you -do- see the reply, you're not getting blocked, but just aren't acknowledging the replies (possibly due to iptables).
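The reach and stratum columns in the 'ntpq -np' output above can be read mechanically: reach is an octal shift register of the last eight polls, and a peer stuck at stratum 16 with reach 0 has never answered. The parser below is an added example and not code from this thread; its sample output is constructed to match the thread's column layout, and the third peer line (216.204.156.2 with refid .GPS.) is an assumed, made-up reading.

```python
"""Parse `ntpq -np` output and flag peers that are not answering.

Added example, not from the mailing-list thread. SAMPLE_NTPQ is a
constructed billet of output in the same column layout ntpq prints.
"""

# Constructed sample: first column is the tally code (space when none).
SAMPLE_NTPQ = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "==============================================================================\n"
    "*127.127.1.0     127.127.1.0     10 l   44   64    1    0.000    0.000   0.008\n"
    " 69.22.157.240   0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00\n"
    "+216.204.156.2   .GPS.            1 u   12   64  377   23.412    1.102   0.455\n"
)


def parse_ntpq(text):
    """Return one dict per peer line; 'reach' is decoded from octal."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.lstrip().startswith("remote"):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:          # not a peer line (e.g. wrapped noise)
            continue
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        peers.append({
            "tally": tally, "remote": remote, "refid": refid,
            "stratum": int(st), "type": t, "poll": int(poll),
            "reach": int(reach, 8),      # octal: one bit per recent poll
            "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
        })
    return peers


def reach_history(reach):
    """Bit string of the last eight polls, oldest first ('1' = reply seen)."""
    return format(reach & 0xFF, "08b")


def diagnose(peer):
    """Classify a peer the way the thread reads 'reach=0' and stratum 16."""
    if peer["type"] == "l":
        return "local clock"
    if peer["reach"] == 0 and peer["stratum"] == 16:
        return "no reply ever received (blocked upstream or dropped locally)"
    if peer["reach"] != 0o377:
        answered = reach_history(peer["reach"]).count("1")
        return f"intermittent: {answered}/8 of recent polls answered"
    return "ok"


def unreachable(text):
    """Remote addresses of network peers with no reply in the last eight polls."""
    return [p["remote"] for p in parse_ntpq(text) if p["type"] != "l" and p["reach"] == 0]
```

Run it against real output with `parse_ntpq(open("ntpq.txt").read())` and feed each peer to `diagnose()`; a peer that stays in the "no reply" class after several poll intervals is the one to chase with tcpdump.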




