Re: Gui for configuring NTP

From: "taharka" <res00vl8@xxxxxxxxxx>

Howdy,

On Fri, 2005-12-09 at 18:40 -0600, Nathaniel Hall wrote:
> Scot L. Harris wrote:
> > On Fri, 2005-12-09 at 19:12, jdow wrote:
> > > From: "Paul Smith" <phhs80@xxxxxxxxx>
> > > > Is your iptables open for NTP?
> > > > I have this:
> > > > -A INPUT -s 66.187.233.4 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
> > > > -A INPUT -s 66.187.224.4 -p udp -m udp --sport 123 --dport 123 -j ACCEPT
> > >
> > > NOTE: that is only good if you have "clock1.redhat.com" as your clock
> > > server. Make it correct for the clock server you select. You may have to
> > > make it a range of addresses.
> >
> > Why would you need to open these ports to have your system update its
> > time using NTP?  My systems seem to get NTP updates just fine sitting
> > behind a firewall that does not have these ports opened.
>
> Then it isn't a firewall. Well, I guess it could be, but it is a very
> poor firewall.  I'll almost guarantee that the ports are open, you
> just don't know it.

That simply isn't so. All my systems are sitting behind a hardware
firewall & I can guarantee that the ports are not open. The thing is,
the firewall will cheerfully pass a request to the outside from a client
system & return whatever is requested. Unless some sort of rule is set
explicitly telling it not to do so. This is the way a firewall is
supposed to work.

<voice, Gildersleeve>Oh reeeeaaally!</voice>

I always set firewalls to drop packets unless told by some other rule
to do something with them. The old "ipfwd" did not do a good job with
regards to UDP "connections" such as "ntp" uses. So I generally had to
explicitly open the firewall holes needed to pass the external DNS
servers and NTP servers I used. The initial (more or less direct
translation) I used with iptables suffered the same problem. As I
became more proficient with iptables and trimmed cruft (and used
ip_connect_track) the UDP issue subsided.

BUT, I had to EXPLICITLY tell the firewall I wanted connections
tracked before a packet could make it through the firewall. The basic
rule is to simply drop incoming packets I do not ask for or are rogue
on the floor.

{^_^}
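As an added illustration of the two approaches argued over in this thread (not code from any poster): a default-drop INPUT chain that admits NTP replies through connection tracking, placed beside the static per-server rules quoted above. The `IPT` variable is an assumption of this example; it defaults to `echo iptables` so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Set IPT=iptables to apply the rules
# for real; the default only prints them so the script is safe to read and run.
IPT="${IPT:-echo iptables}"

# Stateful variant: no per-server rule is needed. The client's outgoing NTP
# query creates a conntrack entry, and the server's reply matches ESTABLISHED
# on the way back in. RELATED also admits ICMP errors tied to that query.
stateful_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
}

# Static variant: one ACCEPT per clock server, as in Paul Smith's ruleset.
# It stops working when the server's address changes, and it accepts any UDP
# packet from that address with both ports set to 123, queried or not.
static_rules() {
    for server in "$@"; do
        $IPT -A INPUT -s "$server" -p udp -m udp --sport 123 --dport 123 -j ACCEPT
    done
}

# Counts the rules emitted by a generator that match a pattern (for checking).
count_rules() {
    pattern="$1"; shift
    "$@" | grep -c -- "$pattern"
}

stateful_rules
static_rules 66.187.233.4 66.187.224.4
```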

