NTP doesn't work behind IPF firewall?

Ed Budd ebudd at grokking.org
Thu Jan 22 11:03:50 PST 2004


On Thu, 22 Jan 2004 02:21:56 -0700
"Edward Aronyk" <earonyk at 360i.ca> wrote:

> Good day all,
> 
> I'm attempting to set up NTP on two FreeBSD servers. To maximize
> security, I have configured NTP to only synchronize itself from a few
> other servers, and not offer NTP to other servers. The server runs
> IPF, which also blocks access to NTP. The problem is, the servers
> don't seem to update the time at all. I know ntp is running because it
> updates the driftfile, and ps shows it's active:
> 
> # ps -aux | grep ntp
> root           81  0.0  0.2  1328  960  ??  Ss    9Jan04   1:06.65 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root           83  0.0  0.2  1364  992  ??  S     9Jan04   0:15.67 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root        47532  0.0  0.0   304  164  p0  R+    2:14AM   0:00.00 grep ntp
> 
> I can't seem to connect to it locally, however:
> 
> # ntpq -p
> 127.0.0.1: timed out, nothing received
> ***Request timed out
> 
> It is properly started from rc.conf:
> 
> # cat /etc/rc.conf | grep ntp
> xntpd_enable="YES"
> 
> And it does seem to be started during bootup:
> 
> # cat /var/log/messages | grep ntp
> Jan  4 01:27:43 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
> Jan  4 01:27:43 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
> Jan  4 01:27:43 boudica ntpd[82]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003(1)
> Jan  4 01:27:43 boudica ntpd[82]: kernel time discipline status 2040
> Jan  9 20:51:21 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
> Jan  9 20:51:21 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
> Jan  9 20:51:21 boudica ntpd[81]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003(1)
> Jan  9 20:51:21 boudica ntpd[81]: kernel time discipline status 2040
> 
> Does anyone have any advice? I'd prefer to leave the NTP port closed
> if possible. This problem is present for me on both FreeBSD 4.8 and
> 5.1. I have included my NTP configuration and IPF ruleset below in case
> it helps anyone.
> 
> ---ntp.conf---
> # cat /etc/ntp.conf
> server subitaneous.cpsc.ucalgary.ca prefer
> server tick.mit.edu
> server ntp1.cmc.ec.gc.ca
> server ntp2.cmc.ec.gc.ca
> server clock1.unc.edu
> 
> driftfile /etc/ntp.drift
> 
> restrict default ignore
> 
> ---ntp.drift---
> # cat /etc/ntp.drift
> 0.000
> 
> ---ipf.rules---
> # cat /etc/ipf.rules
> # Default deny
> block in on fxp0
> 
> # Pass in and out on loopback
> pass in quick on lo0
> pass out quick on lo0
> 
> # Anti-spoofing
> block in quick on fxp0 from 192.168.0.0/16 to any
> block in quick on fxp0 from 172.16.0.0/12 to any
> block in quick on fxp0 from 10.0.0.0/8 to any
> block in quick on fxp0 from 127.0.0.1/8 to any
> block in quick on fxp0 from 0.0.0.0/8 to any
> 
> # Allow certain useful ICMP packets
> pass in quick on fxp0 proto icmp from any to any icmp-type 0
> pass in quick on fxp0 proto icmp from any to any icmp-type 8
> pass in quick on fxp0 proto icmp from any to any icmp-type 11
> block in log quick on fxp0 proto icmp from any to any
> 
> # Allow outbound connections
> pass out quick on fxp0 proto tcp/udp from any to any keep state
> pass out quick on fxp0 proto icmp from any to any keep state
> 
> # Allow inbound useful packets
> pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags # SSH
> pass in quick on fxp0 proto tcp from any to any port = 25 flags S keep state keep frags # SMTP
> pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state keep frags # HTTP
> pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep state keep frags # POP
> pass in quick on fxp0 proto tcp from any to any port = 143 flags S keep state keep frags # IMAP
> pass in quick on fxp0 proto tcp from any to any port = 993 flags S keep state keep frags # IMAP/SSL
> 
> 
> 
> Thanks for your time,
> Edward Aronyk
> ed at 360i.ca
> 
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"

Hi,

Not 100% sure on this but I think you need to include the loopback in
your server list in ntp.conf, especially since you're specifying
default ignore:

server 127.0.0.1

Cheers,
EB
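Editor's note, with an added configuration example that is not part of the thread above. The quoted ntp.conf contains a single access-control line, `restrict default ignore`, and the documented meaning of the `ignore` flag is that ntpd silently drops every packet from any address matching the entry: with no other `restrict` lines, that covers both the replies from the five configured servers (so the clock never steps or slews) and the queries ntpq sends to 127.0.0.1 (the "timed out, nothing received" symptom). The corrected file below keeps the closed-by-default posture but punches the two holes that are actually required. The 192.0.2.x addresses are documentation-range placeholders and an assumption on my part; they must be replaced with the address each `server` hostname resolves to on the machine in question.

```conf
# /etc/ntp.conf, corrected access-control section (added example, not the
# poster's file). Server list and driftfile are as posted.

server subitaneous.cpsc.ucalgary.ca prefer
server tick.mit.edu
server ntp1.cmc.ec.gc.ca
server ntp2.cmc.ec.gc.ca
server clock1.unc.edu

driftfile /etc/ntp.drift

# As posted. On its own this makes ntpd discard EVERY incoming packet:
# server replies and local ntpq/ntpdc queries alike. Keep it as the
# default and add explicit exceptions below (ntpd applies the most
# specific matching restrict entry, so file order does not matter).
restrict default ignore

# Exception 1: let ntpq/ntpdc on this host talk to the daemon. The
# loopback is trusted in full (no flags); the IPF anti-spoofing rule for
# 127.0.0.0/8 on fxp0 stops outside hosts from forging this source.
restrict 127.0.0.1

# Exception 2: accept time packets from each configured server, but do not
# let them modify the running configuration (nomodify), install traps
# (notrap), read daemon state (noquery) or form a symmetric association
# (nopeer). ntpd 4.1.0 takes dotted-quad addresses here; 192.0.2.x are
# placeholders (assumption), substitute the resolved address of the
# server named on the matching 'server' line. If a hostname resolves to
# more than one address, add one restrict line per address, or the polls
# to the other addresses are still ignored. ntpd 4.2 and later also
# accept the hostname itself in a restrict line.
restrict 192.0.2.1 nomodify notrap noquery nopeer   # subitaneous.cpsc.ucalgary.ca
restrict 192.0.2.2 nomodify notrap noquery nopeer   # tick.mit.edu
restrict 192.0.2.3 nomodify notrap noquery nopeer   # ntp1.cmc.ec.gc.ca
restrict 192.0.2.4 nomodify notrap noquery nopeer   # ntp2.cmc.ec.gc.ca
restrict 192.0.2.5 nomodify notrap noquery nopeer   # clock1.unc.edu
```

Two checks after restarting ntpd: `ntpq -p` run on the box should now answer at once and list the five servers, and after a few poll intervals one of them should carry a `*` in the first column to show it was selected. No change to the IPF ruleset is needed for a client-only host: the posted `pass out quick on fxp0 proto tcp/udp from any to any keep state` rule creates a state entry for each outbound poll, so the server's UDP reply is admitted by that state and port 123 can stay out of the inbound `pass in` list, which is what the poster asked for. The driftfile containing `0.000` only shows that ntpd wrote the file; it says nothing about whether the clock is being disciplined, so the `*` in `ntpq -p` output is the check to rely on.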


