NTP doesn't work behind IPF firewall?
Edward Aronyk
earonyk at 360i.ca
Thu Jan 22 01:21:59 PST 2004
Good day all,
I'm attempting to set up NTP on two FreeBSD servers. To maximize security, I
have configured NTP to only synchronize itself from a few other servers, and
not offer NTP to other servers. The server runs IPF, which also blocks
access to NTP. The problem is, the servers don't seem to update the time at
all. I know ntp is running because it updates the driftfile, and ps shows
it's active:
# ps -aux | grep ntp
root 81 0.0 0.2 1328 960 ?? Ss 9Jan04 1:06.65 /usr/sbin/ntpd -p /var/run/ntpd.pid
root 83 0.0 0.2 1364 992 ?? S 9Jan04 0:15.67 /usr/sbin/ntpd -p /var/run/ntpd.pid
root 47532 0.0 0.0 304 164 p0 R+ 2:14AM 0:00.00 grep ntp
I can't seem to connect to it locally, however:
# ntpq -p
127.0.0.1: timed out, nothing received
***Request timed out
It is properly started from rc.conf:
# cat /etc/rc.conf | grep ntp
xntpd_enable="YES"
And it does seem to be started during bootup:
# cat /var/log/messages | grep ntp
Jan 4 01:27:43 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
Jan 4 01:27:43 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
Jan 4 01:27:43 boudica ntpd[82]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003 (1)
Jan 4 01:27:43 boudica ntpd[82]: kernel time discipline status 2040
Jan 9 20:51:21 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
Jan 9 20:51:21 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
Jan 9 20:51:21 boudica ntpd[81]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003 (1)
Jan 9 20:51:21 boudica ntpd[81]: kernel time discipline status 2040
Does anyone have any advice? I'd prefer to leave the NTP port closed if
possible. This problem is present for me on both FreeBSD 4.8 and 5.1. I have
included my NTP configuration and IPF ruleset below in case it helps anyone.
---ntp.conf---
# cat /etc/ntp.conf
server subitaneous.cpsc.ucalgary.ca prefer
server tick.mit.edu
server ntp1.cmc.ec.gc.ca
server ntp2.cmc.ec.gc.ca
server clock1.unc.edu
driftfile /etc/ntp.drift
restrict default ignore
---ntp.drift---
# cat /etc/ntp.drift
0.000
---ipf.rules---
# cat /etc/ipf.rules
# Default deny
block in on fxp0
# Pass in and out on loopback
pass in quick on lo0
pass out quick on lo0
# Anti-spoofing
block in quick on fxp0 from 192.168.0.0/16 to any
block in quick on fxp0 from 172.16.0.0/12 to any
block in quick on fxp0 from 10.0.0.0/8 to any
block in quick on fxp0 from 127.0.0.1/8 to any
block in quick on fxp0 from 0.0.0.0/8 to any
# Allow certain useful ICMP packets
pass in quick on fxp0 proto icmp from any to any icmp-type 0
pass in quick on fxp0 proto icmp from any to any icmp-type 8
pass in quick on fxp0 proto icmp from any to any icmp-type 11
block in log quick on fxp0 proto icmp from any to any
# Allow outbound connections
pass out quick on fxp0 proto tcp/udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
# Allow inbound useful packets
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags # SSH
pass in quick on fxp0 proto tcp from any to any port = 25 flags S keep state keep frags # SMTP
pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state keep frags # HTTP
pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep state keep frags # POP
pass in quick on fxp0 proto tcp from any to any port = 143 flags S keep state keep frags # IMAP
pass in quick on fxp0 proto tcp from any to any port = 993 flags S keep state keep frags # IMAP/SSL
Thanks for your time,
Edward Aronyk
ed at 360i.ca
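As an added example (not code from the post above, nor from FreeBSD or the ntpd project), the following Python script audits an ntp.conf for the lock-out that `restrict default ignore` produces when no more specific `restrict` line grants access: ntpd then discards every packet, including the replies from its own configured servers and control queries from 127.0.0.1, which matches the symptoms in the post (driftfile written, no synchronisation, `ntpq -p` timing out). The ntp.conf from the post is embedded as sample input; the function names and the exact exception flags the hardening step chooses are the example's own.

```python
"""Audit an ntp.conf for the 'restrict default ignore' lock-out.

With `restrict default ignore` and no more specific restrict line for a
source, ntpd silently drops every packet from that source: replies from
the configured time servers are never processed, and ntpq from 127.0.0.1
times out. These helpers parse a configuration, report which sources are
locked out, and emit a copy that keeps the deny-by-default posture while
admitting only the configured servers and the local control socket.
"""

# The ntp.conf from the post, embedded here as sample input.
SAMPLE_NTP_CONF = """\
server subitaneous.cpsc.ucalgary.ca prefer
server tick.mit.edu
server ntp1.cmc.ec.gc.ca
server ntp2.cmc.ec.gc.ca
server clock1.unc.edu
driftfile /etc/ntp.drift
restrict default ignore
"""


def parse_ntp_conf(text):
    """Return (servers, restricts): the server/peer names in order, and a
    dict mapping each restrict target (address, host name or 'default')
    to its set of flags. The optional 'mask x.x.x.x' pair is stripped."""
    servers = []
    restricts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in ("server", "peer") and len(words) >= 2:
            servers.append(words[1])
        elif words[0] == "restrict" and len(words) >= 2:
            target, flags = words[1], words[2:]
            if len(flags) >= 2 and flags[0] == "mask":
                flags = flags[2:]
            restricts[target] = set(flags)
    return servers, restricts


def audit_ntp_conf(text):
    """Return a list of findings; an empty list means no lock-out found."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    if "ignore" not in restricts.get("default", set()):
        return findings   # the lock-out only arises under 'default ignore'
    for name in servers:
        flags = restricts.get(name)
        if flags is None or "ignore" in flags:
            findings.append(
                f"server {name}: no restrict exception, its replies are ignored")
    lo = restricts.get("127.0.0.1")
    if lo is None or "ignore" in lo or "noquery" in lo:
        findings.append(
            "127.0.0.1: control queries refused, 'ntpq -p' will time out")
    return findings


def grant_minimum_exceptions(text):
    """Return a copy of the config with the least-privilege exceptions added:
    each configured server may answer time requests but is refused control
    queries (noquery) and runtime changes (nomodify notrap); localhost may
    run ntpq but not modify the daemon. Existing restrict lines are kept."""
    servers, restricts = parse_ntp_conf(text)
    lines = text.rstrip("\n").splitlines()
    for name in servers:
        if name not in restricts:
            # restrict accepts a host name; ntpd resolves it at start-up
            lines.append(f"restrict {name} nomodify notrap noquery")
    if "127.0.0.1" not in restricts:
        lines.append("restrict 127.0.0.1 nomodify notrap")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_ntp_conf(SAMPLE_NTP_CONF):
        print("FINDING:", finding)
    print("--- hardened ntp.conf ---")
    print(grant_minimum_exceptions(SAMPLE_NTP_CONF), end="")
```

The IPF ruleset needs no change for this: the outbound `pass out quick on fxp0 proto tcp/udp ... keep state` rule creates a state entry for each poll ntpd sends, so the servers' UDP replies are admitted without opening port 123 inbound. The hardened ntp.conf still rejects every unsolicited packet from any other address, which preserves the poster's goal of not serving time to others.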