FAQ
Hello!

I would like to setup an NTP server for my Windows network using
CentOS 6.3 with firewall turned on. As I learned the NTP protocol uses
port 123 UDP. I have two NIC cards. One for internal network and one
for access internet. Both cards in private address range. The problem
is when I am using firewall described below the client cannot access
the server. No idea why. Without firewall everything works flawless.
So the problem is not in the NTP configuration. No idea why but with
disabled firewall the first query gives error but all other query is
work. I am using arpwatch to see what is happen on network (new
machines and so). Not know is that related to the problem or not.

First I had used the system-config-firewall generated firewall
(standard firewall with port 123:udp added). No success, client cannot
connect.

Next I made a script for myself and saved with 'service iptables save'
command. The configuration is:

eth0 10.0.0.99/24
eth1 10.0.1.10/24

The script for making firewall rules:
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
denied: " --log-level 7
iptables -A INPUT -j DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Windows client time server is set to 10.0.0.99. Just for sure I
enabled 123 TCP as well even I think that was unnecessary. The rule
which related to NTP (123 UDP) increments its packet and byte count
with 'iptables -L -n -v' so some connection was made. But no success
on sync.

Any idea what is wrong?

Bye,
a

Search Discussions

  • Earl Ramirez at Sep 2, 2012 at 4:37 am

    On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
    Hello!

    I would like to setup an NTP server for my Windows network using
    CentOS 6.3 with firewall turned on. As I learned the NTP protocol uses
    port 123 UDP. I have two NIC cards. One for internal network and one
    for access internet. Both cards in private address range. The problem
    is when I am using firewall described below the client cannot access
    the server. No idea why. Without firewall everything works flawless.
    So the problem is not in the NTP configuration. No idea why but with
    disabled firewall the first query gives error but all other query is
    work. I am using arpwatch to see what is happen on network (new
    machines and so). Not know is that related to the problem or not.

    First I had used the system-config-firewall generated firewall
    (standard firewall with port 123:udp added). No success, client cannot
    connect.

    Next I made a script for myself and saved with 'service iptables save'
    command. The configuration is:

    eth0 10.0.0.99/24
    eth1 10.0.1.10/24

    The script for making firewall rules:
    iptables -P INPUT ACCEPT
    iptables -F
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
    iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
    denied: " --log-level 7
    iptables -A INPUT -j DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    I might be wrong but I think you need to add the IP Address of the NTP
    server

    you can also use tcpdump to capture the traffic between the clients and
    the ntp server to see what is being blocked.

    # iptables -A OUTPUT -o eth0 -p udp -s <client IPs> --sport 123 -d <NTP
    Server IP> --dport 123 -m state --state NEW -j ACCEPT.
    Windows client time server is set to 10.0.0.99. Just for sure I
    enabled 123 TCP as well even I think that was unnecessary. The rule
    which related to NTP (123 UDP) increments its packet and byte count
    with 'iptables -L -n -v' so some connection was made. But no success
    on sync.

    Any idea what is wrong?

    Bye,
    a
    _______________________________________________
    CentOS mailing list
    CentOS at centos.org
    http://lists.centos.org/mailman/listinfo/centos
    --


    Kind Regards
    Earl Ramirez
    GPG Key: http://trinipino.com/PublicKey.asc
    -------------- next part --------------
    A non-text attachment was scrubbed...
    Name: not available
    Type: application/pgp-signature
    Size: 316 bytes
    Desc: This is a digitally signed message part
    Url : http://lists.centos.org/pipermail/centos/attachments/20120902/6a430403/attachment.bin
  • Artifex Maximus at Sep 2, 2012 at 7:02 am

    On Sun, Sep 2, 2012 at 8:37 AM, Earl Ramirez wrote:
    On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
    Hello!

    I would like to setup an NTP server for my Windows network using
    CentOS 6.3 with firewall turned on. As I learned the NTP protocol uses
    port 123 UDP. I have two NIC cards. One for internal network and one
    for access internet. Both cards in private address range. The problem
    is when I am using firewall described below the client cannot access
    the server. No idea why. Without firewall everything works flawless.
    So the problem is not in the NTP configuration. No idea why but with
    disabled firewall the first query gives error but all other query is
    work. I am using arpwatch to see what is happen on network (new
    machines and so). Not know is that related to the problem or not.

    First I had used the system-config-firewall generated firewall
    (standard firewall with port 123:udp added). No success, client cannot
    connect.

    Next I made a script for myself and saved with 'service iptables save'
    command. The configuration is:

    eth0 10.0.0.99/24
    eth1 10.0.1.10/24

    The script for making firewall rules:
    iptables -P INPUT ACCEPT
    iptables -F
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
    iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
    denied: " --log-level 7
    iptables -A INPUT -j DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    I might be wrong but I think you need to add the IP Address of the NTP
    server
    Why? I am using a more general form of INPUT rule.
    you can also use tcpdump to capture the traffic between the clients and
    the ntp server to see what is being blocked.
    Thanks for your answer. Good idea and I'll do it.
    # iptables -A OUTPUT -o eth0 -p udp -s <client IPs> --sport 123 -d <NTP
    Server IP> --dport 123 -m state --state NEW -j ACCEPT.
    I am using

    iptables -P OUTPUT ACCEPT

    which allows all OUTPUT traffic on all interface as default rule. So I
    do not think that I need any more specific rule.

    Bye,
    a
  • Markus Falb at Sep 2, 2012 at 8:33 am

    On 2.9.2012 09:46, Artifex Maximus wrote:
    Hello!

    I would like to setup an NTP server for my Windows network using
    CentOS 6.3 with firewall turned on. As I learned the NTP protocol uses
    port 123 UDP. I have two NIC cards. One for internal network and one
    for access internet. Both cards in private address range. The problem
    is when I am using firewall described below the client cannot access
    the server. No idea why. Without firewall everything works flawless.
    So the problem is not in the NTP configuration. No idea why but with
    disabled firewall the first query gives error but all other query is
    work. I am using arpwatch to see what is happen on network (new
    machines and so). Not know is that related to the problem or not.

    First I had used the system-config-firewall generated firewall
    (standard firewall with port 123:udp added). No success, client cannot
    connect.

    Next I made a script for myself and saved with 'service iptables save'
    command. The configuration is:

    eth0 10.0.0.99/24
    eth1 10.0.1.10/24

    The script for making firewall rules:
    iptables -P INPUT ACCEPT
    iptables -F
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
    iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
    denied: " --log-level 7
    iptables -A INPUT -j DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    you must ACCEPT ntp in the FORWARD chain.
    http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html
    --
    Kind Regards, Markus Falb

    -------------- next part --------------
    A non-text attachment was scrubbed...
    Name: signature.asc
    Type: application/pgp-signature
    Size: 304 bytes
    Desc: OpenPGP digital signature
    Url : http://lists.centos.org/pipermail/centos/attachments/20120902/d0c5ceec/attachment.bin
  • Artifex Maximus at Sep 2, 2012 at 12:22 pm

    On Sun, Sep 2, 2012 at 2:33 PM, Markus Falb wrote:
    On 2.9.2012 09:46, Artifex Maximus wrote:
    Hello!

    I would like to setup an NTP server for my Windows network using
    CentOS 6.3 with firewall turned on. As I learned the NTP protocol uses
    port 123 UDP. I have two NIC cards. One for internal network and one
    for access internet. Both cards in private address range. The problem
    is when I am using firewall described below the client cannot access
    the server. No idea why. Without firewall everything works flawless.
    So the problem is not in the NTP configuration. No idea why but with
    disabled firewall the first query gives error but all other query is
    work. I am using arpwatch to see what is happen on network (new
    machines and so). Not know is that related to the problem or not.

    First I had used the system-config-firewall generated firewall
    (standard firewall with port 123:udp added). No success, client cannot
    connect.

    Next I made a script for myself and saved with 'service iptables save'
    command. The configuration is:

    eth0 10.0.0.99/24
    eth1 10.0.1.10/24

    The script for making firewall rules:
    iptables -P INPUT ACCEPT
    iptables -F
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
    iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
    denied: " --log-level 7
    iptables -A INPUT -j DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    you must ACCEPT ntp in the FORWARD chain.
    http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html
    Thanks. Why?

    "If it's destined for this box, the packet passes downwards in the
    diagram, to the INPUT chain. If it passes this, any processes waiting
    for that packet will receive it."

    The packet destination is my server because NTP server is there so it
    passes to input box where 123 UDP is enabled. If I read the how-to
    correctly.

    Bye,
    a
  • Markus Falb at Sep 3, 2012 at 4:41 am

    On 2.9.2012 18:22, Artifex Maximus wrote:
    On Sun, Sep 2, 2012 at 2:33 PM, Markus Falb wrote:
    On 2.9.2012 09:46, Artifex Maximus wrote:
    Hello!

    I would like to setup an NTP server for my Windows network using
    CentOS 6.3 with firewall turned on.
    ...
    The script for making firewall rules:
    iptables -P INPUT ACCEPT
    iptables -F
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p udp --dport 123 -j ACCEPT
    iptables -A INPUT -i eth0 -s 10.0.0.0/24 -p tcp --dport 123 -j ACCEPT
    iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables
    denied: " --log-level 7
    iptables -A INPUT -j DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    you must ACCEPT ntp in the FORWARD chain.
    http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-6.html
    Thanks. Why? ...
    The packet destination is my server because NTP server is there so it
    passes to input box where 123 UDP is enabled. If I read the how-to
    correctly.
    I thought you wanted to forward to another host. I think I was confused
    because you mentioned the 2 NIC cards. Sorry.
    --
    Kind Regards, Markus Falb

    -------------- next part --------------
    A non-text attachment was scrubbed...
    Name: signature.asc
    Type: application/pgp-signature
    Size: 304 bytes
    Desc: OpenPGP digital signature
    Url : http://lists.centos.org/pipermail/centos/attachments/20120903/dc8c5b30/attachment.bin
  • Leonard den Ottolander at Sep 3, 2012 at 7:15 am

    On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
    Any idea what is wrong?
    The iptables rules you specify only allow clients from your local
    network access to your "proxy" ntp server. However, you do not specify
    any rules for eth1 to allow that ntp server to synchronise with the
    remote servers it is using. So unless you are using a local time source
    that might be your problem.

    Btw, when specifying rules for the external ntp servers you might want
    to specify IPs as well to restrict access.

    Regards,
    Leonard.

    --
    mount -t life -o ro /dev/dna /genetic/research
  • Philippe Naudin at Sep 3, 2012 at 8:00 am

    Le lun. 03 sept. 2012 13:15:41 CEST, Leonard den Ottolander a ?crit:
    On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
    Any idea what is wrong?
    The iptables rules you specify only allow clients from your local
    network access to your "proxy" ntp server. However, you do not specify
    any rules for eth1 to allow that ntp server to synchronise with the
    remote servers it is using. So unless you are using a local time source
    that might be your problem.
    I don't think this is the problem : the firewall accept everything in
    the output chain, and established/related in input : my ntp server
    works fine with the same rules (123/tcp is indeed useless).

    For me, the problem is not ntp+iptables, or it should appears in
    /var/log/messages, thanks to the -j LOG.
    There can be something wrong in ntp.conf (but this is probably not the
    case since it works without firewall), in the firewall (for example, if
    it blocks DNS requests), or in the network configuration.

    Regards,

    --
    Philippe Naudin
  • Giles Coochey at Sep 3, 2012 at 8:32 am

    On 03/09/2012 13:00, Philippe Naudin wrote:
    Le lun. 03 sept. 2012 13:15:41 CEST, Leonard den Ottolander a ?crit:
    On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
    Any idea what is wrong?
    The iptables rules you specify only allow clients from your local
    network access to your "proxy" ntp server. However, you do not specify
    any rules for eth1 to allow that ntp server to synchronise with the
    remote servers it is using. So unless you are using a local time source
    that might be your problem.
    I don't think this is the problem : the firewall accept everything in
    the output chain, and established/related in input : my ntp server
    works fine with the same rules (123/tcp is indeed useless).

    For me, the problem is not ntp+iptables, or it should appears in
    /var/log/messages, thanks to the -j LOG.
    There can be something wrong in ntp.conf (but this is probably not the
    case since it works without firewall), in the firewall (for example, if
    it blocks DNS requests), or in the network configuration.

    Regards,
    Does 'ntpq -p' show your server actually syncing with ntp hosts?

    --
    Regards,

    Giles Coochey, CCNA, CCNAS
    NetSecSpec Ltd
    +44 (0) 7983 877438
    http://www.coochey.net
    http://www.netsecspec.co.uk
    giles at coochey.net
  • Artifex Maximus at Sep 3, 2012 at 10:18 am

    On Mon, Sep 3, 2012 at 11:15 AM, Leonard den Ottolander wrote:
    On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
    Any idea what is wrong?
    The iptables rules you specify only allow clients from your local
    network access to your "proxy" ntp server. However, you do not specify
    any rules for eth1 to allow that ntp server to synchronise with the
    remote servers it is using. So unless you are using a local time source
    that might be your problem.

    Btw, when specifying rules for the external ntp servers you might want
    to specify IPs as well to restrict access.
    Thanks. You are right ntp proxy is absolutely what I want. Mine
    description was not clean probably. So this is the setup:

    GPSNTP(10.0.1.99/24) - eth1 myserver eth0 - clients(10.0.0.0/24)

    Because GPSNTP is on a physically separated network I need this proxy
    for my clients. My server is able to synchronize with GPSNTP so rules
    are fine for that (because my output chain is ACCEPT per default). My
    clients whom are cannot synchronize with my server even if I allow NTP
    port which I do not understand.

    Bye,
    a
  • Giles Coochey at Sep 3, 2012 at 10:32 am

    On 03/09/2012 15:18, Artifex Maximus wrote:
    On Mon, Sep 3, 2012 at 11:15 AM, Leonard den Ottolander
    wrote:
    On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:
    Any idea what is wrong?
    The iptables rules you specify only allow clients from your local
    network access to your "proxy" ntp server. However, you do not specify
    any rules for eth1 to allow that ntp server to synchronise with the
    remote servers it is using. So unless you are using a local time source
    that might be your problem.

    Btw, when specifying rules for the external ntp servers you might want
    to specify IPs as well to restrict access.
    Thanks. You are right ntp proxy is absolutely what I want. Mine
    description was not clean probably. So this is the setup:

    GPSNTP(10.0.1.99/24) - eth1 myserver eth0 - clients(10.0.0.0/24)

    Because GPSNTP is on a physically separated network I need this proxy
    for my clients. My server is able to synchronize with GPSNTP so rules
    are fine for that (because my output chain is ACCEPT per default). My
    clients whom are cannot synchronize with my server even if I allow NTP
    port which I do not understand.
    So at this stage, doing a "tcpdump -i eth0 -s 0 -w capture.cap" and
    getting one of your clients to try to sync time with your server and
    then repeating this with the firewall turned off (when it purportedly
    works) ought to give you enough information to be able to view the
    packet capture and see what is going wrong.

    --
    Regards,

    Giles Coochey, CCNA, CCNAS
    NetSecSpec Ltd
    +44 (0) 7983 877438
    http://www.coochey.net
    http://www.netsecspec.co.uk
    giles at coochey.net
  • Artifex Maximus at Sep 4, 2012 at 2:31 am

    On Mon, Sep 3, 2012 at 4:32 PM, Giles Coochey wrote:
    On 03/09/2012 15:18, Artifex Maximus wrote:

    On Mon, Sep 3, 2012 at 11:15 AM, Leonard den Ottolander
    wrote:
    On Sun, 2012-09-02 at 07:46 +0000, Artifex Maximus wrote:

    Any idea what is wrong?
    The iptables rules you specify only allow clients from your local
    network access to your "proxy" ntp server. However, you do not specify
    any rules for eth1 to allow that ntp server to synchronise with the
    remote servers it is using. So unless you are using a local time source
    that might be your problem.

    Btw, when specifying rules for the external ntp servers you might want
    to specify IPs as well to restrict access.
    Thanks. You are right ntp proxy is absolutely what I want. Mine
    description was not clean probably. So this is the setup:

    GPSNTP(10.0.1.99/24) - eth1 myserver eth0 - clients(10.0.0.0/24)

    Because GPSNTP is on a physically separated network I need this proxy
    for my clients. My server is able to synchronize with GPSNTP so rules
    are fine for that (because my output chain is ACCEPT per default). My
    clients whom are cannot synchronize with my server even if I allow NTP
    port which I do not understand.
    So at this stage, doing a "tcpdump -i eth0 -s 0 -w capture.cap" and getting
    one of your clients to try to sync time with your server and then repeating
    this with the firewall turned off (when it purportedly works) ought to give
    you enough information to be able to view the packet capture and see what is
    going wrong.
    Thanks for the answer. I did tcpdump with turned on firewall but not
    exactly what you suggest. The command was:

    tcpdump -i eth0 -c 50 -nn -N -s 0 -vv port 123

    and the result is:

    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
    65535 bytes
    16:39:13.653674 IP (tos 0x0, ttl 128, id 23478, offset 0, flags
    [none], proto UDP (17), length 76)
    10.0.1.178.123 > 10.0.0.99.123: [udp sum ok] NTPv3, length 48
    symmetric active, Leap indicator: clock unsynchronized (192),
    Stratum 0 (unspecified), poll 4s, precision -6
    Root Delay: 0.000610, Root dispersion: 9.049407, Reference-ID: (unspec)
    Reference Timestamp: 3555678802.057624999 (2012/09/03 16:33:22)
    Originator Timestamp: 0.000000000
    Receive Timestamp: 0.000000000
    Transmit Timestamp: 3555679152.630750000 (2012/09/03 16:39:12)
    Originator - Receive Timestamp: 0.000000000
    Originator - Transmit Timestamp: 3555679152.630750000
    (2012/09/03 16:39:12)

    16:39:43.145984 IP (tos 0x0, ttl 128, id 24616, offset 0, flags
    [none], proto UDP (17), length 76)
    10.0.0.150.123 > 10.0.0.99.123: [udp sum ok] NTPv3, length 48
    symmetric active, Leap indicator: clock unsynchronized (192),
    Stratum 0 (unspecified), poll 4s, precision -6
    Root Delay: 0.000610, Root dispersion: 9.049407, Reference-ID: (unspec)
    Reference Timestamp: 3555678802.057624999 (2012/09/03 16:33:22)
    Originator Timestamp: 0.000000000
    Receive Timestamp: 0.000000000
    Transmit Timestamp: 3555679182.130750000 (2012/09/03 16:39:42)
    Originator - Receive Timestamp: 0.000000000
    Originator - Transmit Timestamp: 3555679182.130750000
    (2012/09/03 16:39:42)
    16:39:43.145991 IP (tos 0x0, ttl 128, id 24617, offset 0, flags
    [none], proto UDP (17), length 76)
    10.0.1.178.123 > 10.0.0.99.123: [udp sum ok] NTPv3, length 48
    symmetric active, Leap indicator: clock unsynchronized (192),
    Stratum 0 (unspecified), poll 4s, precision -6
    Root Delay: 0.000610, Root dispersion: 9.049407, Reference-ID: (unspec)
    Reference Timestamp: 3555678802.057624999 (2012/09/03 16:33:22)
    Originator Timestamp: 0.000000000
    Receive Timestamp: 0.000000000
    Transmit Timestamp: 3555679182.130750000 (2012/09/03 16:39:42)
    Originator - Receive Timestamp: 0.000000000
    Originator - Transmit Timestamp: 3555679182.130750000
    (2012/09/03 16:39:42)
    16:39:43.146020 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
    UDP (17), length 76)
    10.0.0.99.123 > 10.0.0.150.123: [bad udp cksum 9133!] NTPv3, length 48
    symmetric active, Leap indicator: (0), Stratum 2 (secondary
    reference), poll 4s, precision -23
    Root Delay: 0.000625, Root dispersion: 0.043029, Reference-ID: 10.0.1.99
    Reference Timestamp: 3555677676.775420963 (2012/09/03 16:14:36)
    Originator Timestamp: 3555679182.130750000 (2012/09/03 16:39:42)
    Receive Timestamp: 3555679183.145983964 (2012/09/03 16:39:43)
    Transmit Timestamp: 3555679183.146011888 (2012/09/03 16:39:43)
    Originator - Receive Timestamp: +1.015233964
    Originator - Transmit Timestamp: +1.015261886

    The first time (16:39:13.653674) client cannot sync to the server but
    second time (16:39:43.145984) that was successful even if there is a
    'bad udp cksum'. BTW, is it normal? Tcpdump says there was traffic and
    sync happened later so rule is OK I think.

    When tried later sync needs three tries for success. Other time needs
    only one. Might depend on Moon phase. It looks like I have some
    network equipment related problem as well. Therefore I have to talk
    with some Cisco expert.

    At the moment I have problem with rsyslogd because there is no log of
    denied packets but that is another story. :-)

    Thanks for all of your help!

    Bye,
    a
  • Giles Coochey at Sep 4, 2012 at 4:36 am

    On 04/09/2012 07:31, Artifex Maximus wrote:
    The first time (16:39:13.653674) client cannot sync to the server but
    second time (16:39:43.145984) that was successful even if there is a
    'bad udp cksum'. BTW, is it normal? Tcpdump says there was traffic and
    sync happened later so rule is OK I think.

    When tried later sync needs three tries for success. Other time needs
    only one. Might depend on Moon phase. It looks like I have some
    network equipment related problem as well. Therefore I have to talk
    with some Cisco expert.

    At the moment I have problem with rsyslogd because there is no log of
    denied packets but that is another story. :-)

    Thanks for all of your help!
    Without seeing the full timeline of events, you should bear in mind that
    there will be a gap between the time that an NTP server is started
    before other clocks are allowed to sync to it. This makes sense as you
    wouldn't want to sync time to a source that itself isn't reliable. Once
    the NTP server fulfils some criteria and believes it's clock to be
    reliable, it will allow other systems to sync to it.

    --
    Regards,

    Giles Coochey, CCNA, CCNAS
    NetSecSpec Ltd
    +44 (0) 7983 877438
    http://www.coochey.net
    http://www.netsecspec.co.uk
    giles at coochey.net
  • Artifex Maximus at Sep 4, 2012 at 6:18 am

    On Tue, Sep 4, 2012 at 10:36 AM, Giles Coochey wrote:
    On 04/09/2012 07:31, Artifex Maximus wrote:


    The first time (16:39:13.653674) client cannot sync to the server but
    second time (16:39:43.145984) that was successful even if there is a
    'bad udp cksum'. BTW, is it normal? Tcpdump says there was traffic and
    sync happened later so rule is OK I think.

    When tried later sync needs three tries for success. Other time needs
    only one. Might depend on Moon phase. It looks like I have some
    network equipment related problem as well. Therefore I have to talk
    with some Cisco expert.

    At the moment I have problem with rsyslogd because there is no log of
    denied packets but that is another story. :-)

    Thanks for all of your help!
    Without seeing the full timeline of events, you should bear in mind that
    there will be a gap between the time that an NTP server is started before
    other clocks are allowed to sync to it. This makes sense as you wouldn't
    want to sync time to a source that itself isn't reliable. Once the NTP
    server fulfils some criteria and believes it's clock to be reliable, it will
    allow other systems to sync to it.
    I know and respect that. I tried only after my NTP was synchronized
    and declared as reliable. Otherwise I get some stratum error on client
    which is normal I think.

    Bye,
    a
  • Leonard den Ottolander at Sep 3, 2012 at 12:56 pm

    On Mon, 2012-09-03 at 14:18 +0000, Artifex Maximus wrote:
    My server is able to synchronize with GPSNTP so rules
    are fine for that (because my output chain is ACCEPT per default).
    And related traffic is allowed too, yes, I overlooked that.

    Are you sure your windows clients have addresses in the 10.0.0.x range
    and not 10.x.y.z and the netmask on eth0 is 24 not 8 (which is the
    default)?

    Regards,
    Leonard.

    --
    mount -t life -o ro /dev/dna /genetic/research

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupcentos @
categoriescentos
postedSep 2, '12 at 3:46a
activeSep 4, '12 at 6:18a
posts15
users6
websitecentos.org
irc#centos

People

Translate

site design / logo © 2022 Grokbase