Re: [chrony-users] firewalling chrony

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-users Archives ]

To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] firewalling chrony
From: Leo Baltus <Leo.Baltus@xxxxxxxxx>
Date: Fri, 28 Feb 2014 12:40:05 +0100

Op 27/02/2014 om 08:38:59 -0800, schreef Bill Unruh:
> On Thu, 27 Feb 2014, Leo Baltus wrote:
> 
> >Op 11/02/2014 om 09:31:36 +0100, schreef Leo Baltus:
> >>Op 10/02/2014 om 12:39:19 +0100, schreef Miroslav Lichvar:
> >>>On Fri, Feb 07, 2014 at 06:30:52PM +0100, Leo Baltus wrote:
> >>>>Hi,
> >>>>
> >>>>It seems that chronyd, when acting as a client uses both srcport 1024
> >>>>through 65535 as well as port 123 to query external ntp-servers.
> >>>
> >>>The port above 1024 is used with the initstepslew option.
> >>>
> >>>>It makes discriminating between server traffic and client traffic
> >>>>hard as both use packets with dstport=123 and srcport=123
> >>>>
> >>>>I think ntpd does this as well, so I wonder is this mandated by
> >>>>the protocol?
> >>>
> >>>I think it's not required by NTP specification to use source port 123
> >>>for client requests.
> >>>
> >>>>If not how can I tell chronyd not to use srcport=123 when querying
> >>>>external servers while still serve ntp on port 123 to its clients?
> >>>
> >>>With the current code you can't. There is only one socket per address
> >>>family used for all NTP networking. You could inspect the packets in
> >>>the firewall to see which mode they are, or you could run two
> >>>instances of chronyd, one configured as a client and the other as a
> >>>server with "local stratum" enabled.
> >>>
> >>
> >>Interesting suggestion, thanks.
> >>
> >
> >That seems to work nicely, thanks again for the suggestion.
> >
> >One thing though, when running two instances the 'local stratum'
> >instance no longer get upstream information like leap seconds, how
> >bad is that?
> 
> It means that once every couple of years or so, on Jan1 or Jul 1 the
> client system will suddenly be out by one second and will take a while
> to get rid of that time offset ( most likely a few maxpoll intervals).
> >
> 

Thanks :)

-- 
Leo Baltus, internetbeheerder
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
servicedesk@xxxxxxxxx, 035-6773555

-- 
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

References:
- [chrony-users] firewalling chrony
  - From: Leo Baltus
- Re: [chrony-users] firewalling chrony
  - From: Miroslav Lichvar
- Re: [chrony-users] firewalling chrony
  - From: Leo Baltus
- Re: [chrony-users] firewalling chrony
  - From: Leo Baltus
- Re: [chrony-users] firewalling chrony
  - From: Bill Unruh

Messages sorted by: [ date | thread ]
Prev by Date: [chrony-users] chrony with only 2 sources
Next by Date: Re: [chrony-users] tempcomp.log not created (on Fedora 17 & 20) when chronyd started from systemd
Previous by thread: Re: [chrony-users] firewalling chrony
Next by thread: Re: [chrony-users] firewalling chrony

Mail converted by MHonArc 2.6.19+

http://listengine.tuxfamily.org/