Re: [chrony-users] firewalling chrony
On 11/02/2014 at 09:31:36 +0100, Leo Baltus wrote:
> On 10/02/2014 at 12:39:19 +0100, Miroslav Lichvar wrote:
> > On Fri, Feb 07, 2014 at 06:30:52PM +0100, Leo Baltus wrote:
> > > Hi,
> > >
> > > It seems that chronyd, when acting as a client uses both srcport 1024
> > > through 65535 as well as port 123 to query external ntp-servers.
> >
> > The port above 1024 is used with the initstepslew option.
> >
> > > It makes discriminating between server traffic and client traffic
> > > hard as both use packets with dstport=123 and srcport=123
> > >
> > > I think ntpd does this as well, so I wonder is this mandated by
> > > the protocol?
> >
> > I think it's not required by NTP specification to use source port 123
> > for client requests.
> >
> > > If not, how can I tell chronyd not to use srcport=123 when querying
> > > external servers while still serving ntp on port 123 to its clients?
> >
> > With the current code you can't. There is only one socket per address
> > family used for all NTP networking. You could inspect the packets in
> > the firewall to see which mode they are, or you could run two
> > instances of chronyd, one configured as a client and the other as a
> > server with "local stratum" enabled.
> >
>
> Interesting suggestion, thanks.
>
That seems to work nicely, thanks again for the suggestion.
One thing though, when running two instances the 'local stratum'
instance no longer gets upstream information like leap seconds, how
bad is that?
--
Leo Baltus, internet administrator
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
servicedesk@xxxxxxxxx, 035-6773555
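
The packet-inspection option mentioned in the thread (telling client and server traffic apart by NTP mode when both use srcport=123 and dstport=123), as an added example that is not part of the original messages or of chrony itself. The function names, the upstream address and the client network are assumptions, and the sample packets are constructed.

```python
import ipaddress

NTP_PORT = 123
MODE_CLIENT, MODE_SERVER = 3, 4   # RFC 5905 mode field values

def ntp_mode(payload: bytes):
    """Return the 3-bit mode from the first NTP header byte, or None if truncated."""
    if len(payload) < 48:          # basic NTP header is 48 bytes
        return None
    return payload[0] & 0x07       # byte 0 = LI (2 bits) | VN (3 bits) | Mode (3 bits)

def inbound_verdict(src_ip, dst_port, payload, upstreams, client_net):
    """Verdict for a UDP packet arriving at a host whose chronyd uses port 123
    both to query upstream servers and to serve its own clients."""
    if dst_port != NTP_PORT:
        return "not-ntp"
    mode = ntp_mode(payload)
    addr = ipaddress.ip_address(src_ip)
    # Server-mode packets are only expected as replies from configured upstreams.
    if mode == MODE_SERVER and src_ip in upstreams:
        return "accept-upstream-reply"
    # Client-mode packets are only expected from the networks we serve time to.
    if mode == MODE_CLIENT and addr in ipaddress.ip_network(client_net):
        return "accept-client-request"
    return "drop"                  # other modes, unknown peers, truncated packets

def make_packet(mode, version=4, leap=0):
    """Constructed 48-byte NTP header with only the first byte populated."""
    return bytes([(leap << 6) | (version << 3) | mode]) + bytes(47)

# Constructed sample traffic (documentation address ranges), all with dstport=123
UPSTREAMS = {"192.0.2.10"}          # hypothetical upstream NTP server
CLIENT_NET = "198.51.100.0/24"      # hypothetical internal client network
SAMPLES = [
    ("192.0.2.10", make_packet(MODE_SERVER)),    # reply from configured upstream
    ("198.51.100.7", make_packet(MODE_CLIENT)),  # request from an internal client
    ("203.0.113.5", make_packet(MODE_CLIENT)),   # request from outside the client net
    ("203.0.113.5", make_packet(MODE_SERVER)),   # server-mode packet from unknown host
    ("198.51.100.7", b"\x23"),                   # truncated packet
]

if __name__ == "__main__":
    for src, pkt in SAMPLES:
        print(src, ntp_mode(pkt), inbound_verdict(src, NTP_PORT, pkt, UPSTREAMS, CLIENT_NET))
```

This check is stateless and looks only at the mode field and the source address; it does not verify that a server-mode packet answers a request that was actually sent.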