Re: [chrony-users] firewalling chrony


On Fri, Feb 07, 2014 at 06:30:52PM +0100, Leo Baltus wrote:
> Hi,
> It seems that chronyd, when acting as a client uses both srcport 1024
> through 65535 as well as port 123 to query external ntp-servers.

The port above 1024 is used with the initstepslew option.

> It makes discriminating between server traffic and client traffic
> hard as both use packets with dstport=123 and srcport=123.
> I think ntpd does this as well, so I wonder: is this mandated by
> the protocol?

I think it's not required by NTP specification to use source port 123
for client requests.

> If not, how can I tell chronyd not to use srcport=123 when querying
> external servers while still serving ntp on port 123 to its clients?

With the current code you can't. There is only one socket per address
family used for all NTP networking. You could inspect the packets in
the firewall to see which mode they are, or you could run two
instances of chronyd, one configured as a client and the other as a
server with "local stratum" enabled.

Miroslav Lichvar
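The "inspect the packets in the firewall to see which mode they are" suggestion above rests on the NTP header itself, not on port numbers: the low three bits of the first byte of the UDP payload carry the association mode, and a client request is mode 3 while a server response is mode 4, regardless of whether the source port is 123 or something above 1024. The following parser and classifier is an added example written for this archive page, not code from chrony or from either poster; the packets it examines are constructed inline, and the list of upstream servers is a hypothetical placeholder standing in for whatever a site actually configures.

```python
import ipaddress

# NTP header layout (RFC 5905, section 7.3): the first byte packs
# LI (2 bits), VN (3 bits) and Mode (3 bits); the second byte is stratum.
NTP_HEADER_LEN = 48
MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}

def parse_ntp_header(payload: bytes) -> dict:
    """Split the first NTP header byte into LI / version / mode and read stratum."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("payload shorter than the 48-byte NTP header")
    first = payload[0]
    return {
        "li": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "mode_name": MODE_NAMES[first & 0x7],
        "stratum": payload[1],
    }

def build_ntp_packet(mode: int, version: int = 4, stratum: int = 0) -> bytes:
    """Constructed sample packet: a valid header byte followed by zeroed fields."""
    first = (0 << 6) | (version << 3) | mode
    return bytes([first, stratum, 0, 0]) + b"\x00" * (NTP_HEADER_LEN - 4)

def classify_datagram(src_port: int, dst_port: int, payload: bytes) -> str:
    """Label a UDP datagram by NTP mode. Ports are reported but never decide."""
    hdr = parse_ntp_header(payload)
    if hdr["mode"] == 3:
        kind = "client-request"
    elif hdr["mode"] == 4:
        kind = "server-response"
    else:
        kind = "other:" + hdr["mode_name"]
    return f"{kind} ({src_port}->{dst_port})"

# Hypothetical placeholder for the servers named in chrony.conf; a site would
# substitute its own configured upstream addresses here.
UPSTREAM_SERVERS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}

def accept_inbound(src_ip: str, src_port: int, dst_port: int, payload: bytes) -> bool:
    """Policy a firewall could mirror for a host that is both client and server:
    - mode-3 requests to our port 123 are served from anyone;
    - mode-4 responses are accepted only from configured upstream servers;
    - everything else is dropped."""
    try:
        hdr = parse_ntp_header(payload)
    except ValueError:
        return False
    if hdr["mode"] == 3 and dst_port == 123:
        return True
    if hdr["mode"] == 4 and ipaddress.ip_address(src_ip) in UPSTREAM_SERVERS:
        return True
    return False

if __name__ == "__main__":
    # Both flows below use 123 on each side, which is what makes port-based
    # filtering ambiguous; the mode byte still tells them apart.
    print(classify_datagram(123, 123, build_ntp_packet(3)))
    print(classify_datagram(123, 123, build_ntp_packet(4, stratum=2)))
    print(classify_datagram(40000, 123, build_ntp_packet(3)))  # initstepslew-style high port
    print(accept_inbound("192.0.2.10", 123, 123, build_ntp_packet(4, stratum=2)))
    print(accept_inbound("203.0.113.5", 123, 123, build_ntp_packet(4, stratum=2)))
```

The same test (first payload byte AND 0x7) is what a firewall's raw payload match would apply at UDP offset 0, so a ruleset can admit mode-4 replies only from the configured upstream set and treat every mode-3 packet as a request to the local server, leaving the single shared socket in chronyd untouched.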
