Re: [chrony-users] firewalling chrony
On 10/02/2014 at 12:39:19 +0100, Miroslav Lichvar wrote:
> On Fri, Feb 07, 2014 at 06:30:52PM +0100, Leo Baltus wrote:
> > Hi,
> >
> > It seems that chronyd, when acting as a client uses both srcport 1024
> > through 65535 as well as port 123 to query external ntp-servers.
>
> The port above 1024 is used with the initstepslew option.
>
> > It makes discriminating between server traffic and client traffic
> > hard as both use packets with dstport=123 and srcport=123
> >
> > I think ntpd does this as well, so I wonder is this mandated by
> > the protocol?
>
> I think it's not required by NTP specification to use source port 123
> for client requests.
>
> > If not how can I tell chronyd not to use srcport=123 when querying
> > external servers while still serve ntp on port 123 to its clients?
>
> With the current code you can't. There is only one socket per address
> family used for all NTP networking. You could inspect the packets in
> the firewall to see which mode they are, or you could run two
> instances of chronyd, one configured as a client and the other as a
> server with "local stratum" enabled.
>
Interesting suggestion, thanks.
Having separate sockets for client and server traffic would certainly be
the better option. Do you have any plans for implementing this?
--
Leo Baltus, internet administrator
NPO ICT Internet Services
Sumatralaan 45, 1217 GP Hilversum, Filmcentrum, west
servicedesk@xxxxxxxxx, 035-6773555
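The suggestion above to "inspect the packets in the firewall to see which mode they are" relies on the fact that every NTP packet carries its mode in the low three bits of the first header byte (RFC 5905: mode 3 is a client request, mode 4 a server reply), so a rule keyed on that byte can tell chronyd's own outgoing queries apart from requests arriving from its clients even when both directions use source and destination port 123. The Python below is an added illustration written for this archive page, not code from chrony or from anyone in the thread; the packets it classifies are constructed in the script, and the helper names are the author's own.

```python
# Added example: why port-based NTP filtering is ambiguous and how the
# NTP mode field resolves it. Not part of chrony; packets are constructed.

# Mode values from the NTP header (RFC 5905). First byte = LI<<6 | VN<<3 | mode.
NTP_MODES = {
    1: "symmetric active",
    2: "symmetric passive",
    3: "client",
    4: "server",
    5: "broadcast",
    6: "control",
    7: "private",
}
NTP_HEADER_LEN = 48  # minimum length of an NTP v3/v4 packet


def ntp_mode(payload: bytes) -> int:
    """Return the 3-bit mode field of an NTP packet; raise if it is too short."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("payload too short to be an NTP packet")
    return payload[0] & 0x07


def classify_by_port(src_port: int, dst_port: int) -> str:
    """What a port-only rule can tell. With 123 on both ends it tells nothing."""
    if src_port == 123 and dst_port == 123:
        return "ambiguous"   # chronyd's own query or a client's request: same ports
    if dst_port == 123:
        return "request"     # ephemeral port -> 123, e.g. the initstepslew case
    if src_port == 123:
        return "reply"
    return "not-ntp"


def classify_by_mode(direction: str, payload: bytes) -> str:
    """Classify by the NTP mode field, independent of the ports in use.

    direction is 'out' (leaving this host) or 'in' (arriving at this host).
    """
    mode = ntp_mode(payload)
    if direction == "out" and mode == 3:
        return "our-client-request"   # chronyd polling an upstream server
    if direction == "in" and mode == 4:
        return "upstream-reply"       # answer to one of our polls
    if direction == "in" and mode == 3:
        return "downstream-request"   # one of our own clients asking us
    if direction == "out" and mode == 4:
        return "our-reply"            # our answer to a downstream client
    return "other:" + NTP_MODES.get(mode, "reserved")


def make_ntp_packet(mode: int, version: int = 4, leap: int = 0) -> bytes:
    """Build a constructed, minimal NTP packet: header byte plus zeroed fields."""
    first = (leap << 6) | (version << 3) | mode
    return bytes([first]) + bytes(NTP_HEADER_LEN - 1)


if __name__ == "__main__":
    client_req = make_ntp_packet(3)   # first byte 0x23: LI 0, version 4, mode 3
    server_reply = make_ntp_packet(4) # first byte 0x24
    print("ports 123->123:", classify_by_port(123, 123))
    print("outbound mode 3:", classify_by_mode("out", client_req))
    print("inbound  mode 3:", classify_by_mode("in", client_req))
    print("inbound  mode 4:", classify_by_mode("in", server_reply))
```

In a real filter the same test is a single byte match on the UDP payload rather than Python; for example nftables can express it with a raw payload expression of the form `udp dport 123 @th,64,8 & 0x07 == 3` (offset 64 bits skips the 8-byte UDP header), which is worth confirming against the nft version actually installed. The point stays the same: match on the mode bits, not on which end holds port 123.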