Re: [chrony-users] firewalling chrony
On 10/02/2014 at 12:39:19 +0100, Miroslav Lichvar wrote:
> On Fri, Feb 07, 2014 at 06:30:52PM +0100, Leo Baltus wrote:
> > Hi,
> > It seems that chronyd, when acting as a client, uses source ports 1024
> > through 65535 as well as port 123 to query external ntp-servers.
> The port above 1024 is used with the initstepslew option.
> > It makes discriminating between server traffic and client traffic
> > hard as both use packets with dstport=123 and srcport=123
> > I think ntpd does this as well, so I wonder is this mandated by
> > the protocol?
> I think it's not required by NTP specification to use source port 123
> for client requests.
> > If not how can I tell chronyd not to use srcport=123 when querying
> > external servers while still serve ntp on port 123 to its clients?
> With the current code you can't. There is only one socket per address
> family used for all NTP networking. You could inspect the packets in
> the firewall to see which mode they are, or you could run two
> instances of chronyd, one configured as a client and the other as a
> server with "local stratum" enabled.
Interesting suggestion, thanks.
Having separate sockets for client and server traffic would certainly be
the better option. Do you have any plans for implementing this?
Leo Baltus, internetbeheerder /\
NPO ICT Internet Services /NPO/\
Sumatralaan 45, 1217 GP Hilversum, Filmcentrum, west \ /\/
servicedesk@xxxxxxxxx, 035-6773555 \/
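The workable option in the reply above is to look past the port numbers and at the NTP mode field (the low 3 bits of the first header byte: 3 is a client request, 4 is a server response). The following is an added example written for this page, not chrony's code: it parses constructed NTP packets the way a packet filter would, classifies them by mode rather than by port, and applies a simple inbound policy that accepts client requests from anywhere but server responses only from the upstream servers this host is configured to poll. The upstream addresses, ports and payloads are all constructed for the demonstration.

```python
import struct

NTP_PORT = 123

# Mode values from the NTP header (RFC 5905, section 7.3); only the low 3 bits of byte 0.
MODE_NAMES = {
    0: "reserved",
    1: "symmetric-active",
    2: "symmetric-passive",
    3: "client",
    4: "server",
    5: "broadcast",
    6: "control",
    7: "private",
}

# Constructed: the servers our chronyd is configured to poll (assumption for the example).
UPSTREAMS = {"192.0.2.10", "192.0.2.11"}


def ntp_header_fields(payload: bytes):
    """Return (leap, version, mode) from the first NTP header byte, or None if too short."""
    if len(payload) < 48:          # a full NTP header is 48 bytes
        return None
    first = payload[0]
    return first >> 6, (first >> 3) & 0x07, first & 0x07


def classify(src_port: int, dst_port: int, payload: bytes) -> str:
    """Name the packet by NTP mode, which is what the port numbers alone cannot tell us."""
    fields = ntp_header_fields(payload)
    if fields is None:
        return "not-ntp"
    _, version, mode = fields
    if version not in (1, 2, 3, 4):
        return "not-ntp"
    if mode == 3 and dst_port == NTP_PORT:
        return "client-request"    # works for srcport 123 and for an ephemeral srcport
    if mode == 4 and src_port == NTP_PORT:
        return "server-response"
    return MODE_NAMES.get(mode, "unknown")


def inbound_policy(src_ip: str, src_port: int, dst_port: int, payload: bytes,
                   upstreams=UPSTREAMS) -> str:
    """Inbound decision: serve anyone, but accept responses only from configured upstreams."""
    kind = classify(src_port, dst_port, payload)
    if kind == "client-request":
        return "accept"            # someone asking our server for time
    if kind == "server-response" and src_ip in upstreams:
        return "accept"            # answer to a query our client sent
    return "drop"                  # unsolicited responses, control/private modes, junk


def build_ntp_packet(mode: int, version: int = 4, leap: int = 0) -> bytes:
    """Constructed minimal 48-byte NTP packet: header byte, stratum, poll, precision, zeroed rest."""
    first = (leap << 6) | (version << 3) | mode
    return struct.pack("!BBbb", first, 2, 6, -20) + bytes(44)


def iptables_u32_ntp_mode(mode: int) -> str:
    """Assumed iptables '-m u32 --u32' expression (verify on your kernel): skip the IPv4
    header using IHL, skip the 8-byte UDP header, take the top byte, mask the mode bits."""
    return f"0>>22&0x3C@8>>24&0x7={mode}"


if __name__ == "__main__":
    # Constructed inbound flows as the firewall on the chrony host would see them.
    flows = [
        ("upstream reply to our srcport-123 query", "192.0.2.10", 123, 123, build_ntp_packet(4)),
        ("upstream reply to an initstepslew query", "192.0.2.11", 123, 50000, build_ntp_packet(4)),
        ("unsolicited 'reply' from a stranger",     "198.51.100.5", 123, 123, build_ntp_packet(4)),
        ("a client asking our server for time",    "198.51.100.5", 40000, 123, build_ntp_packet(3)),
        ("mode 7 private request to port 123",     "198.51.100.5", 40000, 123, build_ntp_packet(7)),
    ]
    for label, ip, sp, dp, pkt in flows:
        print(f"{label:45} {ip}:{sp} -> :{dp}  {classify(sp, dp, pkt):16} {inbound_policy(ip, sp, dp, pkt)}")
    print("iptables client-mode match:", iptables_u32_ntp_mode(3))
```

The point of the policy is that a packet arriving with srcport=123 and dstport=123 is ambiguous by ports alone, but mode 3 can only be a request to our server and mode 4 can only be a reply to our client, and a reply is only expected from the addresses in the server directives. With a single chronyd socket this is the discrimination the firewall has to do itself. The u32 string is one way to express the mode test in iptables and is given as an assumption to check against the u32 match documentation; nftables has a comparable raw payload expression, but confirm its syntax for your version before relying on it.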