Re: [chrony-users] firewalling chrony



On 10/02/2014 at 12:39:19 +0100, Miroslav Lichvar wrote:
> On Fri, Feb 07, 2014 at 06:30:52PM +0100, Leo Baltus wrote:
> > Hi,
> > 
> > It seems that chronyd, when acting as a client uses both srcport 1024
> > through 65535 as well as port 123 to query external ntp-servers.
> 
> The port above 1024 is used with the initstepslew option.
> 
> > It makes discriminating between server traffic and client traffic
> > hard as both use packets with dstport=123 and srcport=123
> > 
> > I think ntpd does this as well, so I wonder is this mandated by
> > the protocol?
> 
> I think it's not required by NTP specification to use source port 123
> for client requests.
> 
> > If not how can I tell chronyd not to use srcport=123 when querying
> > external servers while still serve ntp on port 123 to its clients?
> 
> With the current code you can't. There is only one socket per address
> family used for all NTP networking. You could inspect the packets in
> the firewall to see which mode they are, or you could run two
> instances of chronyd, one configured as a client and the other as a
> server with "local stratum" enabled.
> 

Interesting suggestion, thanks.

Having separate sockets for client and server traffic would certainly be
the better option. Do you have any plans for implementing this?

-- 
Leo Baltus, internetbeheerder                         /\
NPO ICT Internet Services                            /NPO/\
Sumatralaan 45, 1217 GP Hilversum, Filmcentrum, west \  /\/
servicedesk@xxxxxxxxx, 035-6773555                    \/
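The first of Miroslav's two suggestions, inspecting the packets to see which mode they are, is what a firewall has to do here: with one socket per address family, a query chronyd sends to an upstream server and a reply chronyd sends to one of its own clients can both be UDP 123 to 123, and only the mode field in the first byte of the NTP header tells them apart. The following classifier is an added example for this thread, not code from chrony or from either participant; the local address, the client subnet and the two upstream server addresses are made-up values, and the allow/drop policy is one possible policy for the setup Leo describes. It also accepts a mode 3 query from an ephemeral source port, which is the initstepslew case mentioned above.

```python
"""
Classify NTP datagrams by the mode field rather than by port numbers.

Added example for this thread, not chrony code. LOCAL_IP, CLIENT_NET and
UPSTREAM are constructed values for the demonstration.
"""
import ipaddress
import struct

NTP_PORT = 123
HEADER_LEN = 48  # RFC 5905 header without extension fields

MODE_CLIENT = 3
MODE_SERVER = 4
MODE_NAMES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
              3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private"}

# Assumed topology (not from the thread): this host serves CLIENT_NET and
# syncs to the two UPSTREAM servers.
LOCAL_IP = ipaddress.ip_address("192.0.2.10")
CLIENT_NET = ipaddress.ip_network("192.0.2.0/24")
UPSTREAM = {ipaddress.ip_address("198.51.100.1"), ipaddress.ip_address("198.51.100.2")}


def build_ntp_packet(mode, version=4, leap=0, stratum=0, poll=6, precision=-20):
    """Construct a minimal NTP packet (timestamps zeroed) as offline sample input."""
    first = ((leap & 0x3) << 6) | ((version & 0x7) << 3) | (mode & 0x7)
    return struct.pack("!BBbb", first, stratum, poll, precision) + b"\x00" * (HEADER_LEN - 4)


def parse_ntp_header(payload):
    """Return LI, VN, mode, stratum, poll and precision from the first four bytes."""
    if len(payload) < 4:
        raise ValueError("not an NTP packet: %d bytes" % len(payload))
    first, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
    }


def classify(src_ip, src_port, dst_ip, dst_port, payload):
    """Decide what one UDP datagram on port 123 is, the way a payload-inspecting
    firewall rule would, and return (verdict, reason).

    Port numbers alone cannot separate the four cases when both ends use 123,
    so the decision hinges on the mode field."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src_port != NTP_PORT and dst_port != NTP_PORT:
        return ("drop", "neither port is 123")
    mode = parse_ntp_header(payload)["mode"]
    if mode not in (MODE_CLIENT, MODE_SERVER):
        return ("drop", "mode %d (%s) is not plain client/server traffic"
                % (mode, MODE_NAMES[mode]))
    if len(payload) < HEADER_LEN:
        return ("drop", "short packet (%d bytes) for mode %d" % (len(payload), mode))

    if src == LOCAL_IP:  # outbound from this host
        if mode == MODE_CLIENT and dst in UPSTREAM and dst_port == NTP_PORT:
            # src_port may be 123 or an ephemeral port (initstepslew); both are ours
            return ("allow", "our query to upstream %s" % dst)
        if mode == MODE_SERVER and src_port == NTP_PORT and dst in CLIENT_NET:
            return ("allow", "our reply to client %s" % dst)
        return ("drop", "unexpected outbound mode %d to %s" % (mode, dst))

    if dst == LOCAL_IP:  # inbound to this host
        if mode == MODE_SERVER and src in UPSTREAM and src_port == NTP_PORT:
            return ("allow", "reply from upstream %s" % src)
        if mode == MODE_CLIENT and src in CLIENT_NET and dst_port == NTP_PORT:
            return ("allow", "query from client %s" % src)
        return ("drop", "unexpected inbound mode %d from %s" % (mode, src))

    return ("drop", "not addressed to or from this host")
```

The point the classifier makes is that a stateful UDP rule does not help: a 123-to-123 packet arriving from an upstream address is the reply direction of our own query as far as connection tracking is concerned, whether it carries mode 4 (a real reply) or mode 3 (that host querying us). Matching the low three bits of the first payload byte is what separates them; in nftables that would be a raw payload expression on the transport header, something like `udp dport 123 @th,64,8 & 0x07 == 3` for client requests, but that syntax is an assumption to check against the nft manual for your version, not something the thread states.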


