Re: [chrony-users] firewalling chrony



On Tue, Mar 04, 2014 at 03:25:16PM +0100, Leo Baltus wrote:
> I'll cowardly wait for the 'separate sockets for each configured server'
> patch as I don't feel confident enough to do it myself.

This is now implemented in git. Can you please test it?

I saw some reports that some ISPs are now blocking incoming packets
with destination port 123 to prevent NTP amplification attacks, so
I think this feature will now be even more useful and should be
enabled by default.

The client port number is set by the acquisitionport directive. With 0
(the default), for each configured server there is a separate
connected socket. With a non-zero acquisitionport, a common socket is
used for all servers, and if acquisitionport is equal to the server
port, one socket (per address family) is used for all packets as
before.

There is one thing I'm not really sure about. The code binds all NTP
sockets to the address configured by the bindaddress directive. I'm
wondering whether I should modify it so that only the server sockets are
bound to the address and not the client sockets. Does anyone know if there
is a use case where it would break things?

-- 
Miroslav Lichvar
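As an added example (not code from chrony or from the patch discussed above), the C below shows what the per-server connected socket of the "acquisitionport 0" mode gives a client: the local port is kernel-chosen rather than 123, and connect() on a UDP socket makes the kernel discard datagrams from any source other than the configured server. It assumes IPv4 on loopback only and uses constructed "server" and "stranger" peers.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to 127.0.0.1:port (0 = kernel-chosen ephemeral port); -1 on error. */
static int bound_udp(uint16_t port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port),
                             .sin_addr = { htonl(INADDR_LOOPBACK) } };
    if (fd < 0 || bind(fd, (struct sockaddr *)&a, sizeof a) < 0) { close(fd); return -1; }
    return fd;
}

/* Local port of fd in host byte order, 0 on error. */
uint16_t local_port_of(int fd) {
    struct sockaddr_in a; socklen_t len = sizeof a;
    return getsockname(fd, (struct sockaddr *)&a, &len) < 0 ? 0 : ntohs(a.sin_port);
}

/* Per-server client socket as in the "acquisitionport 0" mode: bind to local_port
   (0 = ephemeral, so the source port is not 123) and connect() to the server, which
   makes the kernel discard datagrams arriving from any other address/port. */
int open_client_socket(const char *server_ip, uint16_t server_port, uint16_t local_port) {
    int fd = bound_udp(local_port);
    struct sockaddr_in peer = { .sin_family = AF_INET, .sin_port = htons(server_port) };
    if (fd < 0 || inet_pton(AF_INET, server_ip, &peer.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&peer, sizeof peer) < 0) { close(fd); return -1; }
    return fd;
}

/* Loopback demonstration: the configured "server" and an unrelated "stranger" both
   send to the client's port.  Returns 1 if only the server's datagram is delivered. */
int connected_socket_filters(void) {
    int server = bound_udp(0), stranger = bound_udp(0);
    int client = open_client_socket("127.0.0.1", local_port_of(server), 0);
    struct sockaddr_in to = { .sin_family = AF_INET, .sin_port = htons(local_port_of(client)),
                              .sin_addr = { htonl(INADDR_LOOPBACK) } };
    struct pollfd p = { .fd = client, .events = POLLIN };
    char buf[8];
    int ok = server >= 0 && stranger >= 0 && client >= 0;
    if (ok) {
        sendto(stranger, "x", 1, 0, (struct sockaddr *)&to, sizeof to);
        ok = poll(&p, 1, 300) <= 0;                 /* stranger's datagram must be dropped */
        sendto(server, "y", 1, 0, (struct sockaddr *)&to, sizeof to);
        ok = ok && poll(&p, 1, 1000) > 0 && recv(client, buf, sizeof buf, 0) == 1;
    }
    close(server); close(stranger); close(client);
    return ok;
}
```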
