Re: [chrony-users] firewalling chrony



On 25/03/2014 at 15:45:35 +0100, Miroslav Lichvar wrote:
> On Tue, Mar 04, 2014 at 03:25:16PM +0100, Leo Baltus wrote:
> > I'll cowardly wait for the 'separate sockets for each configured server'
> > patch as I don't feel confident enough to do it myself.
> 
> This is now implemented in git. Can you please test it?
> 

Great!

This is running nicely now for a couple of hours. I don't see any weird
things in the logs. It also works nicely over ipv6.

The randomness of the source ports is not what I was expecting however.
Comparing this with DNS, it strikes me that source ports are being reused.

Looking at the connection table (netstat -anu) the socket stays open:

udp  0  0 145.58.30.x:41649         95.85.59.120:123            ESTABLISHED 
udp  0  0 145.58.30.x:43513         129.250.35.251:123          ESTABLISHED 
udp  0  0 2a02:458:101:30::x:52019  2a02:348:54:5132::1:123     ESTABLISHED 

I am not sure if this is intentional.

> I saw some reports that some ISPs are now blocking incoming packets
> with destination port 123 to prevent the NTP amplification attacks, so
> I think this feature will now be even more useful and should be
> enabled by default.
> 
> The client port number is set by the acquisitionport directive. With 0
> (the default), for each configured server there is a separate
> connected socket. With non-zero acquisitionport a common socket is
> used for all servers and if acquisitionport is equal to the server
> port, one socket (per address family) is used for all packets as
> before.
> 
> There is one thing I'm not really sure about. The code binds all NTP
> sockets to the address configured by the bindaddress directive. I'm
> thinking if I should modify it so that only the server sockets are
> bound to the address and not the client sockets. Does anyone know if
> there is a use case where it would break things?
> 

Just a thought, I think it could be useful to separate this out on
different IP addresses.

Maybe you could introduce server-bindaddress and client-bindaddress
which would take their default from bindaddress and use the null-address
to specify INADDR_ANY?

-- 
Leo Baltus, internetbeheerder
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
servicedesk@xxxxxxxxx, 035-6773555
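The source-port reuse Leo reports above (one ESTABLISHED line per server in netstat) follows from how a connected UDP socket works: the kernel picks the ephemeral port once, at connect(), and keeps it for the socket's lifetime, whereas a resolver that opens a new socket per query gets a new port each time. The following is an added example, not code from the thread or from chrony; it reproduces both behaviours against a constructed loopback stand-in for an NTP server (an arbitrary unprivileged port, not 123).

```python
import socket


def start_fake_ntp_server():
    """Constructed stand-in for an NTP server: a UDP socket on loopback,
    bound to an ephemeral port so no privileges are needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(2.0)
    return srv


def poll_connected(server, polls):
    """acquisitionport 0 model: one connected UDP socket per server, kept
    open between polls. The kernel assigns the ephemeral source port once,
    at connect(), so every poll leaves with that same port. A connected
    socket also makes the kernel drop datagrams from any other peer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.connect(server.getsockname())
        for _ in range(polls):
            c.send(b"poll")
        # Source ports as the server sees them (what its netstat would show).
        return sorted({server.recvfrom(64)[1][1] for _ in range(polls)})


def poll_fresh_socket(server, polls):
    """Resolver-style contrast: a fresh socket for each poll, so the kernel
    autobinds a new random ephemeral port at every sendto()."""
    for _ in range(polls):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
            c.sendto(b"poll", server.getsockname())
    return sorted({server.recvfrom(64)[1][1] for _ in range(polls)})


def compare(polls=5):
    """Return (ports seen from one connected socket,
               ports seen from one fresh socket per poll)."""
    with start_fake_ntp_server() as srv:
        return poll_connected(srv, polls), poll_fresh_socket(srv, polls)


if __name__ == "__main__":
    connected, fresh = compare()
    print("connected socket, source ports seen by server:", connected)
    print("fresh socket per poll, source ports seen by server:", fresh)
```

The first list has exactly one port, matching the single stable port per server in the netstat output above; the second list has a different port for (almost) every poll, which is the DNS-like behaviour Leo expected.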
