Re: [chrony-users] firewalling chrony

[ Thread Index | Date Index | More Archives ]

Op 25/03/2014 om 15:45:35 +0100, schreef Miroslav Lichvar:
> On Tue, Mar 04, 2014 at 03:25:16PM +0100, Leo Baltus wrote:
> > I'll cowardly wait for the 'separate sockets for each configured server'
> > patch as I don't feel confident enough to do it myself.
> This is now implemented in git. Can you please test it?


This is running nicely now for a couple of hours. I don't see any weird
things in the logs. It also works nicely over ipv6.

The randomness of the source ports is not what I was expecting however.
Comparing this with DNS it strikes me that source ports are beeing reused.

Looking at the connection table (netstat -anu) the socket stays open:

udp  0  0 145.58.30.x:41649            ESTABLISHED 
udp  0  0 145.58.30.x:43513          ESTABLISHED 
udp  0  0 2a02:458:101:30::x:52019  2a02:348:54:5132::1:123     ESTABLISHED 

I am not sure if this is intentional.

> I saw some reports that some ISPs are now blocking incoming packets
> with destination port 123 to prevent the NTP amplification attacks, so
> I think this feature will now be even more useful and should be
> enabled by default.
> The client port number is set by the acquisitionport directive. With 0
> (the default), for each configured server there is a separate
> connected socket. With non-zero acquisitionport a common socket is
> used for all servers and if acquisitionport is equal to the server
> port, one socket (per address family) is used for all packets as
> before.
> There is one thing I'm not really sure. The code binds all NTP
> sockets to the address configured by the bindaddress directive. I'm
> thinking if I should modify it so that only the server sockets are
> bound to the address and not the client sockets. Anyone knows if there
> is a use case where it would break things?

Just a thought, I think it could be useful to separate this out on
different ip-addresses.

Maybe you could introduce server-bindaddress and client-bindaddress
which would take their default from bindaddress and use the null-address
to specify INADDR_ANY?

Leo Baltus, internetbeheerder
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
servicedesk@xxxxxxxxx, 035-6773555

To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Mail converted by MHonArc 2.6.19+