|Re: [chrony-users] firewalling chrony|
[ Thread Index |
| More chrony.tuxfamily.org/chrony-users Archives
Op 25/03/2014 om 15:45:35 +0100, schreef Miroslav Lichvar:
> On Tue, Mar 04, 2014 at 03:25:16PM +0100, Leo Baltus wrote:
> > I'll cowardly wait for the 'separate sockets for each configured server'
> > patch as I don't feel confident enough to do it myself.
> This is now implemented in git. Can you please test it?
This is running nicely now for a couple of hours. I don't see any weird
things in the logs. It also works nicely over ipv6.
The randomness of the source ports is not what I was expecting however.
Comparing this with DNS it strikes me that source ports are beeing reused.
Looking at the connection table (netstat -anu) the socket stays open:
udp 0 0 145.58.30.x:41649 126.96.36.199:123 ESTABLISHED
udp 0 0 145.58.30.x:43513 188.8.131.52:123 ESTABLISHED
udp 0 0 2a02:458:101:30::x:52019 2a02:348:54:5132::1:123 ESTABLISHED
I am not sure if this is intentional.
> I saw some reports that some ISPs are now blocking incoming packets
> with destination port 123 to prevent the NTP amplification attacks, so
> I think this feature will now be even more useful and should be
> enabled by default.
> The client port number is set by the acquisitionport directive. With 0
> (the default), for each configured server there is a separate
> connected socket. With non-zero acquisitionport a common socket is
> used for all servers and if acquisitionport is equal to the server
> port, one socket (per address family) is used for all packets as
> There is one thing I'm not really sure. The code binds all NTP
> sockets to the address configured by the bindaddress directive. I'm
> thinking if I should modify it so that only the server sockets are
> bound to the address and not the client sockets. Anyone knows if there
> is a use case where it would break things?
Just a thought, I think it could be useful to separate this out on
Maybe you could introduce server-bindaddress and client-bindaddress
which would take their default from bindaddress and use the null-address
to specify INADDR_ANY?
Leo Baltus, internetbeheerder
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.