Re: [chrony-users] chronyc command for local chronyd and firewalld seem to interfere


On Tue, Mar 25, 2014 at 9:37 AM, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:

What does "tcpdump -n -i lo port 323" print when you run chronyc?

working case: (masquerading off)
08:44:55.299481 IP > UDP, length 48
08:44:55.299568 IP > UDP, length 32
08:44:55.300750 IP > UDP, length 92
08:44:55.300831 IP > UDP, length 76
08:44:55.566854 IP > UDP, length 92
08:44:55.567023 IP > UDP, length 76

masquerading situation:

08:48:21.088561 IP > UDP, length 48
08:48:22.089761 IP > UDP, length 48
08:48:24.091960 IP > UDP, length 48

So the source address is being rewritten.

If the source address is being rewritten, you will probably need to allow
the address in chrony.conf by the cmdallow directive, by default only and ::1 are allowed.
Adding a cmdallow <hostname> solves the problem.
So it seems that the FC20 firewalld behavior is different from the previous firewall rules, where source addresses were not rewritten (lo device addresses were not rewritten in my masquerading FC17 box). If I understand this correctly, this is bound to break more applications/daemons listening on if only expecting that same source address too.
Also, you could try removing the bindcmdaddress directives.

That will probably also make it work if the 323/udp traffic is configured to be allowed by the firewalld ruleset.
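An added example, not code from the thread or from the chrony project: the check below reads a "tcpdump -n -i lo port 323" capture and tells you whether the chronyc requests it contains would pass chronyd's cmdallow list, and how many requests went unanswered (a run of unanswered requests about a second apart is chronyc retrying, as in the masquerading capture above). The sample capture is constructed here with made-up addresses (the thread's own addresses did not survive the archive), and the tcpdump line format, the port 323 and the default cmdallow list of 127.0.0.1 and ::1 are taken from the discussion; the CIDR handling for cmdallow entries is an assumption of this example.

```python
"""Check chronyc command traffic from a loopback capture against chronyd's cmdallow list.
Added example; not code from the chrony-users thread or the chrony project."""
import ipaddress
import re

CHRONY_CMD_PORT = 323
# chronyd's default cmdallow list: loopback only, IPv4 and IPv6.
DEFAULT_CMDALLOW = ("127.0.0.1", "::1")

# Constructed sample in "tcpdump -n -i lo port 323" format (addresses are made up).
# First block: chronyc talking to chronyd over loopback, request answered.
# Middle block: the same over IPv6 loopback.
# Last block: requests whose source was rewritten by a masquerading rule; no replies,
# chronyc retries at growing intervals.
SAMPLE_CAPTURE = """\
08:44:55.299481 IP 127.0.0.1.40401 > 127.0.0.1.323: UDP, length 48
08:44:55.299568 IP 127.0.0.1.323 > 127.0.0.1.40401: UDP, length 32
08:44:56.000000 IP6 ::1.40403 > ::1.323: UDP, length 48
08:44:56.000100 IP6 ::1.323 > ::1.40403: UDP, length 32
08:48:21.088561 IP 192.0.2.10.40402 > 127.0.0.1.323: UDP, length 48
08:48:22.089761 IP 192.0.2.10.40402 > 127.0.0.1.323: UDP, length 48
"""

# tcpdump -n prints "<ts> IP|IP6 <src>.<sport> > <dst>.<dport>: UDP, length <n>".
# The greedy \S+ backtracks to the last dot, so "127.0.0.1.40401" splits correctly.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


def parse_capture(text):
    """Parse tcpdump UDP lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append({
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "length": int(m["length"]),
        })
    return packets


def is_allowed(addr, cmdallow):
    """True if addr falls within any cmdallow entry (host address or CIDR block).
    An IPv4 address never matches an IPv6 entry and vice versa."""
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in cmdallow)


def unexpected_command_sources(text, cmdallow=DEFAULT_CMDALLOW):
    """Source addresses of requests to port 323 that the cmdallow list would reject.
    A non-empty result after a loopback capture means the source is being rewritten."""
    rejected = set()
    for pkt in parse_capture(text):
        if pkt["dport"] == CHRONY_CMD_PORT and not is_allowed(pkt["src"], cmdallow):
            rejected.add(str(pkt["src"]))
    return sorted(rejected)


def unanswered_requests(text):
    """Count requests to port 323 with no matching reply later in the capture."""
    packets = parse_capture(text)
    count = 0
    for i, req in enumerate(packets):
        if req["dport"] != CHRONY_CMD_PORT:
            continue
        answered = any(
            rep["sport"] == CHRONY_CMD_PORT
            and rep["dst"] == req["src"]
            and rep["dport"] == req["sport"]
            for rep in packets[i + 1:]
        )
        if not answered:
            count += 1
    return count


if __name__ == "__main__":
    print("rejected by default cmdallow:", unexpected_command_sources(SAMPLE_CAPTURE))
    print("unanswered requests:", unanswered_requests(SAMPLE_CAPTURE))
    # Adding the rewritten source to cmdallow (constructed address) makes it acceptable.
    print("after 'cmdallow 192.0.2.10':",
          unexpected_command_sources(SAMPLE_CAPTURE, DEFAULT_CMDALLOW + ("192.0.2.10",)))
```

Feed it a real capture by piping "tcpdump -n -i lo port 323" output into a file and passing the file's contents in place of SAMPLE_CAPTURE. Widening cmdallow to the rewritten address makes chronyc work again, but it also lets any host that can reach port 323 with that source address issue commands, so prefer the narrowest entry that matches and keep the firewall rule for 323/udp in place.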
