Re: [chrony-users] chronyc command for local chronyd and firewalld seem to interfere



On Tue, Mar 25, 2014 at 9:37 AM, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:

> What does "tcpdump -n -i lo port 323" print when you run chronyc?

working case: (masquerading off)
08:44:55.299481 IP 127.0.0.1.41673 > 127.0.0.1.323: UDP, length 48
08:44:55.299568 IP 127.0.0.1.323 > 127.0.0.1.41673: UDP, length 32
08:44:55.300750 IP 127.0.0.1.41673 > 127.0.0.1.323: UDP, length 92
08:44:55.300831 IP 127.0.0.1.323 > 127.0.0.1.41673: UDP, length 76
08:44:55.566854 IP 127.0.0.1.41673 > 127.0.0.1.323: UDP, length 92
08:44:55.567023 IP 127.0.0.1.323 > 127.0.0.1.41673: UDP, length 76

masquerading situation:

08:48:21.088561 IP 192.168.110.22.33683 > 127.0.0.1.323: UDP, length 48
08:48:22.089761 IP 192.168.110.22.33683 > 127.0.0.1.323: UDP, length 48
08:48:24.091960 IP 192.168.110.22.33683 > 127.0.0.1.323: UDP, length 48

So the source address is being rewritten.

> If the source address is being rewritten, you will probably need to allow
> the address in chrony.conf by the cmdallow directive; by default only
> 127.0.0.1 and ::1 are allowed.

Adding a cmdallow <hostname> solves the problem.
So it seems that the FC20 firewalld behavior is different than the previous firewall rules, where source addresses were not rewritten (lo device addresses were not rewritten on my masquerading FC17 box). If I understand this correctly, this is bound to break more applications/daemons listening on 127.0.0.1 if they are only expecting that same source address too.

> Also, you could try removing the bindcmdaddress directives.

That will probably also make it work if the 323/udp traffic is configured to be allowed by the firewalld ruleset.
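An added check, not part of the original thread: it reads "tcpdump -n" text of the kind quoted above and reports command-port requests to 127.0.0.1:323 whose source address is not loopback, which is the rewritten-source symptom discussed here. The capture lines embedded below are constructed from the ones in this message; cmdallow is the real chrony.conf directive named above.

```sh
#!/bin/sh
# Added example: flag chronyc command requests (UDP 323) that reach
# 127.0.0.1 from a non-loopback source, i.e. masquerading rewrote the
# source address and chronyd will ignore them under the default cmdallow.
# Input is "tcpdump -n" text; SAMPLE_CAPTURE is constructed for this example.
SAMPLE_CAPTURE='08:44:55.299481 IP 127.0.0.1.41673 > 127.0.0.1.323: UDP, length 48
08:44:55.299568 IP 127.0.0.1.323 > 127.0.0.1.41673: UDP, length 32
08:48:21.088561 IP 192.168.110.22.33683 > 127.0.0.1.323: UDP, length 48
08:48:22.089761 IP 192.168.110.22.33683 > 127.0.0.1.323: UDP, length 48'

# rewritten_sources: read tcpdump lines on stdin and print each distinct
# non-loopback source IP that sent a request to 127.0.0.1.323.
rewritten_sources() {
    awk '$2 == "IP" && $5 == "127.0.0.1.323:" {
            src = $3
            sub(/\.[0-9]+$/, "", src)        # strip the source port
            if (src != "127.0.0.1" && !(src in seen)) { seen[src] = 1; print src }
         }'
}

# count_rewritten: number of distinct rewritten source addresses on stdin.
count_rewritten() {
    rewritten_sources | wc -l | tr -d ' '
}

# cmdallow_hint: the chrony.conf line that would admit one such source,
# as the fix in this thread does (printed only, nothing is written).
cmdallow_hint() {
    printf 'cmdallow %s\n' "$1"
}

# Demo over the constructed capture.
printf '%s\n' "$SAMPLE_CAPTURE" | rewritten_sources | while read -r ip; do
    echo "command request to 127.0.0.1:323 arrived from $ip; possible fix:"
    cmdallow_hint "$ip"
done
```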

