Re: [chrony-users] firewalling chrony



On 01/04/2014 at 17:57:52 +0200, Miroslav Lichvar wrote:
> On Thu, Mar 27, 2014 at 02:57:49PM +0100, Leo Baltus wrote:
> > This is running nicely now for a couple of hours. I don't see any weird
> > things in the logs. It also works nicely over ipv6.
> 
> That's good to hear. Thanks.
> 
> > The randomness of the source ports is not what I was expecting however.
> > Comparing this with DNS it strikes me that source ports are being reused.
> > 
> > Looking at the connection table (netstat -anu) the socket stays open:
> > 
> > udp  0  0 145.58.30.x:41649         95.85.59.120:123            ESTABLISHED 
> > udp  0  0 145.58.30.x:43513         129.250.35.251:123          ESTABLISHED 
> > udp  0  0 2a02:458:101:30::x:52019  2a02:348:54:5132::1:123     ESTABLISHED 
> > 
> > I am not sure if this is intentional.
> 
> You mean it should create a new socket with a different port for each
> client request? Does any NTP client do that? Currently, the socket is
> created just once when the association is initialized and I'm not sure
> if it would be worth the overhead (in the local system, NATs,
> firewalls).
> 

Ok.

> > > There is one thing I'm not really sure. The code binds all NTP
> > > sockets to the address configured by the bindaddress directive. I'm
> > > thinking if I should modify it so that only the server sockets are
> > > bound to the address and not the client sockets. Anyone knows if there
> > > is a use case where it would break things?
> > 
> > Just a thought, I think it could be useful to separate this out on
> > different ip-addresses.
> 
> Add a new option to the server directive like this?
> 
> server a.b.c bindaddress 10.1.1.1

I meant 1 bindaddress for client-sockets and 1 bindaddress for
server-sockets.

> 
> > Maybe you could introduce server-bindaddress and client-bindaddress
> > which would take their default from bindaddress and use the null-address
> > to specify INADDR_ANY?
> 
> I think we could follow the naming convention and introduce
> bindacquisitionaddress directive, which would bind only the client
> port and be INADDR_ANY by default. But that would be global setting
> for all client associations.
> 

Yes.

But I must add that I don't have any use for it.


-- 
Leo Baltus, internetbeheerder
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
servicedesk@xxxxxxxxx, 035-6773555
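Added example (not from the thread or from chrony): a small parser for the `netstat -anu` lines quoted above, so the persistent per-association client sockets can be listed when writing firewall rules. The sample input is constructed in the format of the quoted output, with the same masked addresses; only the final listening line is assumed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of `netstat -anu` as quoted in the thread.
# The first three lines mirror the post; the 0.0.0.0:123 listener is assumed.
NETSTAT_SAMPLE = """\
udp  0  0 145.58.30.x:41649         95.85.59.120:123            ESTABLISHED
udp  0  0 145.58.30.x:43513         129.250.35.251:123          ESTABLISHED
udp  0  0 2a02:458:101:30::x:52019  2a02:348:54:5132::1:123     ESTABLISHED
udp  0  0 0.0.0.0:123               0.0.0.0:*
"""

@dataclass(frozen=True)
class UdpSocket:
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]   # None when netstat prints '*'
    state: str                   # '' for an unconnected listener

def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    # rpartition keeps IPv6 addresses (which contain ':') intact.
    addr, _, port = endpoint.rpartition(":")
    return addr, (None if port == "*" else int(port))

def parse_netstat(text: str) -> List[UdpSocket]:
    """Parse udp/udp6 rows of `netstat -anu` output into UdpSocket records."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("udp", "udp6"):
            continue
        local_addr, local_port = _split_endpoint(fields[3])
        remote_addr, remote_port = _split_endpoint(fields[4])
        state = fields[5] if len(fields) > 5 else ""
        sockets.append(UdpSocket(local_addr, local_port, remote_addr, remote_port, state))
    return sockets

def ntp_client_sockets(sockets: List[UdpSocket]) -> List[UdpSocket]:
    """Connected sockets towards port 123: one per server association, kept
    open by chrony, so the ephemeral source port only changes on restart."""
    return [s for s in sockets if s.remote_port == 123 and s.state == "ESTABLISHED"]

def firewall_pairs(sockets: List[UdpSocket]) -> List[Tuple[int, str]]:
    """(local_port, server) pairs a stateful rule will see for outgoing NTP."""
    return [(s.local_port, s.remote_addr) for s in ntp_client_sockets(sockets)]
```

Because the source port is stable per association rather than per request, a rule matching on destination port 123 plus connection state is the robust choice; allowing specific source ports would break on the next restart.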
