|Re: [chrony-users] firewalling chrony|
On 01/04/2014 at 17:57:52 +0200, Miroslav Lichvar wrote:
> On Thu, Mar 27, 2014 at 02:57:49PM +0100, Leo Baltus wrote:
> > This is running nicely now for a couple of hours. I don't see any weird
> > things in the logs. It also works nicely over ipv6.
> That's good to hear. Thanks.
> > The randomness of the source ports is not what I was expecting however.
> > Comparing this with DNS it strikes me that source ports are being reused.
> > Looking at the connection table (netstat -anu) the socket stays open:
> > udp 0 0 145.58.30.x:41649 126.96.36.199:123 ESTABLISHED
> > udp 0 0 145.58.30.x:43513 188.8.131.52:123 ESTABLISHED
> > udp 0 0 2a02:458:101:30::x:52019 2a02:348:54:5132::1:123 ESTABLISHED
> > I am not sure if this is intentional.
> You mean it should create a new socket with a different port for each
> client request? Does any NTP client do that? Currently, the socket is
> created just once when the association is initialized and I'm not sure
> if it would be worth the overhead (in the local system, NATs,
> > > There is one thing I'm not really sure about. The code binds all NTP
> > > sockets to the address configured by the bindaddress directive. I'm
> > > thinking if I should modify it so that only the server sockets are
> > > bound to the address and not the client sockets. Anyone knows if there
> > > is a use case where it would break things?
> > Just a thought, I think it could be useful to separate this out on
> > different ip-addresses.
> Add a new option to the server directive like this?
> server a.b.c bindaddress 10.1.1.1
I meant 1 bindaddress for client-sockets and 1 bindaddress for
> > Maybe you could introduce server-bindaddress and client-bindaddress
> > which would take their default from bindaddress and use the null-address
> > to specify INADDR_ANY?
> I think we could follow the naming convention and introduce
> bindacquisitionaddress directive, which would bind only the client
> port and be INADDR_ANY by default. But that would be global setting
> for all client associations.
But I must add that I don't have any use for it.
Leo Baltus, internetbeheerder
NPO ICT Internet Services
Bart de Graaffweg 2, 1217 ZL Hilversum
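The observation above rests on reading `netstat -anu` by eye and noticing that each association keeps one local port. As an added example (not code from the thread or from chrony), the script below parses netstat-style UDP rows into NTP client sockets (connected, remote port 123) and NTP server sockets (listening on local port 123), and compares two snapshots taken some time apart to list the servers whose source port did not change. The sample input is constructed to match the column layout quoted in the mail, including the anonymised "x" octets; the IPv6 handling relies on the port being the text after the last colon.

```python
from typing import List, Tuple

# Constructed sample in the layout of `netstat -anu` as quoted in the thread.
# The three ESTABLISHED rows are chrony's per-server client sockets; the two
# rows with remote "*" are listening server sockets (what `bindaddress` binds).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address         State
udp        0      0 145.58.30.x:41649        126.96.36.199:123       ESTABLISHED
udp        0      0 145.58.30.x:43513        188.8.131.52:123        ESTABLISHED
udp        0      0 2a02:458:101:30::x:52019 2a02:348:54:5132::1:123 ESTABLISHED
udp        0      0 0.0.0.0:123              0.0.0.0:*
udp6       0      0 :::123                   :::*
"""

NTP_PORT = "123"

Row = Tuple[str, str, str, str, str, str]          # proto, laddr, lport, raddr, rport, state
ClientSocket = Tuple[str, str, str]                 # laddr, lport, raddr


def split_addr_port(endpoint: str) -> Tuple[str, str]:
    """Split 'addr:port'; the address may itself contain colons (IPv6), so
    the port is whatever follows the last colon ('*' for listening sockets)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_netstat(text: str) -> List[Row]:
    """Turn netstat output into rows, skipping headers and non-UDP lines."""
    rows: List[Row] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("udp"):
            continue
        proto, _recvq, _sendq, local, remote = fields[:5]
        state = fields[5] if len(fields) > 5 else ""
        laddr, lport = split_addr_port(local)
        raddr, rport = split_addr_port(remote)
        rows.append((proto, laddr, lport, raddr, rport, state))
    return rows


def ntp_client_sockets(rows: List[Row]) -> List[ClientSocket]:
    """Connected UDP sockets talking to remote port 123: one per configured server."""
    return [(laddr, lport, raddr)
            for (_, laddr, lport, raddr, rport, _) in rows if rport == NTP_PORT]


def ntp_server_sockets(rows: List[Row]) -> List[Tuple[str, str]]:
    """Sockets listening on local port 123, with the protocol they were opened on."""
    return [(laddr, proto)
            for (proto, laddr, lport, _, rport, _) in rows
            if lport == NTP_PORT and rport == "*"]


def reused_source_ports(before: List[ClientSocket], after: List[ClientSocket]) -> List[str]:
    """Servers whose local source port is identical in two snapshots taken apart
    in time. A client that opened a fresh socket per request would show a
    different port; a socket created once per association keeps the same one."""
    port_before = {raddr: lport for _, lport, raddr in before}
    return sorted(raddr for _, lport, raddr in after if port_before.get(raddr) == lport)


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    clients = ntp_client_sockets(rows)
    for laddr, lport, raddr in clients:
        print(f"client  {laddr}:{lport} -> {raddr}:{NTP_PORT}")
    for laddr, proto in ntp_server_sockets(rows):
        print(f"server  {proto} listening on {laddr}:{NTP_PORT}")
    # Second "snapshot": constructed as identical, which is what the mail reports.
    later = ntp_client_sockets(parse_netstat(NETSTAT_SAMPLE))
    print("source port unchanged for:", reused_source_ports(clients, later))
```

In practice the two snapshots would come from running netstat at two points in time; a server that appears in the result keeps a stable, predictable source port, which is the firewall and spoofing consideration behind the question in the thread.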