Re: [chrony-users] firewalling chrony



On Thu, Mar 27, 2014 at 02:57:49PM +0100, Leo Baltus wrote:
> This is running nicely now for a couple of hours. I don't see any weird
> things in the logs. It also works nicely over ipv6.

That's good to hear. Thanks.

> The randomness of the source ports is not what I was expecting however.
> Comparing this with DNS it strikes me that source ports are being reused.
> 
> Looking at the connection table (netstat -anu) the socket stays open:
> 
> udp  0  0 145.58.30.x:41649         95.85.59.120:123            ESTABLISHED 
> udp  0  0 145.58.30.x:43513         129.250.35.251:123          ESTABLISHED 
> udp  0  0 2a02:458:101:30::x:52019  2a02:348:54:5132::1:123     ESTABLISHED 
> 
> I am not sure if this is intentional.

You mean it should create a new socket with a different port for each
client request? Does any NTP client do that? Currently, the socket is
created just once when the association is initialized and I'm not sure
if it would be worth the overhead (in the local system, NATs,
firewalls).

> > There is one thing I'm not really sure. The code binds all NTP
> > sockets to the address configured by the bindaddress directive. I'm
> > thinking if I should modify it so that only the server sockets are
> > bound to the address and not the client sockets. Anyone knows if there
> > is a use case where it would break things?
> 
> Just a thought, I think it could be useful to separate this out on
> different ip-addresses.

Add a new option to the server directive like this?

server a.b.c bindaddress 10.1.1.1

> Maybe you could introduce server-bindaddress and client-bindaddress
> which would take their default from bindaddress and use the null-address
> to specify INADDR_ANY?

I think we could follow the naming convention and introduce a
bindacquisitionaddress directive, which would bind only the client
port and be INADDR_ANY by default. But that would be a global setting
for all client associations.

-- 
Miroslav Lichvar
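The behaviour Leo observed in netstat and Miroslav describes above (one connected UDP socket per server association, with the ephemeral source port chosen once and reused for every poll, versus a fresh socket and port per request) can be reproduced with plain sockets. The following is an added example, not chrony's code and not from the thread: it runs a loopback stand-in for an NTP server (constructed for the example), builds minimal NTPv4 mode-3 requests, and compares the source ports each client model uses. The `Association` class, its `bindaddress` parameter (standing in for the per-server bind discussed above), and the reply check are the example's own assumptions about how such a client is structured.

```python
import socket
import struct
import threading
import time

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)


def ntp_timestamp(unix_time):
    # 64-bit NTP timestamp: 32-bit seconds, 32-bit fraction, network byte order
    sec = int(unix_time + NTP_UNIX_OFFSET)
    frac = int((unix_time + NTP_UNIX_OFFSET - sec) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", sec, frac)


def build_client_request():
    # 48-byte NTPv4 packet: byte 0 = LI 0, VN 4, mode 3 (client); transmit timestamp at offset 40
    pkt = bytearray(48)
    pkt[0] = 0x23
    pkt[40:48] = ntp_timestamp(time.time())
    return bytes(pkt)


def build_server_reply(request):
    # mode-4 reply that echoes the client's transmit timestamp as the originate timestamp
    reply = bytearray(48)
    reply[0], reply[1] = 0x24, 2                    # VN 4, mode 4 (server); stratum 2 (arbitrary)
    reply[24:32] = request[40:48]                   # originate timestamp
    reply[32:48] = ntp_timestamp(time.time()) * 2   # receive and transmit timestamps
    return bytes(reply)


def reply_matches(request, reply):
    # Client-side check before a reply is trusted: right mode, and our own transmit
    # timestamp echoed back, so unsolicited or stale datagrams are rejected
    return len(reply) >= 48 and reply[0] & 0x07 == 4 and reply[24:32] == request[40:48]


def start_fake_server():
    # Loopback stand-in for an NTP server (constructed for this example, not a real one)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.1)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(512)
            except socket.timeout:
                continue
            if len(data) >= 48 and data[0] & 0x07 == 3:
                sock.sendto(build_server_reply(data), peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname(), stop


class Association:
    # One long-lived connected UDP socket per server, the model described in the thread:
    # the kernel picks the source port once, at creation, and every later poll reuses it.
    def __init__(self, server_addr, bindaddress=None):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        if bindaddress is not None:       # per-association bind (assumed option, see lead-in)
            self.sock.bind((bindaddress, 0))
        self.sock.connect(server_addr)
        self.sock.settimeout(2.0)
        self.local_port = self.sock.getsockname()[1]

    def poll(self):
        request = build_client_request()
        self.sock.send(request)
        # connected socket: the kernel already drops datagrams from any other peer
        return reply_matches(request, self.sock.recv(512))


def poll_with_fresh_socket(server_addr):
    # The alternative raised in the thread: a new socket, hence a new source port, per request
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.connect(server_addr)
    sock.settimeout(2.0)
    request = build_client_request()
    sock.send(request)
    result = (sock.getsockname()[1], reply_matches(request, sock.recv(512)))
    sock.close()
    return result


def compare_port_usage(polls=5):
    # Returns [(source_port, reply_ok), ...] for each approach against the loopback server
    server_addr, stop = start_fake_server()
    try:
        assoc = Association(server_addr, bindaddress="127.0.0.1")
        long_lived = [(assoc.local_port, assoc.poll()) for _ in range(polls)]
        assoc.sock.close()
        per_request = [poll_with_fresh_socket(server_addr) for _ in range(polls)]
    finally:
        stop.set()
    return long_lived, per_request


if __name__ == "__main__":
    long_lived, per_request = compare_port_usage()
    print("one socket per association, ports used:", sorted({p for p, _ in long_lived}))
    print("one socket per request, ports used:    ", [p for p, _ in per_request])
```

The long-lived association reports a single source port for all five polls, which is exactly the stable `ESTABLISHED` UDP entry netstat shows; the per-request variant asks the kernel for a port each time. For a stateful firewall that distinction matters little (the reply is matched to the outgoing datagram either way), but for static rules on a host that cannot track UDP state it is the reason a chrony client can be allowed with a single rule per local address rather than per port. While the example runs, `ss -anu` or `netstat -anu` will show the association's socket in the same form as the entries quoted above.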

-- 
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx 
with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

