Re: [chrony-users] firewalling chrony |
[ Thread Index |
Date Index
| More chrony.tuxfamily.org/chrony-users Archives
]
On Thu, Mar 27, 2014 at 02:57:49PM +0100, Leo Baltus wrote:
> This is running nicely now for a couple of hours. I don't see any weird
> things in the logs. It also works nicely over ipv6.
That's good to hear. Thanks.
> The randomness of the source ports is not what I was expecting however.
> Comparing this with DNS it strikes me that source ports are beeing reused.
>
> Looking at the connection table (netstat -anu) the socket stays open:
>
> udp 0 0 145.58.30.x:41649 95.85.59.120:123 ESTABLISHED
> udp 0 0 145.58.30.x:43513 129.250.35.251:123 ESTABLISHED
> udp 0 0 2a02:458:101:30::x:52019 2a02:348:54:5132::1:123 ESTABLISHED
>
> I am not sure if this is intentional.
You mean it should create a new socket with a different port for each
client request? Does any NTP client do that? Currently, the socket is
created just once when the association is initialized and I'm not sure
if it would be worth the overhead (in the local system, NATs,
firewalls).
> > There is one thing I'm not really sure. The code binds all NTP
> > sockets to the address configured by the bindaddress directive. I'm
> > thinking if I should modify it so that only the server sockets are
> > bound to the address and not the client sockets. Anyone knows if there
> > is a use case where it would break things?
>
> Just a thought, I think it could be useful to separate this out on
> different ip-addresses.
Add a new option to the server directive like this?
server a.b.c bindaddress 10.1.1.1
> Maybe you could introduce server-bindaddress and client-bindaddress
> which would take their default from bindaddress and use the null-address
> to specify INADDR_ANY?
I think we could follow the naming convention and introduce
bindacquisitionaddress directive, which would bind only the client
port and be INADDR_ANY by default. But that would be global setting
for all client associations.
--
Miroslav Lichvar
--
To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "unsubscribe" in the subject.
For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx
with "help" in the subject.
Trouble? Email listmaster@xxxxxxxxxxxxxxxxxxxx.