firewall blocks xntp system time maintenance
SuSE 8.1/cable internet access. I have xntpd running and cannot maintain system time thru SuSEfirewall2. I have:

    FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

and

    iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p udp --sport ntp --dport ntp

But neither rule seems to allow ntp access thru the firewall. I know that the firewall is blocking because, if I stop the firewall, ntp will update the system time.

    # iptables -L | grep ntp
    DROP    udp  --  anywhere  anywhere  udp dpt:ntp
    ACCEPT  udp  --  anywhere  anywhere  state NEW,RELATED,ESTABLISHED udp spt:ntp dpts:1024:65535
    DROP    udp  --  anywhere  anywhere  udp dpt:ntp
    DROP    udp  --  anywhere  anywhere  udp dpt:ntp
    ACCEPT  udp  --  anywhere  anywhere  state NEW,RELATED,ESTABLISHED udp spt:ntp dpts:1024:65535
    DROP    udp  --  anywhere  anywhere  udp dpt:ntp
    ACCEPT  udp  --  anywhere  anywhere  state NEW,RELATED,ESTABLISHED udp spt:ntp dpts:1024:65535

Also, SuSE 7.3 gave me firewall logs, /var/log/firewall, but SuSE 8.1 does not. Have I configured something wrong or is it just different? I see that everything that was in firewall (log) is also in messages (I think).

-- 
Patrick Shanahan
Registered Linux User #207535 @ http://counter.li.org
icq#173753138
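To see why that rule set drops xntpd traffic, here is an added example (not from the original post, and not SuSEfirewall2's own code) that parses a constructed copy of the `iptables -L` listing above and walks packets through it the way the kernel does: the first matching rule with a terminating target decides. It relies on ntpd using UDP 123 as both source and destination port, so a server's reply arrives as spt 123 to dpt 123, which the `dpts:1024:65535` ACCEPT never matches while the `dpt:ntp` DROP ahead of it does. Opening port 123 from one server address is modelled as an ACCEPT inserted ahead of the DROP; 192.0.2.10 and 198.51.100.7 are placeholder addresses, and the exact rule SuSEfirewall2 generates for that setting is not shown in the thread.

```python
"""Constructed iptables chain walker: first matching rule wins, as in the kernel.

Added example, not from the original thread. Parses the `iptables -L` row
format shown in the post (a constructed copy) and replays NTP packets through it.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Service names as `iptables -L` prints them without -n (constructed subset).
SERVICES = {"ntp": 123}


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else SERVICES[tok]


def _port_range(tok: str) -> range:
    """'ntp' -> 123..123, '1024:65535' -> 1024..65535."""
    lo, _, hi = tok.partition(":")
    return range(_port(lo), _port(hi or lo) + 1)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dport: int
    state: str  # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str
    src: str
    sport: Optional[range]
    dport: Optional[range]
    states: Optional[frozenset]

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("all", p.proto):
            return False
        if self.src not in ("anywhere", p.src):
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.dport is not None and p.dport not in self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse one `iptables -L` row: target prot opt source destination [matches]."""
    f = line.split()
    rest = " ".join(f[5:])
    sp = re.search(r"\bspts?:(\S+)", rest)
    dp = re.search(r"\bdpts?:(\S+)", rest)
    st = re.search(r"\bstate (\S+)", rest)
    return Rule(
        target=f[0], proto=f[1], src=f[3],
        sport=_port_range(sp.group(1)) if sp else None,
        dport=_port_range(dp.group(1)) if dp else None,
        states=frozenset(st.group(1).split(",")) if st else None,
    )


def parse_chain(listing: str) -> list:
    return [parse_rule(l) for l in listing.splitlines() if l.strip()]


def walk(chain: list, pkt: Packet, policy: str = "DROP"):
    """Return (verdict, index of the deciding rule, or None for the chain policy)."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.target, i
    return policy, None


# Constructed copy of one chain's worth of the listing in the post.
ORIGINAL = """\
DROP       udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED udp spt:ntp dpts:1024:65535
DROP       udp  --  anywhere             anywhere            udp dpt:ntp
"""

# Same chain with an ACCEPT for port 123 from one server (placeholder address)
# inserted ahead of the DROP. This models allowing 123 from a specific server,
# not the exact rule SuSEfirewall2 would generate.
FIXED = ("ACCEPT     udp  --  192.0.2.10           anywhere            udp dpt:ntp\n"
         + ORIGINAL)

# ntpd talks from UDP 123 to UDP 123, so the server's reply is spt 123 -> dpt 123.
NTPD_REPLY = Packet("udp", "192.0.2.10", 123, 123, "ESTABLISHED")
# A client using an unprivileged source port gets its reply on a high port.
HIGHPORT_REPLY = Packet("udp", "192.0.2.10", 123, 40123, "ESTABLISHED")
# An unrelated host (placeholder address) probing port 123.
STRANGER = Packet("udp", "198.51.100.7", 123, 123, "NEW")


def verdicts() -> dict:
    orig, fixed = parse_chain(ORIGINAL), parse_chain(FIXED)
    return {
        "ntpd reply, original chain": walk(orig, NTPD_REPLY),
        "high-port reply, original chain": walk(orig, HIGHPORT_REPLY),
        "ntpd reply, fixed chain": walk(fixed, NTPD_REPLY),
        "stranger, fixed chain": walk(fixed, STRANGER),
    }


if __name__ == "__main__":
    for name, (verdict, idx) in verdicts().items():
        print(f"{name:34s} -> {verdict} (rule {idx})")
```

The two original-chain cases show the mismatch: a reply to a high port is accepted by the stateful rule, but a reply to port 123 is dropped before that rule is ever consulted. Restricting the added ACCEPT to the server's address matters because a bare `dpt:ntp` ACCEPT makes the daemon reachable from any host; the `STRANGER` case shows the restricted rule still dropping such a packet.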
On Sun, 1 Dec 2002 09:18 am, SuSEnixER wrote:
SuSE 8.1/cable internet access. I have xntpd running and cannot maintain system time thru SuSEfirewall2.
Try adding these ports for access to time servers:

    FW_SERVICES_EXT_UDP="123 323"

Regards,
Graham Smith
---------------------------------------------------------
* Graham Smith <gqs@iinet.net.au> [11-30-02 21:40]:
On Sun, 1 Dec 2002 09:18 am, SuSEnixER wrote:
SuSE 8.1/cable internet access. I have xntpd running and cannot maintain system time thru SuSEfirewall2.
Try adding these ports for access to time servers FW_SERVICES_EXT_UDP="123 323"
I do not understand port 323, but port 123 did allow communication and updating the system time. I used domain#:port# instead of just opening the port.

I still do not receive separate 'firewall' logs and cannot find an option to enable them, or at least to enable them separately from 'messages' as is/WAS the case in SuSE 7.3.

Thanks, Graham Smith.

-- 
Patrick Shanahan
Registered Linux User #207535 @ http://counter.li.org
icq#173753138
* SuSEnixER; <WideGlide@MyRealBox.com> on 01 Dec, 2002 wrote:
* Graham Smith <gqs@iinet.net.au> [11-30-02 21:40]: I do not understand port:323, but port:123 did allow communication and updating the system time. I used domain#:port# instead of just opening the port.
I would have placed it under FW_TRUSTED_NETS as

    FW_TRUSTED_NETS="ip_of_ntp_server,udp,123"
I still do not receive separate 'firewall' logs and cannot find an option to enable them, or at least to enable them separately from 'messages' as is/WAS the case in SuSE 7.3.
The installation of SuSEfirewall2 should have sent a warning mail to root which basically says the following:

    Formerly, the postinstall script of SuSEfirewall2 automatically added an entry

        kern.*    -/var/log/firewall

    to your /etc/syslog.conf file to send firewall related syslog messages into the /var/log/firewall file. This is not done any longer. Add this line yourself if you like.

Hope this helps

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Mon, 2 Dec 2002 01:20 am, SuSEnixER wrote:
I do not understand port:323, but port:123 did allow communication and updating the system time. I used domain#:port# instead of just opening the port.
I still do not receive separate 'firewall' logs and cannot find an option to enable them, or at least to enable them separately from 'messages' as is/WAS the case in SuSE 7.3.
tks Graham Smith,
Oops, I just grabbed the setting I had. Port 123 is the correct port. Port 323 I use for something else. Sorry about that; it comes from working too late and not enough coffee.

-- 
Regards,
Graham Smith
---------------------------------------------------------
The 02.12.01 at 09:20, SuSEnixER wrote:
I still do not receive separate 'firewall' logs and cannot find an option to enable them, or at least to enable them separately from 'messages' as is/WAS the case in SuSE 7.3.
Edit the file "/etc/syslog.conf", and add this line:

    kern.*                              -/var/log/kernel

(or "firewall", but I prefer "kernel")

Then edit this line:

    #*.*;mail.none;news.none            -/var/log/messages

and change it to something like this one so that kernel messages do not go to the general log (they can be megabytes long in minutes in case of some problems):

    *.*;kern.none;mail.none;news.none   -/var/log/messages

After doing those modifications, restart syslog (rcsyslog restart).

Also, make sure the firewall or kernel message file is included in "/etc/logrotate.d/syslog" (I don't know if it was, because I modified it).

-- 
Cheers,
Carlos Robinson
On Monday 2 December 2002 00:06, SuSEnixER wrote:
* Richard Bos <allabos@freeler.nl> [12-01-02 17:48]:
Hi,
I have the same problems as about a week ago that kmail is crashing when a message is being deleted and kmail is used in thread mode.
Anyone else encountering this problem? It started after attempting to delete a message that was posted at Sunday evening around 2300 hours.
Delete the 'index' files in your ~/mail/directory. Kmail will regenerate new ones. Seems that an ill-formed message can play havoc with them.
Hello Patrick,

it's a message coming from you that is causing the problem. I've located and attached the exact message; please try to remember how you composed the message. Hopefully you can prevent composing messages that way.

Because of it I now get email belonging to thread "firewall blocks xntp system time maintenance" mixed with "kmail trashing again" :(

-- 
Richard Bos
Without a home the journey is endless
And now this message goes to the wrong thread as well. That's because of the wrong In-Reply-ID I guess :((

On Monday 2 December 2002 10:46, Richard Bos wrote:
On Monday 2 December 2002 00:06, SuSEnixER wrote:
* Richard Bos <allabos@freeler.nl> [12-01-02 17:48]:
Hi,
I have the same problems as about a week ago that kmail is crashing when a message is being deleted and kmail is used in thread mode.
Anyone else encountering this problem? It started after attempting to delete a message that was posted at Sunday evening around 2300 hours.
Delete the 'index' files in your ~/mail/directory. Kmail will regenerate new ones. Seems that an ill-formed message can play havoc with them.
Hello Patrick,
it's a message coming from you that is causing the problem. I've located and attached the exact message; please try to remember how you composed the message. Hopefully you can prevent composing messages that way.
Because of it I now get email belonging to thread "firewall blocks xntp system time maintenance" mixed with "kmail trashing again" :(
-- 
Richard Bos
Without a home the journey is endless
participants (5): Carlos E. R., Graham Smith, Richard Bos, SuSEnixER, Togan Muftuoglu