[opensuse] ntp question
How can it be that a server type machine, after 22 hours running continuously since boot, has ntp still in INIT state?

I noticed it when running "rcntp status" on another machine in the same LAN:

Telcontar:~ # rcntp status
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l 1266   64    0    0.000    0.000   0.000
 AmonLanc.valino .INIT.          16 u    - 1024    0    0.000    0.000   0.000
...

That says that it considers my local server, AmonLanc.valinor, to be stratum 16, unreliable!

AmonLanc:~ # systemctl status ntpd.service
ntp.service - LSB: Network time protocol daemon (ntpd)
   Loaded: loaded (/etc/init.d/ntp)
  Drop-In: /run/systemd/generator/ntp.service.d
           └─50-insserv.conf-$time.conf
   Active: active (running) since Wed 2016-03-16 11:38:56 CET; 22h ago
  Process: 2193 ExecStart=/etc/init.d/ntp start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ntp.service
           └─2253 /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -i /var/lib/ntp -c /etc/ntp.conf

Mar 16 11:38:56 AmonLanc ntpd[2251]: ntpd 4.2.6p5@1.2349-o Mon Apr 20 13:44:53 UTC 2015 (1)
Mar 16 11:38:56 AmonLanc ntp[2193]: Starting network time protocol daemon (NTPD)..done
Mar 16 11:38:56 AmonLanc ntpd[2253]: proto: precision = 0.389 usec
Mar 16 11:38:56 AmonLanc ntpd[2253]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Mar 16 11:38:56 AmonLanc systemd[1]: Started LSB: Network time protocol daemon (ntpd).
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen and drop on 1 v6wildcard :: UDP 123
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen normally on 2 lo 127.0.0.1 UDP 123
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen normally on 3 eth0 192.168.1.15 UDP 123
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen normally on 4 eth0 fe80::203:dff:fe05:17fc UDP 123
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen normally on 5 lo ::1 UDP 123
Mar 16 11:38:56 AmonLanc ntpd[2253]: peers refreshed
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listening on routing socket on fd #22 for interface updates
Mar 16 11:38:56 AmonLanc ntpd[2253]: logging to file /var/log/ntp
AmonLanc:~ #

The ntp log only contains this for the current session:

16 Mar 11:27:18 ntpd[2640]: ntpd exiting on signal 15
16 Mar 11:32:45 ntpd[2295]: 0.0.0.0 c016 06 restart
16 Mar 11:32:45 ntpd[2295]: 0.0.0.0 c012 02 freq_set kernel -39.538 PPM
16 Mar 11:32:51 ntpd[2295]: Listen normally on 6 eth0 fc00::203:dff:fe05:17fc UDP 123
16 Mar 11:32:51 ntpd[2295]: Listen normally on 7 eth0 fc00::5856:d05c:16a3:8e16 UDP 123
16 Mar 11:32:51 ntpd[2295]: peers refreshed
16 Mar 11:32:51 ntpd[2295]: new interface(s) found: waking up resolver
16 Mar 11:35:03 ntpd[2295]: ntpd exiting on signal 15
16 Mar 11:38:57 ntpd[2253]: 0.0.0.0 c016 06 restart
16 Mar 11:38:57 ntpd[2253]: 0.0.0.0 c012 02 freq_set kernel -39.538 PPM
16 Mar 11:39:06 ntpd[2253]: Listen normally on 6 eth0 fc00::21e9:7f82:3220:fcad UDP 123
16 Mar 11:39:06 ntpd[2253]: Listen normally on 7 eth0 fc00::203:dff:fe05:17fc UDP 123
16 Mar 11:39:06 ntpd[2253]: peers refreshed
16 Mar 11:39:06 ntpd[2253]: new interface(s) found: waking up resolver
16 Mar 11:42:15 ntpd[2253]: 0.0.0.0 c615 05 clock_sync

I don't know at this moment how to find out what is happening. I'm using 13.1.

--
Cheers
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
How can it be that a server type machine, after 22 hours running continuously since boot, has ntp still in INIT state?
You know the answer Carlos :-) because it hasn't managed to get a time signal from the ntp server. Run a tcpdump on port 123 to see the time traffic flowing back and forth. Maybe also clarify for us which is the ntp server and which is the client that doesn't sync.

--
Per Jessen, Zürich (2.6°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2016-03-17 09:57, Per Jessen wrote:
Carlos E. R. wrote:
How can it be that a server type machine, after 22 hours running continuously since boot, has ntp still in INIT state?
You know the answer Carlos :-) because it hasn't managed to get a time signal from the ntp server.
That can't be.

AmonLanc:~ # rcntp status
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 Telcontar.valin .INIT.          16 u    - 1024    0    0.000    0.000   0.000
-hora.ngn.rima-t 172.20.47.7      5 u  959 1024  377   14.444    0.862   2.787
*ntp.redimadrid. 193.147.107.33   2 u   43 1024  377   18.967   -0.387   0.586
+arthur.testserv 162.23.41.56     2 u  899 1024  377   57.548    0.607   0.346
-ntp.univ-angers 145.238.203.14   2 u  801 1024  337   60.726   -9.548   0.452
-x.ns.gin.ntt.ne 249.224.99.213   2 u 1051 1024  377   14.542   -9.265   1.013
+ms21.snowflakeh 162.23.41.55     2 u  732 1024  377   52.480    1.064   0.552
-62-210-28-176.r 84.255.209.79    4 u  990 1024  377   41.430   -4.797   0.778
-dnscache-london 145.238.203.14   2 u 1026 1024  377   57.125   -2.019   1.138

The asterisk means it is syncing to that machine.
Run a tcpdump on port 123 to see the time traffic flowing back and forth.
Yes, there is some.

AmonLanc:~ # tcpdump port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:09:46.474278 IP AmonLanc.valinor.ntp > arthur.testserver.li.ntp: NTPv4, Client, length 48
10:09:46.532068 IP arthur.testserver.li.ntp > AmonLanc.valinor.ntp: NTPv4, Server, length 48
10:10:09.618938 IP Telcontar.valinor.ntp > AmonLanc.valinor.ntp: NTPv4, Client, length 48
10:11:14.619002 IP Telcontar.valinor.ntp > AmonLanc.valinor.ntp: NTPv4, Client, length 48
10:11:38.474259 IP AmonLanc.valinor.ntp > ntp.univ-angers.fr.ntp: NTPv4, Client, length 48
10:11:38.536738 IP ntp.univ-angers.fr.ntp > AmonLanc.valinor.ntp: NTPv4, Server, length 48
Maybe also clarify for us which is the ntp server and which is the client that doesn't sync.
AmonLanc is the server, Telcontar is the client. The client says that the server is in INIT state and will not use it. And the server says the same of the client, see output above. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. [17.03.2016 10:13]:
On 2016-03-17 09:57, Per Jessen wrote:
Carlos E. R. wrote:
How can it be that a server type machine, after 22 hours running continuously since boot, has ntp still in INIT state?
You know the answer Carlos :-) because it hasn't managed to get a time signal from the ntp server.
That can't be.
AmonLanc:~ # rcntp status
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 Telcontar.valin .INIT.          16 u    - 1024    0    0.000    0.000   0.000
-hora.ngn.rima-t 172.20.47.7      5 u  959 1024  377   14.444    0.862   2.787
*ntp.redimadrid. 193.147.107.33   2 u   43 1024  377   18.967   -0.387   0.586
+arthur.testserv 162.23.41.56     2 u  899 1024  377   57.548    0.607   0.346
-ntp.univ-angers 145.238.203.14   2 u  801 1024  337   60.726   -9.548   0.452
-x.ns.gin.ntt.ne 249.224.99.213   2 u 1051 1024  377   14.542   -9.265   1.013
+ms21.snowflakeh 162.23.41.55     2 u  732 1024  377   52.480    1.064   0.552
-62-210-28-176.r 84.255.209.79    4 u  990 1024  377   41.430   -4.797   0.778
-dnscache-london 145.238.203.14   2 u 1026 1024  377   57.125   -2.019   1.138
You did not show *this* output in your first mail. There were only two lines, stating that host AmonLanc.valino has not yet been reached. In this output, host Telcontar.valin has never been reached.
The asterisk means it is syncing to that machine.
It means that this ntp server offers best quality. Other good servers are marked with a '+', bad servers get a '-'. The classification of 'good' and 'bad' can change every now and then, depending on the network quality and other factors.
Maybe also clarify for us which is the ntp server and which is the client that doesn't sync.
AmonLanc is the server, Telcontar is the client. The client says that the server is in INIT state and will not use it. And the server says the same of the client, see output above.
If Telcontar is a client, why does it show up in the given list? If AmonLanc is the server, why does it *not* show up in the given list? Judging from the output you show in this post, it is the other way round.

Werner
On 2016-03-17 10:23, Werner Flamme wrote:
Carlos E. R. [17.03.2016 10:13]:
You know the answer Carlos :-) because it hasn't managed to get a time signal from the ntp server.
That can't be.
AmonLanc:~ # rcntp status
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 Telcontar.valin .INIT.          16 u    - 1024    0    0.000    0.000   0.000
-hora.ngn.rima-t 172.20.47.7      5 u  959 1024  377   14.444    0.862   2.787
*ntp.redimadrid. 193.147.107.33   2 u   43 1024  377   18.967   -0.387   0.586
+arthur.testserv 162.23.41.56     2 u  899 1024  377   57.548    0.607   0.346
-ntp.univ-angers 145.238.203.14   2 u  801 1024  337   60.726   -9.548   0.452
-x.ns.gin.ntt.ne 249.224.99.213   2 u 1051 1024  377   14.542   -9.265   1.013
+ms21.snowflakeh 162.23.41.55     2 u  732 1024  377   52.480    1.064   0.552
-62-210-28-176.r 84.255.209.79    4 u  990 1024  377   41.430   -4.797   0.778
-dnscache-london 145.238.203.14   2 u 1026 1024  377   57.125   -2.019   1.138
You did not show *this* output in your first mail. There were only two lines, stating that host AmonLanc.valino has not yet been reached. In this output, host Telcontar.valin has never been reached.
Both machines say the same:

AmonLanc:~ # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 Telcontar.valin .INIT.          16 u    - 1024    0    0.000    0.000   0.000
...

Telcontar:~ # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l  74m   64    0    0.000    0.000   0.000
 AmonLanc.valino .INIT.          16 u    - 1024    0    0.000    0.000   0.000
...

The rest of the output I'm not interested in, so I removed it. That's the meaning of the "...".
AmonLanc is the server, Telcontar is the client. The client says that the server is in INIT state and will not use it. And the server says the same of the client, see output above.
If Telcontar is a client, why does it show up in the given list? If AmonLanc is the server, why does it *not* show up in the given list? Judging from the output you show in this post, it is the other way round.
Both machines are configured to use the other machine as client, but only AmonLanc is up full time, so I consider that one "server".

The problem is here:

# Access control configuration; see /usr/share/doc/packages/ntp/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust

There is no access to machines in the LAN? This configuration is not mine, it was recommended after a vulnerability bug.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
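
An added example, not part of the thread or of the ntp package: ntpd applies the most specific matching "restrict" entry to each source address, so a peer inside 192.168.1.0/24 is governed by the "notrust" line rather than by the default line, and a "server" line in that range without a key cannot authenticate. The Python check below reports such lines; the sample config is rebuilt from the lines quoted in this thread, HOSTS is a hypothetical name-to-address map standing in for DNS, and the address given for hora.ngn.rima-tde.net is a placeholder.

```python
import ipaddress

# Constructed sample: non-comment ntp.conf lines as quoted in the thread (client side).
SAMPLE_CONF = """\
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 notrust
server AmonLanc.valinor iburst
server hora.ngn.rima-tde.net
keys /etc/ntp.keys
trustedkey 1
requestkey 1
"""

# Assumed name resolution. 192.168.1.15 is AmonLanc's eth0 address from the
# thread; 203.0.113.10 is a documentation-range placeholder, not the real host.
HOSTS = {
    "AmonLanc.valinor": "192.168.1.15",
    "hora.ngn.rima-tde.net": "203.0.113.10",
}


def parse_conf(text):
    """Return (restrict entries, server/peer lines, trusted key ids)."""
    restricts, servers, trusted = [], [], set()
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword == "restrict":
            family = args.pop(0) if args[0] in ("-4", "-6") else None
            target = args.pop(0)
            if target == "default":
                # Simplification: a bare "default" is treated as IPv4 here.
                net = ipaddress.ip_network("::/0" if family == "-6" else "0.0.0.0/0")
            elif args[:1] == ["mask"]:
                net = ipaddress.ip_network(f"{target}/{args[1]}")
                args = args[2:]
            else:
                net = ipaddress.ip_network(target)   # host entry: /32 or /128
            restricts.append((net, frozenset(args)))
        elif keyword in ("server", "peer"):
            key = args[args.index("key") + 1] if "key" in args else None
            servers.append((args[0], key))
        elif keyword == "trustedkey":
            trusted.update(args)
    return restricts, servers, trusted


def effective_restriction(addr, restricts):
    """Most specific restrict entry covering addr, as (network, flags)."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, flags) for net, flags in restricts
               if net.version == ip.version and ip in net]
    return max(matches, key=lambda m: m[0].prefixlen,
               default=(None, frozenset()))


def audit(text, hosts):
    """List server/peer lines that fall under 'notrust' without a usable key."""
    restricts, servers, trusted = parse_conf(text)
    findings = []
    for host, key in servers:
        addr = hosts.get(host, host)   # literal addresses pass through unchanged
        net, flags = effective_restriction(addr, restricts)
        if "notrust" not in flags:
            continue
        if key is None:
            findings.append((host, str(net), "no key on server line"))
        elif key not in trusted:
            findings.append((host, str(net), f"key {key} not in trustedkey"))
    return findings


if __name__ == "__main__":
    for host, net, why in audit(SAMPLE_CONF, HOSTS):
        print(f"{host}: governed by 'restrict {net} ... notrust', {why}")
```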
On Thu, Mar 17, 2016 at 12:13 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
AmonLanc:~ # tcpdump port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:09:46.474278 IP AmonLanc.valinor.ntp > arthur.testserver.li.ntp: NTPv4, Client, length 48
10:09:46.532068 IP arthur.testserver.li.ntp > AmonLanc.valinor.ntp: NTPv4, Server, length 48
10:10:09.618938 IP Telcontar.valinor.ntp > AmonLanc.valinor.ntp: NTPv4, Client, length 48
10:11:14.619002 IP Telcontar.valinor.ntp > AmonLanc.valinor.ntp: NTPv4, Client, length 48
10:11:38.474259 IP AmonLanc.valinor.ntp > ntp.univ-angers.fr.ntp: NTPv4, Client, length 48
10:11:38.536738 IP ntp.univ-angers.fr.ntp > AmonLanc.valinor.ntp: NTPv4, Server, length 48
Maybe also clarify for us which is the ntp server and which is the client that doesn't sync.
AmonLanc is the server, Telcontar is the client.
There is no answer from AmonLanc to Telcontar.
On 2016-03-17 10:37, Andrei Borzenkov wrote:
On Thu, Mar 17, 2016 at 12:13 PM, Carlos E. R. <> wrote:
AmonLanc is the server, Telcontar is the client.
There is no answer from AmonLanc to Telcontar.
Ok... but why?

The firewall is open to ntp.

The ntp configuration is this, and it comes in the default config, I just looked:

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
#·················++-

This is supposed to grant time access to anybody, not just my LAN. And those in my LAN also get unlimited access (which is not needed to get the time) if they are authenticated.

I'm reading <http://support.ntp.org/bin/view/Support/AccessRestrictions>

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Thu, Mar 17, 2016 at 12:49 PM, Carlos E. R. <robin.listas@gmail.com> wrote:
On 2016-03-17 10:37, Andrei Borzenkov wrote:
On Thu, Mar 17, 2016 at 12:13 PM, Carlos E. R. <> wrote:
AmonLanc is the server, Telcontar is the client.
There is no answer from AmonLanc to Telcontar.
Ok... but why?
You seriously expect to get an answer based on information you provided? Show full /etc/ntp.conf as well as full "iptables -L -n -v" (and probably "iptables -L -n -v -t nat") and "ip addr list" and "ip route" from both client and server.
The firewall is open to ntp.
The ntp configuration is this, and it comes in the default config, I just looked:
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
#·················++-
This is supposed to grant time access to anybody, not just my LAN. And those in my LAN also get unlimited access (which is not needed to get the time) if they are authenticated.
I'm reading <http://support.ntp.org/bin/view/Support/AccessRestrictions>
-- Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2016-03-17 10:59, Andrei Borzenkov wrote:
On Thu, Mar 17, 2016 at 12:49 PM, Carlos E. R. <> wrote:
There is no answer from AmonLanc to Telcontar.
Ok... but why?
You seriously expect to get an answer based on information you provided?
well, yes, but you can ask whatever you think you need :-) There was a post with a tcpdump that displayed packets going through between these two machines.
Show full /etc/ntp.conf as well as full "iptables -L -n -v" (and probably "iptables -L -n -v -t nat") and "ip addr list" and "ip route" from both client and server.
Server:

AmonLanc:~ # cat /etc/ntp.conf | egrep -v "^[[:space:]]*$|^#"
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 notrust
driftfile /var/lib/ntp/drift/ntp.drift
logfile /var/log/ntp
logconfig =all
keys /etc/ntp.keys
trustedkey 1
requestkey 1
server telcontar.valinor iburst
server hora.ngn.rima-tde.net
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
server 0.ch.pool.ntp.org
server 0.fr.pool.ntp.org
server 0.uk.pool.ntp.org
server 0.es.pool.ntp.org
server 1.ch.pool.ntp.org
server 1.fr.pool.ntp.org
server 1.uk.pool.ntp.org
server 1.es.pool.ntp.org
AmonLanc:~ #

AmonLanc:~ # iptables -L -n -v | less -S
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
24431 1399K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2598K 470M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
13774 1581K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
29216 1646K input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-IN-ILL-
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL

Chain OUTPUT (policy ACCEPT 4173K packets, 4466M bytes)
pkts bytes target prot opt in out source destination
24431 1399K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0

Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination

Chain input_ext (1 references)
pkts bytes target prot opt in out source destination
20 1884 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast udp dpt:137
394 96573 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast udp dpt:138
30 8123 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 192.168.1.1 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514
0 0 ACCEPT icmp -- * * 192.168.1.1 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.1 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:162
6057 509K ACCEPT udp -- * * 192.168.1.5 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514
0 0 ACCEPT icmp -- * * 192.168.1.5 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.5 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:162
0 0 ACCEPT udp -- * * 192.168.1.5 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:162
0 0 ACCEPT udp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514
0 0 ACCEPT tcp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:514
0 0 ACCEPT udp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:6666
0 0 ACCEPT icmp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:4000
10426 626K ACCEPT tcp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:4080
0 0 ACCEPT tcp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:4001
0 0 ACCEPT udp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:162
0 0 ACCEPT tcp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:8000
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:4000
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:4080
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:4001
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 ctstate RELATED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
7 448 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
122 9272 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2049
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:48978
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53817
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:48978
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53817
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:20048
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20048
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:33609
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:52015
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:33609
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:52015
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111
0 0 ACCEPT udp -- * * 192.168.1.0/24 0.0.0.0/0 udp dpt:2049
0 0 ACCEPT tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:2049
12153 395K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-D
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "
7 595 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain reject_func (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
AmonLanc:~ #

AmonLanc:~ # iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
AmonLanc:~ #

AmonLanc:~ # ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:03:0d:05:17:fc brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.15/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fc00::b931:da91:ba4f:eb11/64 scope global temporary dynamic
       valid_lft 292sec preferred_lft 112sec
    inet6 fc00::21e9:7f82:3220:fcad/64 scope global temporary deprecated dynamic
       valid_lft 292sec preferred_lft 0sec
    inet6 fc00::203:dff:fe05:17fc/64 scope global dynamic
       valid_lft 292sec preferred_lft 112sec
    inet6 fe80::203:dff:fe05:17fc/64 scope link
       valid_lft forever preferred_lft forever

AmonLanc:~ # ip route
default via 192.168.1.1 dev eth0
127.0.0.0/8 dev lo scope link
169.254.0.0/16 dev eth0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.15
AmonLanc:~ #

Client:

Telcontar:~ # cat /etc/ntp.conf | egrep -v "^[[:space:]]*$|^#"
server 127.127.1.0 # local clock (LCL)
fudge 127.127.1.0 stratum 10 # LCL is unsynchronized
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 notrust
server AmonLanc.valinor iburst
server hora.ngn.rima-tde.net
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
server 0.ch.pool.ntp.org
server 0.fr.pool.ntp.org
server 0.uk.pool.ntp.org
server 0.es.pool.ntp.org
server 1.ch.pool.ntp.org
server 1.fr.pool.ntp.org
server 1.uk.pool.ntp.org
server 1.es.pool.ntp.org
driftfile /var/lib/ntp/drift/ntp.drift # path for drift file
logfile /var/log/ntp # alternate log file
logconfig =all
statsdir /var/log/ntpstat/ # directory for statistics files
filegen peerstats file peerstats type day enable
filegen loopstats file loopstats type day enable
filegen clockstats file clockstats type day enable
keys /etc/ntp.keys # path for keys file
trustedkey 1 # define trusted keys
requestkey 1 # key (7) for accessing server variables

Telcontar:~ # iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
55720 24M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
212K 249M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
4 340 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
0 0 input_int all -- vmnet8 * 0.0.0.0/0 0.0.0.0/0
0 0 input_int all -- vmnet1 * 0.0.0.0/0 0.0.0.0/0
1990 79889 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-IN-ILL-TARGET "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT 201K packets, 14M bytes)
pkts bytes target prot opt in out source destination
55720 24M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 1011 LOG flags 0 level 4 prefix "Do not talk home: "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 1011 reject-with icmp-port-unreachable

Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination

Chain forward_int (0 references)
pkts bytes target prot opt in out source destination

Chain input_ext (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast udp dpt:137
57 13984 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast udp dpt:138
2 666 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 192.168.1.1 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514
0 0 ACCEPT icmp -- * * 192.168.1.1 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.5 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514
0 0 ACCEPT icmp -- * * 192.168.1.5 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.6 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514
0 0 ACCEPT icmp -- * * 192.168.1.6 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.29 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514
0 0 ACCEPT icmp -- * * 192.168.1.29 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.1.2 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445
0 0 ACCEPT tcp -- * * 192.168.1.2 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139
0 0 ACCEPT udp -- * * 192.168.1.2 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138
0 0 ACCEPT udp -- * * 192.168.1.2 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137
0 0 ACCEPT udp -- * * 192.168.1.3 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:5353
0 0 ACCEPT udp -- * * 192.168.1.11 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:53
0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:37
0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445
0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139
0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138
0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137
0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:873
0 0 ACCEPT tcp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:53
0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:53
0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21
0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20
0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:25
1 60 ACCEPT tcp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:25
0 0 ACCEPT tcp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21
0 0 ACCEPT tcp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20
0 0 ACCEPT udp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514
0 0 ACCEPT tcp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:514
0 0 ACCEPT udp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:6666
0 0 ACCEPT icmp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 192.168.1.32 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:2049
0 0 ACCEPT tcp -- * * 192.168.1.50 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445
0 0 ACCEPT tcp -- * * 192.168.1.50 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139
0 0 ACCEPT udp -- * * 192.168.1.50 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138
0 0 ACCEPT udp -- * * 192.168.1.50 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137
0 0 ACCEPT tcp -- * * 192.168.1.50 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:80
0 0 ACCEPT tcp -- * * 192.168.1.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:631
0 0 ACCEPT udp -- * * 192.168.1.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:631
0 0 ACCEPT tcp -- * * 192.168.1.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:80
0 0 ACCEPT tcp -- * * 192.168.1.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21
0 0 ACCEPT tcp -- * * 192.168.1.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20
0 0 ACCEPT tcp -- * * 192.168.74.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445
0 0 ACCEPT tcp -- * * 192.168.74.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139
0 0 ACCEPT udp -- * * 192.168.74.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138
0 0 ACCEPT udp -- * * 192.168.74.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137
0 0 ACCEPT tcp -- * * 192.168.1.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:631
0 0 ACCEPT udp -- * * 192.168.1.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:631
0 0 ACCEPT tcp -- * * 192.168.1.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:80
0 0 ACCEPT tcp -- * * 192.168.1.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21
0 0 ACCEPT tcp -- * * 192.168.1.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20
0 0 ACCEPT tcp -- * * 192.168.74.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445
0 0 ACCEPT tcp -- * * 192.168.74.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139
0 0 ACCEPT udp -- * * 192.168.74.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138
0 0 ACCEPT udp -- * * 192.168.74.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:143
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:993
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:80
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpts:30000:30100
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:2049
0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:873
0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:143
0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:993
0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21
0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20
0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpts:30000:30100
0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:2049
0 0 ACCEPT tcp -- * * 192.168.1.131 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21
0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20
0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpts:30000:30100
0 0 ACCEPT tcp -- * * 192.168.1.131 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:2049
0 0 ACCEPT tcp -- * * 192.168.74.125 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445
0 0 ACCEPT tcp -- * * 192.168.74.125 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139
0 0 ACCEPT udp -- * * 192.168.74.125 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138
0 0 ACCEPT udp -- * * 192.168.74.125 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137
0 0 ACCEPT tcp -- * * 192.168.74.127 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:22
0 0 ACCEPT udp -- * * 172.26.0.0/16 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 192.168.1.0/24 0.0.0.0/0 udp spt:137 ctstate RELATED
0 0 ACCEPT
tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp spt:21 ctstate RELATED 0 0 ACCEPT tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp spt:20 ctstate RELATED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1720 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:30000:30010 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4664 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1720 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:5060:5100 10 1865 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5353 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4674 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4667 2 126 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 33 2508 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:49021 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50029 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:49021 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50029 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:59316 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:52361 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:59316 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:52361 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2049 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2049 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:20048 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20048 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 0 0 ACCEPT udp -- * * 192.168.1.0/24 0.0.0.0/0 udp dpt:2049 0 0 ACCEPT tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:2049 0 0 ACCEPT udp -- * * 192.168.74.0/24 0.0.0.0/0 udp dpt:2049 0 0 
ACCEPT tcp -- * * 192.168.74.0/24 0.0.0.0/0 tcp dpt:2049 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:111 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:111 1840 58880 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT " 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT " 0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT " 45 1800 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain input_int (2 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 0 0 ACCEPT udp -- * * 192.168.1.1 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514 0 0 ACCEPT icmp -- * * 192.168.1.1 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED 0 0 ACCEPT udp -- * * 192.168.1.5 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514 0 0 ACCEPT icmp -- * * 192.168.1.5 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED 0 0 ACCEPT udp -- * * 192.168.1.6 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514 0 0 ACCEPT icmp -- * * 192.168.1.6 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED 0 0 ACCEPT udp -- * * 192.168.1.29 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514 0 0 ACCEPT icmp -- * * 192.168.1.29 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 192.168.1.2 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445 0 0 ACCEPT tcp -- * * 192.168.1.2 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139 0 0 ACCEPT udp -- * * 192.168.1.2 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138 0 0 ACCEPT udp -- * * 192.168.1.2 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137 0 0 ACCEPT udp 
-- * * 192.168.1.3 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:5353 0 0 ACCEPT udp -- * * 192.168.1.11 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:53 0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:37 0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445 0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139 0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138 0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137 0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:873 0 0 ACCEPT tcp -- * * 192.168.1.14 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:53 0 0 ACCEPT udp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:53 0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21 0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20 0 0 ACCEPT tcp -- * * 192.168.1.12 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:25 0 0 ACCEPT tcp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:25 0 0 ACCEPT tcp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21 0 0 ACCEPT tcp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20 0 0 ACCEPT udp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:514 0 0 ACCEPT tcp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:514 0 0 ACCEPT udp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:6666 0 0 ACCEPT icmp -- * * 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 192.168.1.32 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:2049 0 0 ACCEPT tcp -- * * 192.168.1.50 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445 0 0 ACCEPT tcp -- * * 192.168.1.50 0.0.0.0/0 ctstate 
NEW,RELATED,ESTABLISHED tcp dpt:139 0 0 ACCEPT udp -- * * 192.168.1.50 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138 0 0 ACCEPT udp -- * * 192.168.1.50 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137 0 0 ACCEPT tcp -- * * 192.168.1.50 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:80 0 0 ACCEPT tcp -- * * 192.168.1.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:631 0 0 ACCEPT udp -- * * 192.168.1.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:631 0 0 ACCEPT tcp -- * * 192.168.1.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:80 0 0 ACCEPT tcp -- * * 192.168.1.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21 0 0 ACCEPT tcp -- * * 192.168.1.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20 0 0 ACCEPT tcp -- * * 192.168.74.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445 0 0 ACCEPT tcp -- * * 192.168.74.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139 0 0 ACCEPT udp -- * * 192.168.74.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138 0 0 ACCEPT udp -- * * 192.168.74.51 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137 0 0 ACCEPT tcp -- * * 192.168.1.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:631 0 0 ACCEPT udp -- * * 192.168.1.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:631 0 0 ACCEPT tcp -- * * 192.168.1.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:80 0 0 ACCEPT tcp -- * * 192.168.1.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21 0 0 ACCEPT tcp -- * * 192.168.1.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20 0 0 ACCEPT tcp -- * * 192.168.74.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445 0 0 ACCEPT tcp -- * * 192.168.74.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139 0 0 ACCEPT udp -- * * 192.168.74.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138 0 0 ACCEPT udp -- * * 192.168.74.52 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137 0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:143 0 0 
ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:993 0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21 0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20 0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:80 0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpts:30000:30100 0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:2049 0 0 ACCEPT tcp -- * * 192.168.1.129 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:873 0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:143 0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:993 0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21 0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20 0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpts:30000:30100 0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:2049 0 0 ACCEPT tcp -- * * 192.168.1.131 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:21 0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:20 0 0 ACCEPT tcp -- * * 192.168.1.130 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpts:30000:30100 0 0 ACCEPT tcp -- * * 192.168.1.131 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:2049 0 0 ACCEPT tcp -- * * 192.168.74.125 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:445 0 0 ACCEPT tcp -- * * 192.168.74.125 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp dpt:139 0 0 ACCEPT udp -- * * 192.168.74.125 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:138 0 0 ACCEPT udp -- * * 192.168.74.125 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED udp dpt:137 0 0 ACCEPT tcp -- * * 192.168.74.127 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED tcp 
dpt:22 0 0 ACCEPT udp -- * * 172.26.0.0/16 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT " 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT " 0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT " 0 0 reject_func all -- * * 0.0.0.0/0 0.0.0.0/0 Chain reject_func (1 references) pkts bytes target prot opt in out source destination 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable Telcontar:~ # iptables -L -n -v -t nat Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Telcontar:~ # ip addr list 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd 127.255.255.255 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:21:85:16:2d:0b brd ff:ff:ff:ff:ff:ff inet 192.168.1.14/24 brd 192.168.1.255 scope global eth0 valid_lft forever preferred_lft forever inet6 
fc00::221:85ff:fe16:2d0b/64 scope global dynamic valid_lft 297sec preferred_lft 117sec inet6 fc00::14/64 scope global valid_lft forever preferred_lft forever inet6 fe80::221:85ff:fe16:2d0b/64 scope link valid_lft forever preferred_lft forever 3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000 link/ether 00:21:85:16:2d:0c brd ff:ff:ff:ff:ff:ff 4: vmnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:50:56:c0:00:01 brd ff:ff:ff:ff:ff:ff inet 172.16.243.1/24 brd 172.16.243.255 scope global vmnet1 valid_lft forever preferred_lft forever inet6 fe80::250:56ff:fec0:1/64 scope link valid_lft forever preferred_lft forever 5: vmnet8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000 link/ether 00:50:56:c0:00:08 brd ff:ff:ff:ff:ff:ff inet 192.168.74.1/24 brd 192.168.74.255 scope global vmnet8 valid_lft forever preferred_lft forever inet6 fe80::250:56ff:fec0:8/64 scope link valid_lft forever preferred_lft forever Telcontar:~ # ip route default via 192.168.1.1 dev eth0 127.0.0.0/8 dev lo scope link 169.254.0.0/16 dev eth0 scope link 172.16.243.0/24 dev vmnet1 proto kernel scope link src 172.16.243.1 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.14 192.168.74.0/24 dev vmnet8 proto kernel scope link src 192.168.74.1 Telcontar:~ # -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. [17.03.2016 09:47]:
How can it be that a server type machine, after 22 hours running continuously since boot, has ntp still in INIT state?
I noticed it when running "rcntp status" on another machine in the same LAN:
Telcontar:~ # rcntp status
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l 1266   64    0    0.000    0.000   0.000
 AmonLanc.valino .INIT.          16 u    - 1024    0    0.000    0.000   0.000
...
That says that it considers my local server, AmonLanc.valinor, to be stratum 16, unreliable!
AmonLanc:~ # systemctl status ntpd.service
ntp.service - LSB: Network time protocol daemon (ntpd)
   Loaded: loaded (/etc/init.d/ntp)
  Drop-In: /run/systemd/generator/ntp.service.d
           └─50-insserv.conf-$time.conf
   Active: active (running) since Wed 2016-03-16 11:38:56 CET; 22h ago
  Process: 2193 ExecStart=/etc/init.d/ntp start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ntp.service
           └─2253 /usr/sbin/ntpd -p /var/run/ntp/ntpd.pid -g -u ntp:ntp -i /var/lib/ntp -c /etc/ntp.conf

Mar 16 11:38:56 AmonLanc ntpd[2251]: ntpd 4.2.6p5@1.2349-o Mon Apr 20 13:44:53 UTC 2015 (1)
Mar 16 11:38:56 AmonLanc ntp[2193]: Starting network time protocol daemon (NTPD)..done
Mar 16 11:38:56 AmonLanc ntpd[2253]: proto: precision = 0.389 usec
Mar 16 11:38:56 AmonLanc ntpd[2253]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Mar 16 11:38:56 AmonLanc systemd[1]: Started LSB: Network time protocol daemon (ntpd).
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen and drop on 1 v6wildcard :: UDP 123
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen normally on 2 lo 127.0.0.1 UDP 123
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen normally on 3 eth0 192.168.1.15 UDP 123
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen normally on 4 eth0 fe80::203:dff:fe05:17fc UDP 123
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listen normally on 5 lo ::1 UDP 123
Mar 16 11:38:56 AmonLanc ntpd[2253]: peers refreshed
Mar 16 11:38:56 AmonLanc ntpd[2253]: Listening on routing socket on fd #22 for interface updates
Mar 16 11:38:56 AmonLanc ntpd[2253]: logging to file /var/log/ntp
AmonLanc:~ #
The ntp log only contains this for the current session:
16 Mar 11:27:18 ntpd[2640]: ntpd exiting on signal 15
16 Mar 11:32:45 ntpd[2295]: 0.0.0.0 c016 06 restart
16 Mar 11:32:45 ntpd[2295]: 0.0.0.0 c012 02 freq_set kernel -39.538 PPM
16 Mar 11:32:51 ntpd[2295]: Listen normally on 6 eth0 fc00::203:dff:fe05:17fc UDP 123
16 Mar 11:32:51 ntpd[2295]: Listen normally on 7 eth0 fc00::5856:d05c:16a3:8e16 UDP 123
16 Mar 11:32:51 ntpd[2295]: peers refreshed
16 Mar 11:32:51 ntpd[2295]: new interface(s) found: waking up resolver
16 Mar 11:35:03 ntpd[2295]: ntpd exiting on signal 15
16 Mar 11:38:57 ntpd[2253]: 0.0.0.0 c016 06 restart
16 Mar 11:38:57 ntpd[2253]: 0.0.0.0 c012 02 freq_set kernel -39.538 PPM
16 Mar 11:39:06 ntpd[2253]: Listen normally on 6 eth0 fc00::21e9:7f82:3220:fcad UDP 123
16 Mar 11:39:06 ntpd[2253]: Listen normally on 7 eth0 fc00::203:dff:fe05:17fc UDP 123
16 Mar 11:39:06 ntpd[2253]: peers refreshed
16 Mar 11:39:06 ntpd[2253]: new interface(s) found: waking up resolver
16 Mar 11:42:15 ntpd[2253]: 0.0.0.0 c615 05 clock_sync
I don't know at this moment how to find out what is happening.
Well, because its status is '.INIT.', it has not been reached yet (reach = 0).

# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
============================================================================
*ntp.intranet.uf .PZF.            1 u  163  256  377    0.606    1.277   0.326

When a time server has been reached, the stratum is set to the appropriate value. In this case, our company's server is marked with "1" since it does not contain an atomic clock :) but it looks at the DCF77 signal in Germany (which is stratum 0)
I'm using 13.1.
/me on leap. Regards, Werner -- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2016-03-17 10:13, Werner Flamme wrote:
Carlos E. R. [17.03.2016 09:47]:
Well, because its status is '.INIT.', it has not been reached yet (reach = 0).
Sorry, what does "reached" mean in this context? You mean that there is no connectivity? That can't be.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2016-03-17 10:16, Carlos E. R. wrote:
On 2016-03-17 10:13, Werner Flamme wrote:
Carlos E. R. [17.03.2016 09:47]:
Well, because its status is '.INIT.', it has not been reached yet (reach = 0).
Sorry, what does "reached" mean in this context?
You mean that there is no connectivity? That can't be.
It must be this configuration paragraph:

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust

So I need to add that crypto auth. How? :-?

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
It must be this configuration paragraph:
# Clients from this (example!) subnet have unlimited access, but only
# if cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
So I need to add that crypto auth. How? :-?
In ntp, that's probably done by adding a key to /etc/ntp.keys:

<k> M sometexttexttexttext (max 20 I think).

The key needs to be configured on both ends.

Why not just comment out that restrict?

--
Per Jessen, Zürich (3.2°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2016-03-17 10:29, Per Jessen wrote:
Carlos E. R. wrote:
It must be this configuration paragraph:
# Clients from this (example!) subnet have unlimited access, but only
# if cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
So I need to add that crypto auth. How? :-?
In ntp, that's probably done by adding a key to /etc/ntp.keys:
<k> M sometexttexttexttext (max 20 I think).
The key needs to be configured on both ends.
Why not just comment out that restrict?
There was a vulnerability some time ago and that was recommended.

Actually, I do not need to give full access to the LAN. I just need access to time clients.

This is the full config paragraph:

# Access control configuration; see /usr/share/doc/packages/ntp/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust

I understand it allows access to clients :-?

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. [17.03.2016 10:32]:
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
I understand it allows access to clients :-?
So do I. But the clients must be "cryptographically authenticated". You have to create an identical entry in the "ntp.keys" file on time server and its clients. Plus, you have to configure the clients to use this key when querying the server. According to ntpd's manpage, this is done by using the "key" option on the "server" line, like

server AmonLanc.valino iburst key 5

when the key got the number 5 in your "ntp.keys" file.

Regards,
Werner
Carlos E. R. wrote:
This is the full config paragraph:
# Access control configuration; see
# /usr/share/doc/packages/ntp/html/accopt.html for
# details. The web page
# <http://support.ntp.org/bin/view/Support/AccessRestrictions> might
# also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a
# configuration that might be intended to block requests from certain
# clients could also end up blocking replies from your own upstream
# servers.

# By default, exchange time with everybody, but don't allow
# configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only
# if cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
I understand it allows access to clients :-?
If I read it correctly, it says that this client will only accept time information from 192.168.1.0 when it's authenticated. Authenticated = both server and client use the same key.

--
Per Jessen, Zürich (3.9°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2016-03-17 10:59, Per Jessen wrote:
Carlos E. R. wrote:
This is the full config paragraph:
# Access control configuration; see
# /usr/share/doc/packages/ntp/html/accopt.html for
# details. The web page
# <http://support.ntp.org/bin/view/Support/AccessRestrictions> might
# also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a
# configuration that might be intended to block requests from certain
# clients could also end up blocking replies from your own upstream
# servers.

# By default, exchange time with everybody, but don't allow
# configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only
# if cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
I understand it allows access to clients :-?
If I read it correctly, it says that this client will only accept time information from 192.168.1.0 when it's authenticated. Authenticated = both server and client use the same key.
No, I understand it allows time exchange without authentication with anybody in the world, and admin access on the LAN with authentication.

Unless the rule:

restrict -4 default kod notrap nomodify nopeer noquery

is negated by the later rule:

restrict 192.168.1.0 mask 255.255.255.0 notrust

:-?

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. [17.03.2016 12:26]:
On 2016-03-17 10:59, Per Jessen wrote:
Carlos E. R. wrote:
This is the full config paragraph:
# Access control configuration; see
# /usr/share/doc/packages/ntp/html/accopt.html for
# details. The web page
# <http://support.ntp.org/bin/view/Support/AccessRestrictions> might
# also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a
# configuration that might be intended to block requests from certain
# clients could also end up blocking replies from your own upstream
# servers.

# By default, exchange time with everybody, but don't allow
# configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only
# if cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
I understand it allows access to clients :-?
If I read it correctly, it says that this client will only accept time information from 192.168.1.0 when it's authenticated. Authenticated = both server and client use the same key.
No, I understand it allows time exchange without authentication with anybody in the world, and admin access on the LAN with authentication.
Unless the rule:
restrict -4 default kod notrap nomodify nopeer noquery
is negated by the later rule:
restrict 192.168.1.0 mask 255.255.255.0 notrust
:-?
I'd remove the "restrict" line and check whether it works afterwards :) The default line says nothing about authentication. But, as you already quoted, "Clients from this (example!) subnet have unlimited access, but only if cryptographically authenticated.".

Werner
On Thursday, 2016-03-17 at 12:26 +0100, Carlos E. R. wrote:
On 2016-03-17 10:59, Per Jessen wrote:
I understand it allows access to clients :-?
If I read it correctly, it says that this client will only accept time information from 192.168.1.0 when it's authenticated. Authenticated = both server and client use the same key.
No, I understand it allows time exchange without authentication with anybody in the world, and admin access on the LAN with authentication.
Unless the rule:
restrict -4 default kod notrap nomodify nopeer noquery
is negated by the later rule:
restrict 192.168.1.0 mask 255.255.255.0 notrust
:-?
I commented out that last line on both machines, and now both use the other local machine, with stratum 3. So no need for that iptables output.

--
Cheers,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
On 2016-03-17 10:59, Per Jessen wrote:
Carlos E. R. wrote:
This is the full config paragraph:
[snip]
# By default, exchange time with everybody, but don't allow
# configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but
# only if cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
I understand it allows access to clients :-?
If I read it correctly, it says that this client will only accept time information from 192.168.1.0 when it's authenticated. Authenticated = both server and client use the same key.
No, I understand it allows time exchange without authentication with anybody in the world, and admin access on the LAN with authentication.
Unless the rule:
restrict -4 default kod notrap nomodify nopeer noquery
That one sets the default restrictions for IPv4.
is negated by the later rule:
restrict 192.168.1.0 mask 255.255.255.0 notrust
Not negated, but it overrides your default.

--
Per Jessen, Zürich (11.3°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
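The override discussed in the message above, as an added example that is not part of the thread: a simplified Python model of how ntpd selects the restrict entry for a source address, where the most specific matching entry wins and its flags replace the default's rather than adding to them. The function names and the sample client addresses are assumptions made for this illustration; the restrict lines are the ones quoted in the thread, and only time packets are modelled.

```python
import ipaddress

# The restrict lines quoted in the thread (openSUSE 13.1 ntp.conf section).
NTP_CONF = """\
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.1.0 mask 255.255.255.0 notrust
"""

# Same file with the subnet line commented out, as done at the end of the thread.
FIXED_CONF = NTP_CONF.replace("restrict 192.168.1.0", "# restrict 192.168.1.0")


def parse_restrict(conf):
    """Return a list of (network, flags) for every active 'restrict' line."""
    entries = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments
        if not words or words[0] != "restrict":
            continue
        args = words[1:]
        family = args.pop(0) if args and args[0] in ("-4", "-6") else None
        addr = args.pop(0)
        mask = None
        if len(args) >= 2 and args[0] == "mask":
            mask, args = args[1], args[2:]
        if addr == "default":
            nets = []
            if family in (None, "-4"):
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            if family in (None, "-6"):
                nets.append(ipaddress.ip_network("::/0"))
        elif mask:
            nets = [ipaddress.ip_network(f"{addr}/{mask}")]
        else:
            nets = [ipaddress.ip_network(addr)]  # single host entry
        entries.extend((net, frozenset(args)) for net in nets)
    return entries


def effective_flags(entries, source):
    """Pick the most specific entry containing 'source'; only its flags apply."""
    ip = ipaddress.ip_address(source)
    matches = [(net, flags) for net, flags in entries
               if net.version == ip.version and ip in net]
    if not matches:
        return None, frozenset()
    return max(matches, key=lambda m: m[0].prefixlen)


def decide(entries, source, authenticated=False):
    """Verdict for a time packet (request or reply) arriving from 'source'."""
    _, flags = effective_flags(entries, source)
    if "ignore" in flags:
        return "drop: ignore"
    if "noserve" in flags:
        return "drop: noserve"
    if "notrust" in flags and not authenticated:
        return "drop: notrust"   # unauthenticated packet, peer never becomes reachable
    return "accept"


ENTRIES = parse_restrict(NTP_CONF)
FIXED = parse_restrict(FIXED_CONF)

if __name__ == "__main__":
    # 192.168.1.14 / .15 are the two LAN hosts from the thread;
    # 203.0.113.7 is a constructed "internet" address.
    for label, entries in (("original", ENTRIES), ("fixed", FIXED)):
        for src in ("192.168.1.14", "192.168.1.15", "203.0.113.7", "127.0.0.1"):
            net, flags = effective_flags(entries, src)
            print(f"{label:8} {src:14} via {str(net):16} "
                  f"flags={sorted(flags)} -> {decide(entries, src)}")
```

With the original lines, a LAN host matches only the /24 entry, so it carries `notrust` but none of the default's `noquery`/`nomodify` flags, while any address outside the LAN falls through to the default and is served without authentication.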
On 2016-03-17 16:22, Per Jessen wrote:
Carlos E. R. wrote:
Unless the rule:
restrict -4 default kod notrap nomodify nopeer noquery
That one sets the default restrictions for IPv4.
is negated by the later rule:
restrict 192.168.1.0 mask 255.255.255.0 notrust
Not negated, but it overrides your default.
Yes, I had to disable that line, and now my ntp server is working correctly:

Telcontar:~ # rcntp status
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   52   64    1    0.000    0.000   0.002
*AmonLanc.valino 37.187.56.220    3 u   41   64    1    0.269    0.027   0.013  <===
 hora.ngn.rima-t 172.20.47.7      5 u   50   64    1   14.781   -7.252   0.002
 ntp.redimadrid. 193.147.107.33   2 u   49   64    1   18.979    1.641   0.002
 de1.ntp.trinler 36.224.68.195    2 u   48   64    1   53.385    1.676   0.002
 i2t15.i2t.ehu.e .GPS.            1 u   47   64    1   34.798    1.761   0.002
....

That rule I had is default in the ntp config. It is absurd to disable local time queries for non authenticated clients on the local LAN, when any client on the whole internet has access.

I should have to check what is the default on Leap, and then perhaps report a bug.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. [18.03.2016 10:27]:
On 2016-03-17 16:22, Per Jessen wrote:
Carlos E. R. wrote:
Unless the rule:
restrict -4 default kod notrap nomodify nopeer noquery
That one sets the default restrictions for IPv4.
is negated by the later rule:
restrict 192.168.1.0 mask 255.255.255.0 notrust
Not negated, but it overrides your default.
Yes, I had to disable that line, and now my ntp server is working correctly:
Telcontar:~ # rcntp status
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        .LOCL.          10 l   52   64    1    0.000    0.000   0.002
*AmonLanc.valino 37.187.56.220    3 u   41   64    1    0.269    0.027   0.013  <===
 hora.ngn.rima-t 172.20.47.7      5 u   50   64    1   14.781   -7.252   0.002
 ntp.redimadrid. 193.147.107.33   2 u   49   64    1   18.979    1.641   0.002
 de1.ntp.trinler 36.224.68.195    2 u   48   64    1   53.385    1.676   0.002
 i2t15.i2t.ehu.e .GPS.            1 u   47   64    1   34.798    1.761   0.002
....
That rule I had is default in the ntp config. It is absurd to disable local time queries for non authenticated clients on the local LAN, when any client on the whole internet has access.
I should have to check what is the default on Leap, and then perhaps report a bug.
The default in Leap is "By default, exchange time with everybody, but don't allow configuration." and "Local users may interrogate the ntp server more closely.". The line "restrict ... notrust" is a comment only and is meant as an example. And there is also the section

# Access control configuration; see /usr/share/doc/packages/ntp/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

I don't see a reason to file a bug. The restriction that caused the malfunction was delivered as a comment.

Werner
On 2016-03-18 12:18, Werner Flamme wrote:
Carlos E. R. [18.03.2016 10:27]:
I don't see a reason to file a bug. The restriction that caused the malfunction was delivered as a comment.
Right. Only that the comment doesn't say that the line will disable any kind of access in your own LAN for plain clients.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On Fri, Mar 18, 2016 at 2:22 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On 2016-03-18 12:18, Werner Flamme wrote:
Carlos E. R. [18.03.2016 10:27]:
I don't see a reason to file a bug. The restriction that caused the malfunction was delivered as a comment.
Right. Only that the comment doesn't say that the line will disable any kind of access in your own LAN for plain clients.
a) it does not disable anything if used correctly
b) it is a comment in an example configuration file; it does not replace the ntpd manual. You are still supposed to read the fine manuals, not blindly enabling every example line you found
On Friday, 2016-03-18 at 14:35 +0300, Andrei Borzenkov wrote:
On Fri, Mar 18, 2016 at 2:22 PM, Carlos E. R. <> wrote:
Right. Only that the comment doesn't say that the line will disable any kind of access in your own LAN for plain clients.
a) it does not disable anything if used correctly
Yes, it does. It is absurd to require authentication for just asking for the time, for local clients, when a client on internet does get that access. The example is bad, it should allow the same access it does for Internet clients on the LAN, and require authentication for other things.
b) it is comment in example configuration file; it does not replace ntpd manual. You are still supposed to read the fine manuals, not blindly enabling every example line you found
I read the manual to find the examples :-p

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On Fri, Mar 18, 2016 at 3:08 PM, Carlos E. R. <robin.listas@telefonica.net> wrote:
On Friday, 2016-03-18 at 14:35 +0300, Andrei Borzenkov wrote:
On Fri, Mar 18, 2016 at 2:22 PM, Carlos E. R. <> wrote:
Right. Only that the comment doesn't say that the line will disable any kind of access in your own LAN for plain clients.
a) it does not disable anything if used correctly
Yes, it does.
Doctor, it hurts when I stab myself in the eye ...
Carlos E. R. [18.03.2016 12:22]:
On 2016-03-18 12:18, Werner Flamme wrote:
Carlos E. R. [18.03.2016 10:27]:
I don't see a reason to file a bug. The restriction that caused the malfunction was delivered as a comment.
Right. Only that the comment doesn't say that the line will disable any kind of access in your own LAN for plain clients.
For me,

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

does say so.

Werner
On Friday, 2016-03-18 at 12:35 +0100, Werner Flamme wrote:
Carlos E. R. [18.03.2016 12:22]:
On 2016-03-18 12:18, Werner Flamme wrote:
Carlos E. R. [18.03.2016 10:27]:
I don't see a reason to file a bug. The restriction that caused the malfunction was delivered as a comment.
Right. Only that the comment doesn't say that the line will disable any kind of access in your own LAN for plain clients.
For me,
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
does say so.
Not to me, sorry :-)

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
On 2016-03-17 16:22, Per Jessen wrote:
Carlos E. R. wrote:
Unless the rule:
restrict -4 default kod notrap nomodify nopeer noquery
That one sets the default restrictions for IPv4.
is negated by the later rule:
restrict 192.168.1.0 mask 255.255.255.0 notrust
That rule I had is default in the ntp config.
I don't think so. I don't use authentication on our internal network, and I've never had to remove or comment out that restriction. (never= at least since 11.x).
It is absurd to disable local time queries for non authenticated clients on the local LAN, when any client on the whole internet has access.
That restriction works the other way though - it restricts time info from unauthenticated _servers_. It's more important for the client to know that it's getting the time info from the correct server.
I should have to check what is the default on Leap, and then perhaps report a bug.
These are the current defaults - except in the "restrict -[46]" lines where I've removed "nopeer":

Leap421:
office34:~ # egrep '^#?restrict' /etc/ntp.conf
#restrict 192.168.123.0 mask 255.255.255.0 notrust
restrict -4 default notrap nomodify noquery
restrict -6 default notrap nomodify noquery
restrict 127.0.0.1
restrict ::1

openSUSE 13.2:
guest54:~ # egrep '^#?restrict' /etc/ntp.conf
#restrict 192.168.123.0 mask 255.255.255.0 notrust
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify noquery
restrict 127.0.0.1
restrict ::1

openSUSE 13.1:
office11:~ # egrep '^#?restrict' /etc/ntp.conf
restrict -4 default kod notrap nomodify noquery
restrict -6 default kod notrap nomodify noquery
restrict 127.0.0.1
restrict ::1

On 12.3, ntp.conf had no restrict lines at all, I guess that was before the DDoS attack waves.

--
Per Jessen, Zürich (8.3°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Friday, 2016-03-18 at 12:25 +0100, Per Jessen wrote:
On 12.3, ntp.conf had no restrict lines at all, I guess that was before the DDoS attack waves.
Yep.

--
Cheers,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. [17.03.2016 10:23]:
On 2016-03-17 10:16, Carlos E. R. wrote:
On 2016-03-17 10:13, Werner Flamme wrote:
Carlos E. R. [17.03.2016 09:47]:
Well, because its status is '.INIT.', it has not been reached yet (reach = 0).
Sorry, what means "reached" in this context?
You mean that there is no connectivity? That can't be.
Yes, that's what I mean. It does not necessarily mean that the host itself is not reached, but it means that there are no ntp packets transmitted/received.
It must be this configuration paragraph:
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.168.1.0 mask 255.255.255.0 notrust
So I need to add that crypto auth. How? :-?
I do not use any crypto auth. So I can't give any hints here. Except that there is an "Authentication stuff" paragraph in my ntp.conf containing the configuration of keys that must be used to authenticate among the hosts.

Werner