What do I need to do to adjust SuSEFirewall2 to allow ntp connections to correct my local clock?
I have xntpd running and have set locations to check the clock. But I am getting the following ??UNALLOWED?? entries in my firewall log:
this is ONE line:
Jul 30 08:00:13 wahoo kernel: SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC=00:**mac address**:00 SRC=24.30.200.3 DST=192.168.0.2 LEN=188 TOS=0x00 PREC=0x00 TTL=246 ID=34023 DF PROTO=UDP SPT=53 DPT=1027 LEN=168
Doesn't this mean that the firewall is not allowing access? & How do I change to allow updating my clock??
tks,
-- Patrick Shanahan Registered Linux User #207535 @ http://counter.li.org
On Tue, Jul 30, 2002 at 07:16:12PM -0500, wideglide@myrealbox.com wrote:
What do I need to do to adjust SuSEFirewall2 to allow ntp connections to correct my local clock?
I have xntpd running and have set locations to check the clock. But I am getting the following ??UNALLOWED?? entries in my firewall log:
this is ONE line:
Jul 30 08:00:13 wahoo kernel: SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC=00:**mac address**:00 SRC=24.30.200.3 DST=192.168.0.2 LEN=188 TOS=0x00 PREC=0x00 TTL=246 ID=34023 DF PROTO=UDP SPT=53 DPT=1027 LEN=168
This does not look like ntp traffic. Judging by source port number it's DNS.
Doesn't this mean that the firewall is not allowing access? & How do I change to allow updating my clock??
One possible solution is to put your NTP server(s) into FW_TRUSTED_NETS variable:
FW_TRUSTED_NETS="<ntp server IP>,udp,ntp"
Regards,
-Kastus
* Konstantin (Kastus) Shchuka <kastus@tsoft.com> [07-30-02 20:04]:
On Tue, Jul 30, 2002 at 07:16:12PM -0500, wideglide@myrealbox.com wrote:
What do I need to do to adjust SuSEFirewall2 to allow ntp connections to correct my local clock?
I have xntpd running and have set locations to check the clock. But I am getting the following ??UNALLOWED?? entries in my firewall log:
this is ONE line:
Jul 30 08:00:13 wahoo kernel: SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC=00:**mac address**:00 SRC=24.30.200.3 DST=192.168.0.2 LEN=188 TOS=0x00 PREC=0x00 TTL=246 ID=34023 DF PROTO=UDP SPT=53 DPT=1027 LEN=168
This does not look like ntp traffic. Judging by source port number it's DNS.
OK, here's another address: 130.207.244.240 navobs1.gatech.edu
Doesn't this mean that the firewall is not allowing access? & How do I change to allow updating my clock??
One possible solution is to put your NTP server(s) into FW_TRUSTED_NETS variable:
FW_TRUSTED_NETS="<ntp server IP>,udp,ntp"
Tried this, edited /etc/rc.config.d/firewall2.rc.config and restarted rcSuSEfirewall2, but then:
pat@wahoo:~> su1 rcxntpd restart
Shutting network time protocol daemon (NTPD)          done
Try to set initial date and time via NTP              failed
Starting network time protocol daemon (NTPD)          done
Changed FW_TRUSTED_NETS="" restarted firewall2 and now the NTP shows "done"
Am I worrying about NOTHING ??
-- Patrick Shanahan Registered Linux User #207535 @ http://counter.li.org
On Tue, 30 Jul 2002 18:01:25 -0700 "Konstantin (Kastus) Shchuka" <kastus@tsoft.com> wrote:
Doesn't this mean that the firewall is not allowing access? & How do I change to allow updating my clock??
One possible solution is to put your NTP server(s) into FW_TRUSTED_NETS variable:
FW_TRUSTED_NETS="<ntp server IP>,udp,ntp"
This solution worked for me. I have a question though, why doesn't FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain time ntp" do the job?
-- use Perl; #powerful programmable prestidigitation
On 07/30/02 19:16:12, wideglide@myrealbox.com wrote:
What do I need to do to adjust SuSEFirewall2 to allow ntp connections to correct my local clock?
I have xntpd running and have set locations to check the clock. But I am getting the following ??UNALLOWED?? entries in my firewall log:
I ran into this problem a few months ago. What I found was that xntpd was communicating with the NTP server using port 123 as both the source and destination port. To allow this through SuSEFirewall2 I put the following entry in the firewall2-custom.rc.config file located in /etc/rc.config.d.
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p udp --sport ntp --dport ntp
this is ONE line:
Jul 30 08:00:13 wahoo kernel: SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC=00:**mac address**:00 SRC=24.30.200.3 DST=192.168.0.2 LEN=188 TOS=0x00 PREC=0x00 TTL=246 ID=34023 DF PROTO=UDP SPT=53 DPT=1027 LEN=168
This log entry is a firewall denied packet related to a DNS query. Notice "SPT=53"? This means the packet was sent from the DNS service on the 24.30.200.3 box.
--rickey
Doesn't this mean that the firewall is not allowing access? & How do I change to allow updating my clock??
tks, -- Patrick Shanahan Registered Linux User #207535 @ http://counter.li.org
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com
* Rickey Ingrassia <r1ckey@attbi.com> [07-30-02 21:27]:
On 07/30/02 19:16:12, wideglide@myrealbox.com wrote:
What do I need to do to adjust SuSEFirewall2 to allow ntp connections to correct my local clock?
I have xntpd running and have set locations to check the clock. But I am getting the following ??UNALLOWED?? entries in my firewall log:
I ran into this problem a few months ago. What I found was that xntpd was communicating with the NTP server using port 123 as both the source and destination port. To allow this through SuSEFirewall2 I put the following entry in the firewall2-custom.rc.config file located in /etc/rc.config.d.
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p udp --sport ntp --dport ntp
I added the line as you suggested and restarted firewall2. I no longer get the UNALLOWED entries in /var/log/firewall. Does this mean that everything is correct now??
this is ONE line:
Jul 30 08:00:13 wahoo kernel: SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC=00:**mac address**:00 SRC=24.30.200.3 DST=192.168.0.2 LEN=188 TOS=0x00 PREC=0x00 TTL=246 ID=34023 DF PROTO=UDP SPT=53 DPT=1027 LEN=168
This log entry is a firewall denied packet related to a DNS query. Notice "SPT=53"? This means the packet was sent from the DNS service on the 24.30.200.3 box.
Here is an UNALLOWED line with the ntp server address:
this is ONE line:
Jul 20 15:11:16 wahoo kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:**mac address**:00 SRC=130.207.244.240 DST=192.168.0.2 LEN=76 TOS=0x10 PREC=0x00 TTL=53 ID=57800 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Doesn't this mean that the firewall is not allowing access? & How do I change to allow updating my clock??
-- Patrick Shanahan Registered Linux User #207535 @ http://counter.li.org
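The two firewall entries quoted above differ only in their port pattern, which is what tells a DNS reply apart from an NTP exchange. As an added example (not from the thread or from SuSEfirewall2), here is a small Python parser for this log format that classifies each dropped packet and names the option discussed in the thread that governs it; the sample lines are constructed copies of the two posted entries with the MAC field replaced by a placeholder, and the remedy mapping is an assumption drawn from the posts, not from SuSEfirewall2 documentation.

```python
import re
from ipaddress import ip_address

# Constructed sample: the two entries quoted in this thread, MAC redacted.
SAMPLE_LOG = """\
Jul 30 08:00:13 wahoo kernel: SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC=REDACTED SRC=24.30.200.3 DST=192.168.0.2 LEN=188 TOS=0x00 PREC=0x00 TTL=246 ID=34023 DF PROTO=UDP SPT=53 DPT=1027 LEN=168
Jul 20 15:11:16 wahoo kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=REDACTED SRC=130.207.244.240 DST=192.168.0.2 LEN=76 TOS=0x10 PREC=0x00 TTL=53 ID=57800 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""

LINE_RE = re.compile(r"kernel: (SuSE-FW-[A-Z-]+) (.*)$")
FIELD_RE = re.compile(r"(?<!\S)([A-Z]+)=(\S*)")   # KEY=value tokens; "DF" has no "=" and is skipped

def parse_line(line):
    """Return a dict of the entry's fields plus its SuSE-FW prefix, or None if not a firewall entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group(1)}
    for key, val in FIELD_RE.findall(m.group(2)):
        fields.setdefault(key, val)   # LEN= appears twice (IP and UDP header); keep the first
    return fields

def classify(f):
    """Name the traffic a dropped packet most likely belongs to, judged by its port pattern."""
    if f.get("PROTO") != "UDP":
        return "other"
    spt, dpt = int(f["SPT"]), int(f["DPT"])
    if spt == 53 and dpt >= 1024:
        return "dns-reply"        # answer to a query the resolver sent from a high port
    if spt == 123 and dpt == 123:
        return "ntp-symmetric"    # ntpd talking to a server from port 123 to port 123
    if spt == 123 and dpt >= 1024:
        return "ntp-reply"        # reply to a client-style query sent from a high port
    return "other"

# Option suggested in this thread for each kind (assumption based on the posts).
REMEDY = {
    "dns-reply":     'FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS ..."',
    "ntp-reply":     'FW_ALLOW_INCOMING_HIGHPORTS_UDP="... ntp"',
    "ntp-symmetric": "custom rule in firewall2-custom.rc.config (--sport ntp --dport ntp)",
}

def summarize(log_text):
    """One row per firewall entry: prefix, endpoints, classification, and the matching option."""
    rows = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        kind = classify(f)
        rows.append({"prefix": f["prefix"], "src": f["SRC"], "dst": f["DST"],
                     "private_dst": ip_address(f["DST"]).is_private,  # RFC1918 LAN address of the host itself
                     "kind": kind, "remedy": REMEDY.get(kind, "inspect manually")})
    return rows
```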
On 07/30/02 22:32:03, SuSEnixER <WideGlide@MyRealBox.com> wrote:
* Rickey Ingrassia <r1ckey@attbi.com> [07-30-02 21:27]:
On 07/30/02 19:16:12, wideglide@myrealbox.com wrote:
What do I need to do to adjust SuSEFirewall2 to allow ntp connections to correct my local clock?
I have xntpd running and have set locations to check the clock. But I am getting the following ??UNALLOWED?? entries in my firewall log:
I ran into this problem a few months ago. What I found was that xntpd was communicating with the NTP server using port 123 as both the source and destination port. To allow this through SuSEFirewall2 I put the following entry in the firewall2-custom.rc.config file located in /etc/rc.config.d.
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p udp --sport ntp --dport ntp
I added the line as you suggested and restarted firewall2. I no longer get the UNALLOWED entries in /var/log/firewall. Does this mean that everything is correct now??
Go into the ntpdc shell by typing "ntpdc". Once in the ntpdc shell, enter the command "peers". An "*" next to a peer indicates that it is the primary clock source and is sync'd. Also, all the status fields should be populated. Below is my output:
[rickey@weasel rickey]$ ntpdc
ntpdc> peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
*bigben.ucsd.edu 12.233.85.222    2 1024  377 0.03812 -0.030108 0.01125
=Gabe.KJSL.COM   12.233.85.222    2 1024  377 0.03104 -0.029186 0.01172
ntpdc> q
[rickey@weasel rickey]$
--rickey
this is ONE line:
Jul 30 08:00:13 wahoo kernel: SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC=00:**mac address**:00 SRC=24.30.200.3 DST=192.168.0.2 LEN=188 TOS=0x00 PREC=0x00 TTL=246 ID=34023 DF PROTO=UDP SPT=53 DPT=1027 LEN=168
This log entry is a firewall denied packet related to a DNS query. Notice "SPT=53"? This means the packet was sent from the DNS service on the 24.30.200.3 box.
Here is an UNALLOWED line with the ntp server address:
this is ONE line:
Jul 20 15:11:16 wahoo kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:**mac address**:00 SRC=130.207.244.240 DST=192.168.0.2 LEN=76 TOS=0x10 PREC=0x00 TTL=53 ID=57800 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Doesn't this mean that the firewall is not allowing access? & How do I change to allow updating my clock??
-- Patrick Shanahan Registered Linux User #207535 @ http://counter.li.org
* Rickey Ingrassia <r1ckey@attbi.com> [07-30-02 23:22]:
On 07/30/02 22:32:03, SuSEnixER <WideGlide@MyRealBox.com> wrote:
* Rickey Ingrassia <r1ckey@attbi.com> [07-30-02 21:27]:
On 07/30/02 19:16:12, wideglide@myrealbox.com wrote:
What do I need to do to adjust SuSEFirewall2 to allow ntp connections to correct my local clock?
I have xntpd running and have set locations to check the clock. But I am getting the following ??UNALLOWED?? entries in my firewall log:
I ran into this problem a few months ago. What I found was that xntpd was communicating with the NTP server using port 123 as both the source and destination port. To allow this through SuSEFirewall2 I put the following entry in the firewall2-custom.rc.config file located in /etc/rc.config.d.
iptables -A input_ext -j ACCEPT -m state --state ESTABLISHED,RELATED -p udp --sport ntp --dport ntp
I added the line as you suggested and restarted firewall2. I no longer get the UNALLOWED entries in /var/log/firewall. Does this mean that everything is correct now??
Go into the ntpdc shell by typing "ntpdc". Once in the ntpdc shell, enter the command "peers". An "*" next to a peer indicates that it is the primary clock source and is sync'd. Also, all the status fields should be populated. Below is my output:
[rickey@weasel rickey]$ ntpdc
ntpdc> peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
*bigben.ucsd.edu 12.233.85.222    2 1024  377 0.03812 -0.030108 0.01125
=Gabe.KJSL.COM   12.233.85.222    2 1024  377 0.03104 -0.029186 0.01172
ntpdc> q
[rickey@weasel rickey]$
I get:
ntpdc> peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=time.nist.gov   5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=molecule.ecn.pu 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=harbor.ecn.purd 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=gilbreth.ecn.pu 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=darkcity.cerias 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=argus.cso.uiuc. 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
ntpdc>
So I'm not getting time correction??
Firewall is not allowing communication ?? Where next & should we take this off-list?
tks,
-- Patrick Shanahan Registered Linux User #207535 @ http://counter.li.org
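The two "peers" listings above show the two states worth telling apart: Rickey's has a "*" system peer with reach 377, Patrick's has every peer at stratum 16 with reach 0, meaning no reply has ever come back. As an added example (not from the thread or from the ntp distribution), here is a Python parser for ntpdc "peers" output that reads those columns and reports which state the daemon is in; the sample listing is constructed from one line of each poster's output, and the "reach" field is decoded as the octal shift register ntpdc prints.

```python
import re
from dataclasses import dataclass

# Constructed sample: one unreachable peer (as in Patrick's listing) and one
# synchronised system peer (as in Rickey's), wrapped in the ntpdc prompt lines.
SAMPLE_PEERS = """\
ntpdc> peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=time.nist.gov   5.0.0.0         16   64    0 0.00000  0.000000 0.00000
*bigben.ucsd.edu 12.233.85.222    2 1024  377 0.03812 -0.030108 0.01125
ntpdc> q
"""

@dataclass
class Peer:
    tally: str      # "*" = system peer the clock is synced to; "=" = polled but not selected
    remote: str
    local: str
    stratum: int    # 16 = peer unreachable or not synchronised
    poll: int       # poll interval in seconds
    reach: int      # 8-bit register of the last eight polls (1 = reply received), printed in octal
    delay: float
    offset: float
    disp: float

    def responded(self) -> bool:
        return self.reach != 0

PEER_RE = re.compile(
    r"^([-*=+#. x])(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+([0-7]+)\s+"
    r"([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*$")

def parse_peers(text):
    """Return one Peer per data row; prompts, the header and the rule line do not match."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            t, remote, local, st, poll, reach, delay, offset, disp = m.groups()
            peers.append(Peer(t, remote, local, int(st), int(poll), int(reach, 8),
                              float(delay), float(offset), float(disp)))
    return peers

def diagnose(peers):
    """"synced" if a system peer is selected, "no-replies" if no poll ever got an answer."""
    if any(p.tally == "*" for p in peers):
        return "synced"
    if peers and not any(p.responded() for p in peers):
        return "no-replies"   # nothing came back from any server: check the firewall/network path
    return "polling"          # replies arrive but no system peer has been selected yet
```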
On 07/31/02 08:01:02, SuSEnixER <WideGlide@MyRealBox.com> wrote: --snip--
I get:
ntpdc> peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=time.nist.gov   5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=molecule.ecn.pu 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=harbor.ecn.purd 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=gilbreth.ecn.pu 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=darkcity.cerias 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=argus.cso.uiuc. 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
ntpdc>
So I'm not getting time correction??
Firewall is not allowing communication ?? Where next & should we take this off-list?
In your SuSEfirewall2 config (/etc/rc.config.d/firewall2.rc.config) try putting ntp as a "FW_ALLOW_INCOMING_HIGHPORTS_UDP" option.
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS ntp"
--rickey
tks, -- Patrick Shanahan Registered Linux User #207535 @ http://counter.li.org
* Rickey Ingrassia <r1ckey@attbi.com> [07-31-02 08:57]:
On 07/31/02 08:01:02, SuSEnixER <WideGlide@MyRealBox.com> wrote: --snip--
I get:
ntpdc> peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=time.nist.gov   5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=molecule.ecn.pu 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=harbor.ecn.purd 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=gilbreth.ecn.pu 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=darkcity.cerias 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
=argus.cso.uiuc. 5.0.0.0         16   64    0 0.00000  0.000000 0.00000
ntpdc>
So I'm not getting time correction??
Firewall is not allowing communication ?? Where next & should we take this off-list?
In your SuSEfirewall2 config (/etc/rc.config.d/firewall2.rc.config) try putting ntp as a "FW_ALLOW_INCOMING_HIGHPORTS_UDP" option.
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS ntp"
I already have:
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
-- Patrick Shanahan Registered Linux User #207535 @ http://counter.li.org
On Wednesday 31 July 2002 02.16, wideglide@myrealbox.com wrote:
this is ONE line:
Jul 30 08:00:13 wahoo kernel: SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC=00:**mac address**:00 SRC=24.30.200.3 DST=192.168.0.2 LEN=188 TOS=0x00 PREC=0x00 TTL=246 ID=34023 DF PROTO=UDP SPT=53 DPT=1027 LEN=168
Look at the destination address. That's a non-routable address. It looks like you have some sort of problem with masquerading. Are you able to do anything at all on the net from the machine with that ip?
* Anders Johansson <andjoh@cicada.linux-site.net> [07-30-02 21:31]:
On Wednesday 31 July 2002 02.16, wideglide@myrealbox.com wrote:
this is ONE line:
Jul 30 08:00:13 wahoo kernel: SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC=00:**mac address**:00 SRC=24.30.200.3 DST=192.168.0.2 LEN=188 TOS=0x00 PREC=0x00 TTL=246 ID=34023 DF PROTO=UDP SPT=53 DPT=1027 LEN=168
Look at the destination address. That's a non-routable address. It looks like you have some sort of problem with masquerading. Are you able to do anything at all on the net from the machine with that ip?
That is a DNS address. But I get the following from an ntp server:
this is one line:
Jul 20 15:11:16 wahoo kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:**mac address**:00 SRC=130.207.244.240 DST=192.168.0.2 LEN=76 TOS=0x10 PREC=0x00 TTL=53 ID=57800 DF PROTO=UDP SPT=123 DPT=123 LEN=56
This is a standalone machine behind a router <--> cable modem.
I know more about nuclear physics than I do firewalls, and I know nothing about nuclear physics past spelling it.
tks,
-- Patrick Shanahan Registered Linux User #207535 @ http://counter.li.org