RE: [SLUG] NTP problems

From: bfoxworth@fortresstech.com
Date: Thu Dec 27 2001 - 09:43:28 EST


On the ntp question, I sent a reply (which went to "slug@nks.net") but
it never appeared back to me from the list server, yesterday about 4 pm.

Usually when I send myself a :cc it gets posted. This time I did not
:cc myself. So I have to paraphrase it, since I assume no one saw it.
Murphy's law, etc.

Basically my question concerns the assumption that the client was
trying to get ntp services from the firewall. That is how I read the
original post. I never saw it mentioned that the firewall was running
the ntp server process. To do this, it would have to be peered with
a higher stratum server somewhere else.

I believe generally it is not good policy to run other server daemons
on firewalls, for vulnerability reasons (logging into or connecting to
firewalls over a net connection is not a great idea). You should run
the ntp server on another machine, just behind the firewall so all your
local clients can reach it, then just set the firewall to pass port 123.

The only reason to have your own ntp server is when you have many
clients in your shop, all of whom have to be sync'ed, and you don't
want all these requests flooding out over your net connection.

If you have just one or a few machines, choose a publicly-available
ntp server like "ntp.css.gov" or "tick.usno.navy.mil" and get your
service from him. All the literature at, I think it still is at
"louie.udel.edu", should explain that. Someone mentioned that point
yesterday.

To get back to the original question here, (1) confirm that the firewall
machine IS intended to offer ntp services to your requesting client,
and (2) if so, that the server on your firewall (probably stratum-3) is
correctly peering with a stratum-2 server somewhere else on the net.

Get a network sniffer on your local machine connection and see if the
request is going out, and to whom, and see if it is being answered by
anyone. Trying to debug this without a sniffer (ethereal, etc) is just
insane.

Bob F

> -----Original Message-----
> From: Paul Braman [SMTP:aeon@tampabay.rr.com]
> Sent: Wednesday, December 26, 2001 16:30
> To: slug@nks.net
> Subject: RE: [SLUG] NTP problems
>
>
> On Wed, 26 Dec 2001, Mikes work account wrote:
>
> > Does the fact that I am using ntpd and not xntpd make a difference?
>
> It might. I can't honestly say what might be the difference.
>
> You can check /usr/doc for any documentation that might have been
> installed with the software. Maybe that can point you at the best
> information. (Remember to check /var/log/messages and see if there are any
> hints there.)
>
>
> Paul Braman
> aeon@tampabay.rr.com
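
Added example, not part of the original message: a minimal decoder for the 48-byte NTP header, for reading the UDP port 123 payloads a sniffer captures and telling a client request from a synchronized or unsynchronized server reply. The three packets are constructed samples, and the function names and the 192.0.2.1 reference address are illustrative assumptions.

```python
import struct

HEADER = "!BBbbiI4s"          # first 16 bytes of the 48-byte NTP header
MODES = {1: "symmetric-active", 2: "symmetric-passive",
         3: "client", 4: "server", 5: "broadcast"}

def parse_ntp(payload: bytes) -> dict:
    """Decode the header fields of one UDP/123 payload."""
    if len(payload) < 48:
        raise ValueError(f"NTP header is 48 bytes, got {len(payload)}")
    flags, stratum, _poll, _prec, delay, disp, ref_id = struct.unpack(
        HEADER, payload[:16])
    return {
        "leap": flags >> 6,                  # 3 = clock not synchronized
        "version": (flags >> 3) & 0x7,
        "mode": MODES.get(flags & 0x7, "other"),
        "stratum": stratum,
        "root_delay_s": delay / 65536,       # 16.16 fixed point
        "root_dispersion_s": disp / 65536,
        "ref_id": ref_id,                    # upstream IPv4 for stratum >= 2
    }

def diagnose(pkt: dict) -> str:
    """Classify a decoded packet the way you would while reading a capture."""
    if pkt["mode"] == "client":
        return "request"
    if pkt["mode"] != "server":
        return "not a client/server exchange"
    if pkt["leap"] == 3 or pkt["stratum"] == 0 or pkt["stratum"] >= 16:
        return "reply from unsynchronized server"
    return f"reply from synchronized stratum-{pkt['stratum']} server"

def _packet(flags, stratum, delay, disp, ref_id):
    # Constructed sample: header fields followed by zeroed timestamps.
    return struct.pack(HEADER, flags, stratum, 6, -20, delay, disp, ref_id) + bytes(32)

# Constructed packets (NTP version 3), not taken from a real capture.
REQUEST = _packet(0x1B, 0, 0, 0, bytes(4))                # LI=0 VN=3 mode=3
GOOD_REPLY = _packet(0x1C, 3, 0x0800, 0x1000, bytes([192, 0, 2, 1]))  # mode=4
UNSYNCED_REPLY = _packet(0xDC, 0, 0, 0, b"INIT")          # LI=3 VN=3 mode=4

if __name__ == "__main__":
    for name, raw in [("request", REQUEST), ("good", GOOD_REPLY),
                      ("unsynced", UNSYNCED_REPLY)]:
        print(name, "->", diagnose(parse_ntp(raw)))
```

A request with no reply at all points at the firewall rule for port 123; a reply classed as unsynchronized points at the server's own upstream peering.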


