Re: NTP synchronized: no

> On Sep 9, 2015, at 3:47 PM, John Pilkington <J.Pilk@xxxxxxxxx> wrote:
> 
> On 09/09/15 23:43, Ed Greshko wrote:
>> On 09/10/15 06:18, John Pilkington wrote:
>>> ... and (on my SL7 box) # tcpdump port 123
>>> shows the outgoing probe and the response, for calculation of the transit time:
>>> 
>>> 23:01:55.706587 IP HP_Box.home.ntp > vpn.webersheim.de.ntp: NTPv3, Client, length 48
>>> 23:01:55.741872 IP vpn.webersheim.de.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
>>> 23:09:18.187249 IP HP_Box.home.ntp > 213.145.129.29.ntp: NTPv3, Client, length 48
>>> 23:09:18.323093 IP 213.145.129.29.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
>>> 23:12:00.892883 IP HP_Box.home.ntp > srv02.privatcloud.dk.ntp: NTPv3, Client, length 48
>>> 23:12:00.912962 IP srv02.privatcloud.dk.ntp > HP_Box.home.ntp: NTPv3, Server, length 48
>> 
>> Nice to know....  Yet you really should consider trimming.  Otherwise you'll start to prove top-posters right.  :-) :-)
>> 
> Yes: I wanted to show the contrast with the non-working log above, but should have trimmed the rest.
> 

Top posting is the only way to go :P But that’s for a late night drunken argument on IRC :P

For now I can validate that yes, indeed simply opening port 123 on the firewall was not enough (in fact, it’s not needed at all; I’ve subsequently removed it from iptables, and will do so from the ACL when I get back to the office). It looks like there has to be a stateful inspection of the packet going out, so that the NTP pool can respond to the client back on the same port, through the firewall. This most likely works for home and small business users as their routers are stateful. But it has to be set up for corporate routers, in my case with the commands I mentioned (and re-attached to the bottom of this email :) 

You can clearly see that the NTP pool is sending a packet from port 123 (ntp) back to the same unprivileged port it received the packet from.

The only reason to open port 123 inbound would be to act as an NTP server to other clients.

[root@www tripwire]# systemctl restart chronyd
[root@www tripwire]# tcpdump port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp14s0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:49:11.146312 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.50032: NTPv4, Server, length 48
15:49:11.282909 IP www.inksystemsinc.com.33805 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
15:49:11.295301 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.33805: NTPv4, Server, length 48
15:49:12.154596 IP www.inksystemsinc.com.37921 > cheri.shyou.org.ntp: NTPv4, Client, length 48
15:49:12.199266 IP cheri.shyou.org.ntp > www.inksystemsinc.com.37921: NTPv4, Server, length 48
15:49:12.355839 IP www.inksystemsinc.com.36254 > 23.99.222.162.ntp: NTPv4, Client, length 48
15:49:12.405257 IP 23.99.222.162.ntp > www.inksystemsinc.com.36254: NTPv3, Server, length 48
15:49:13.165008 IP www.inksystemsinc.com.45016 > 66-96-98-9.ccup.irmt.uplogon.net.ntp: NTPv4, Client, length 48
15:49:13.233225 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.45016: NTPv4, Server, length 48
15:49:13.366453 IP www.inksystemsinc.com.37220 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
15:49:13.378228 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.37220: NTPv4, Server, length 48
15:49:14.204110 IP www.inksystemsinc.com.44675 > cheri.shyou.org.ntp: NTPv4, Client, length 48
15:49:14.249188 IP cheri.shyou.org.ntp > www.inksystemsinc.com.44675: NTPv4, Server, length 48
15:49:14.432249 IP www.inksystemsinc.com.54356 > 23.99.222.162.ntp: NTPv4, Client, length 48
15:49:14.481175 IP 23.99.222.162.ntp > www.inksystemsinc.com.54356: NTPv3, Server, length 48
15:49:15.241817 IP www.inksystemsinc.com.50570 > 66-96-98-9.ccup.irmt.uplogon.net.ntp: NTPv4, Client, length 48
15:49:15.310147 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.50570: NTPv4, Server, length 48
15:49:15.445005 IP www.inksystemsinc.com.50433 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
15:49:15.457139 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.50433: NTPv4, Server, length 48
15:49:16.285339 IP www.inksystemsinc.com.60738 > cheri.shyou.org.ntp: NTPv4, Client, length 48
15:49:16.330519 IP cheri.shyou.org.ntp > www.inksystemsinc.com.60738: NTPv4, Server, length 48
15:49:16.489066 IP www.inksystemsinc.com.38469 > 23.99.222.162.ntp: NTPv4, Client, length 48
15:49:16.537935 IP 23.99.222.162.ntp > www.inksystemsinc.com.38469: NTPv3, Server, length 48
15:49:17.348502 IP www.inksystemsinc.com.51116 > 66-96-98-9.ccup.irmt.uplogon.net.ntp: NTPv4, Client, length 48
15:49:17.418904 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.51116: NTPv4, Server, length 48
15:49:17.549840 IP www.inksystemsinc.com.59677 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
15:49:17.561896 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.59677: NTPv4, Server, length 48

ROUTER CONFIG:

ISIR02#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
ISIR02(config)#ip inspect name ge01_out_fw udp
ISIR02(config)#interface gigabitEthernet 0/1.50
ISIR02(config-subif)#ip inspect ge01_out_fw out
ISIR02(config-subif)#exit
ISIR02(config)#exit
ISIR02#write mem
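An added check, written for this page and not taken from the thread or from the author's own setup: a small Python script that pairs each outgoing NTP Client packet in a `tcpdump port 123` capture with the Server reply addressed back to the same ephemeral source port. That (server, ephemeral port) pair is exactly the state a stateful firewall rule such as the `ip inspect ... udp` above has to remember, and a request that never gets its reply is what the broken "NTP synchronized: no" case looks like on the wire. The sample input reuses seven lines copied from the capture above plus one constructed request to ntp.example (an assumed hostname) that receives no reply.

```python
import re
import sys
from collections import OrderedDict

# Sample input for this example. The first seven lines are copied from the
# tcpdump capture in the mail above; the last line is constructed: a request
# to ntp.example (an assumed hostname) whose reply never comes back, which is
# what a firewall that drops the return packet looks like on the wire.
SAMPLE_CAPTURE = """\
15:49:11.146312 IP 66-96-98-9.ccup.irmt.uplogon.net.ntp > www.inksystemsinc.com.50032: NTPv4, Server, length 48
15:49:11.282909 IP www.inksystemsinc.com.33805 > palpatine.steven-mcdonald.id.au.ntp: NTPv4, Client, length 48
15:49:11.295301 IP palpatine.steven-mcdonald.id.au.ntp > www.inksystemsinc.com.33805: NTPv4, Server, length 48
15:49:12.154596 IP www.inksystemsinc.com.37921 > cheri.shyou.org.ntp: NTPv4, Client, length 48
15:49:12.199266 IP cheri.shyou.org.ntp > www.inksystemsinc.com.37921: NTPv4, Server, length 48
15:49:12.355839 IP www.inksystemsinc.com.36254 > 23.99.222.162.ntp: NTPv4, Client, length 48
15:49:12.405257 IP 23.99.222.162.ntp > www.inksystemsinc.com.36254: NTPv3, Server, length 48
15:49:13.000000 IP www.inksystemsinc.com.41234 > ntp.example.ntp: NTPv4, Client, length 48
"""

# One tcpdump line: timestamp, src-host.port > dst-host.port: NTPvN, mode, length.
# The port is printed as "ntp" without -n and as "123" with -n; both are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{1,6}) IP "
    r"(?P<src>\S+)\.(?P<sport>[^\s.]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^\s.:]+): "
    r"NTPv(?P<ver>\d), (?P<mode>Client|Server), length (?P<len>\d+)$"
)


def _micros(ts):
    """Timestamp 'HH:MM:SS.ffffff' -> integer microseconds since midnight."""
    h, m, s = ts.split(":")
    sec, frac = s.split(".")
    whole = int(h) * 3600 + int(m) * 60 + int(sec)
    return whole * 1_000_000 + int(frac.ljust(6, "0"))


def parse_ntp_capture(text):
    """Return one dict per NTP packet; tcpdump's banner lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["t"] = _micros(p["ts"])
            packets.append(p)
    return packets


def pair_exchanges(packets):
    """Match Client requests to Server replies.

    A reply counts only if it comes from the server that was asked and is
    addressed to the ephemeral port the request left from; that (server,
    port) pair is the state a stateful firewall has to keep for the reply
    to get back in. Returns (answered, unanswered, unsolicited):
      answered    - OrderedDict {(server, client_port): round trip in microseconds}
      unanswered  - requests with no matching reply (dropped somewhere on the path)
      unsolicited - replies with no matching request (capture started late,
                    or something outside is poking port 123 on its own)
    """
    pending = OrderedDict()
    answered = OrderedDict()
    unsolicited = []
    for p in packets:
        if p["mode"] == "Client":
            pending[(p["dst"], p["sport"])] = p
        else:
            key = (p["src"], p["dport"])
            req = pending.pop(key, None)
            if req is None:
                unsolicited.append(key)
            else:
                answered[key] = p["t"] - req["t"]
    return answered, list(pending), unsolicited


def firewall_verdict(text):
    """Summarise a capture; 'ok' is True only when every request was answered."""
    answered, unanswered, unsolicited = pair_exchanges(parse_ntp_capture(text))
    return {"answered": answered, "unanswered": unanswered,
            "unsolicited": unsolicited,
            "ok": bool(answered) and not unanswered}


if __name__ == "__main__":
    # Usage: tcpdump -l port 123 | python3 ntpcheck.py   (or run with no input
    # to see the sample capture evaluated)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    v = firewall_verdict(text)
    for (server, port), rtt in v["answered"].items():
        print(f"ok   {server} -> local port {port}  rtt {rtt / 1000:.3f} ms")
    for server, port in v["unanswered"]:
        print(f"LOST {server} -> local port {port}  no reply seen")
    for server, port in v["unsolicited"]:
        print(f"???  {server} -> local port {port}  reply without request")
    print("replies reaching the client:", "yes" if v["ok"] else "NO")
```

On the sample capture the three copied exchanges pair up with round trips of 12.392, 44.670 and 49.418 ms, the first Server packet is reported as unsolicited (its request was sent before the capture started, as in the original output), and the constructed request to ntp.example is reported as lost, so the verdict is NO. Run on a capture taken behind the corporate router before and after the `ip inspect` change, the lost list going empty is the confirmation that the return path is open without any inbound rule for port 123.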


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
