In article <478E40FF.4070708@xxxxxxxxx>,
Sean Carolan <scarolan@xxxxxxxxx> wrote:
> > The zeros in the "reach" column indicate that the server has been unable to
> > receive any packets from the upstream servers.
> >
> > Is your server inside a firewall? If so, perhaps it is blocking NTP traffic.
> > You need to have it allow UDP port 123 in both directions. You don't need
> > port forwarding from outside to in, since all incoming packets will be replies
> > to outgoing packets.
> >
> > If it is not inside a firewall, perhaps you have iptables on the server itself
> > blocking UDP port 123 traffic.
>
> Fantastic, Tony. This is the information I needed. Our ISP does in fact
> block UDP packets and I suspect this is why the sync is failing.
>
> One question though - how come I can use ntpdate servername to update them by
> hand? Shouldn't that be blocked as well?
That depends. The ntpdate on my system uses a non-privileged UDP port as the
source port, and 123 as the destination. That means the reply from the external
server will be coming back to a non-privileged port (above 1024). The ntpd
daemon however uses 123 as both source and destination port, and therefore so
will replies to it.
Maybe the ISP allows incoming UDP packets to non-privileged ports but not to
low port numbers like 123.
Cheers
Tony
--
Tony Mountifield
Work: tony@xxxxxxxxxxxxx - http://www.softins.co.uk
Play: tony@xxxxxxxxxxxxxxx - http://tony.mountifield.org
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
