Hello,

My workstation should synchronize its clock with my server, but for some reason this is not allowed.

This is what I get in the log when the client tries to sync with NTP:

    Oct 25 08:25:47 server kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.5 DST=192.168.0.4 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=1031 LEN=56

My internal network is eth1, external is eth0.

I have the following rules in the rules file for NTP:

    # Allow NTP connections
    AllowNTP loc fw
    AllowNTP fw net
    AllowNTP net fw

What am I missing here that it is not allowed? My shorewall version is 2.02c.

-- 
Regards,
Peter

what is ALT f4 for ... oops !!!
- Do you have a Dreambox 7000S?
- Have a look at http://www.dreamvcr.com
- Also see http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org - 37 days, 11 hours and 16 minutes, 0 users logged in.
On Monday 25 October 2004 13:35, Peter Lindeman wrote:
> Hello,
>
> My workstation should synchronize its clock with my server, but for some
> reason this is not allowed.
>
> This is what I get in the log when the client tries to sync with NTP:
>
> Oct 25 08:25:47 server kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> SRC=192.168.0.5 DST=192.168.0.4 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF
> PROTO=UDP SPT=123 DPT=1031 LEN=56
>
> My internal network is eth1, external is eth0.
>
> I have the following rules in the rules file for NTP:
>
> # Allow NTP connections
> AllowNTP loc fw
> AllowNTP fw net
> AllowNTP net fw
>
> What am I missing here that it is not allowed?

Most likely your client is broadcasting to UDP 123. Netfilter doesn't track incoming broadcasts, so it is not allowing the response. Either configure the client to use unicast or add a rule such as:

    ACCEPT fw all udp 1024: 123

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
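The log line Peter posted is the symptom Tom describes: the server's NTP reply (UDP, source port 123) to an unprivileged client port has no conntrack entry because the broadcast request was never tracked, so it falls through to the all2all REJECT policy. The following is an added example (not code from the thread or from Shorewall) that parses netfilter log lines in the format shown above and flags rejected NTP replies of exactly that shape, which is a quick way to confirm the diagnosis before loosening a rule. The sample log lines are constructed for the example; the prefix format `Shorewall:<chain>:<action>:` and the key=value fields are assumed to follow the line quoted in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the log line quoted in the thread.
# Line 1: the rejected NTP reply from the thread (server 192.168.0.4 -> client 192.168.0.5).
# Line 2: an unrelated dropped inbound TCP SYN on the external interface.
# Line 3: a UDP/123 -> 123 reply, which the rule "ACCEPT fw all udp 1024: 123" would not cover.
SAMPLE_LOG = """\
Oct 25 08:25:47 server kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.5 DST=192.168.0.4 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=1031 LEN=56
Oct 25 08:26:02 server kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 25 08:26:30 server kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=192.168.0.5 DST=192.168.0.4 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""

# The Shorewall log prefix sits in the middle of the syslog line; everything after
# the third colon is a run of KEY=VALUE tokens and bare flags (DF, SYN, ...).
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")


@dataclass
class NetfilterEvent:
    chain: str
    action: str
    # Keys can repeat (LEN appears once for the IP header and once for UDP),
    # so every key maps to the list of values in the order they appeared.
    fields: dict = field(default_factory=dict)
    flags: set = field(default_factory=set)

    def first(self, key, default=""):
        return self.fields.get(key, [default])[0]


def parse_line(line):
    """Parse one netfilter log line; return None if it carries no Shorewall prefix."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = NetfilterEvent(chain=m.group("chain"), action=m.group("action"))
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)   # "IN=" yields an empty value
            ev.fields.setdefault(key, []).append(value)
        else:
            ev.flags.add(token)                # DF, SYN, ACK ... have no value
    return ev


def is_rejected_ntp_reply(ev):
    """True when a dropped/rejected packet looks like the NTP reply in the thread:
    UDP leaving the firewall (OUT set) from source port 123 to an unprivileged port."""
    if ev.action not in ("REJECT", "DROP"):
        return False
    if ev.first("PROTO") != "UDP" or ev.first("OUT") == "":
        return False
    try:
        spt, dpt = int(ev.first("SPT")), int(ev.first("DPT"))
    except ValueError:
        return False
    return spt == 123 and dpt >= 1024


def find_rejected_ntp_replies(log_text):
    """Return (src, dst, dpt) for every rejected NTP reply in the log text."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and is_rejected_ntp_reply(ev):
            hits.append((ev.first("SRC"), ev.first("DST"), int(ev.first("DPT"))))
    return hits


if __name__ == "__main__":
    for src, dst, dpt in find_rejected_ntp_replies(SAMPLE_LOG):
        print(f"rejected NTP reply: {dst}:123 -> {src}:{dpt}")
```

Note that SRC/DST in the log are the addresses of the rejected packet itself, so the server (192.168.0.4) appears as DST and the workstation as SRC even though the packet is the server's reply leaving on eth1. Only a match on this pattern justifies the permissive `ACCEPT fw all udp 1024: 123` rule; a rejected unicast exchange would show a tracked reply and not reach the all2all chain at all.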
Tom Eastep wrote:
>> What am I missing here that it is not allowed?
>
> Most likely your client is broadcasting to UDP 123. Netfilter doesn't track
> incoming broadcasts, so it is not allowing the response. Either configure the
> client to use unicast or add a rule such as:
>
> ACCEPT fw all udp 1024: 123

Thanks, it is now working!

-- 
Regards,
Peter

Cannot load the phone book file.
- Do you have a Dreambox 7000S?
- Have a look at http://www.dreamvcr.com
- Also see http://www.lindeman.org
- ICQ 22383596
- Uptime lindeman.org - 37 days, 13 hours and 7 minutes, 0 users logged in.