Configure NTP - should be a snap, but it isn't

Kevin O'Gorman kevin at kosmanor.com
Mon May 17 11:32:34 PDT 2004


On Fri, May 31, 2002 at 10:17:23PM -0400, Kurt Wall wrote:
> On Fri, 31 May 2002 17:26:36 -0700
> "Kevin O'Gorman" <kevin at kosmanor.com> wrote:
> 
> > I configure NTP once every several years, so I cannot usually
> > remember what's what.
> > 
> > I've got a server that's been running NTP happily for years,
> > seems to stay current, and I'm not going to mess with it.
> > 
> > I've got another machine, glynnis, running RH7.1, and it has the NTP
> > software, but I cannot get it to synchronize with my server.
> > I've looked at my firewall rules, and it seems I have all traffic
> > allowed between these machines, on local-only subnet: 192.168.1.0/24.
> 
> Just in case, port 123 is open for tcp and udp traffic, correct, although
> I note from the docs that it only uses udp.
> > 
> > NTP comes up on glynnis okay, but whenever I run 'ntpq -p' I get
> > this, which tells me btrixie isn't being used, and that the
> > local clock is being taken as the time source:  (btrixie is an
> > entry in my /etc/hosts file, equated to 192.168.1.148)
> > 
> > [root at glynnis init.d]# ntpq -p
> >      remote           refid      st t when poll reach   delay   offset  jitter
> > ==============================================================================
> >  btrixie         0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
> >  LOCAL(0)        LOCAL(0)        10 u    -   64    0    0.000    0.000 4000.00
> 
> Are you sure that glynnis can reach btrixie?

Absolutely.  I do it many times a day.  They're both on my "inner" net (192.168.1.?)
and listed in /etc/hosts.  Both machines have firewalls, but they allow _all_
traffic on the inner net.

-> Trixie's running eD2.4, and has this in /etc/rc.d/rc.firewall (in part):
-> INTERNAL_INTERFACE="eth1"
->     /sbin/ipchains -A input  -i $INTERNAL_INTERFACE -j ACCEPT 
->     /sbin/ipchains -A output -i $INTERNAL_INTERFACE -j ACCEPT 

Glynnis is running RH7.1 (soon to be RH7.3), and has this in
/etc/sysconfig/ipchains (in full):

-> # Firewall configuration written by lokkit
-> # Manual customization of this file is not recommended.
-> # Note: ifup-post will punch the current nameservers through the
-> #       firewall; such entries will *not* be listed here.
-> :input ACCEPT
-> :forward ACCEPT
-> :output ACCEPT
-> # accept SSH connections
-> -A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-> # accept loopback traffic
-> -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-> # accept everything on the local net
-> -A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
-> # accept anything from trixie
-> -A input -s 63.194.39.148 53 -d 0/0 -p udp -j ACCEPT
-> # throw everything else away
-> -A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-> -A input -s 0/0 -d 0/0 -p udp -j REJECT

Note that eth0, on both glynnis and trixie, connects to the outside world;
eth1 is on the inner net, behind a Linksys router.  I'm particularly fond
of the ruleset for Glynnis; nothing comes in from the outside except DNS
responses and SSH connections.  And the rules are almost as simple to read
as that.  Of course, if any bad guy gets to my inner net, I'm toast.

Trixie serves mail and http, so her rules are a bit more complicated.

> 
> > My configuration file is very simple.
> > 
> > > server 192.168.1.148
> > >  
> > > server  127.127.1.0     # local clock
> > > fudge   127.127.1.0 stratum 10
> > >  
> > > driftfile /etc/ntp/drift
> > > multicastclient                 # listen on default 224.0.1.1
> > > broadcastdelay  0.008
> > >  
> > > authenticate no
> 
> Kurt
> -- 
> Your lucky number has been disconnected.

-- 
Kevin O'Gorman  (805) 650-6274  mailto:kevin at kosmanor.com
Permanent e-mail forwarder:  mailto:Kevin.O'Gorman.64 at Alum.Dartmouth.org
At school: mailto:kogorman at cs.ucsb.edu
Web: http://www.cs.ucsb.edu/~kogorman/index.html
Web: http://kosmanor.com/~kevin/index.html

"Life is short; eat dessert first!"
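Added example, not part of the original thread: a small parser for the `ntpq -p` billboard shown above that explains why a peer like btrixie (refid 0.0.0.0, stratum 16, reach 0) is not being used. The tally codes in the first column and the octal meaning of the reach column follow the ntpq documentation; the sample text is constructed to match the output quoted in the post.

```python
"""Interpret `ntpq -p` output: which peers are actually usable time sources?"""
from dataclasses import dataclass, field

# Constructed sample, shaped like the `ntpq -p` output quoted in the thread.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 btrixie         0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 LOCAL(0)        LOCAL(0)        10 u    -   64    0    0.000    0.000 4000.00
"""

# First column of each peer line: how the selection algorithm treats the peer.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "#": "backup",
         "x": "falseticker", ".": "excess", "o": "pps peer", " ": "discarded"}


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int          # octal shift register: one bit per poll, 8 most recent polls
    offset: float
    problems: list = field(default_factory=list)

    def diagnose(self):
        if self.reach == 0:
            self.problems.append("no reply in the last 8 polls (reach 0): check the UDP/123 path")
        elif self.reach != 0o377:
            self.problems.append(f"lossy: {bin(self.reach).count('1')}/8 recent polls answered")
        if self.stratum == 16 or self.refid in ("0.0.0.0", ".INIT."):
            self.problems.append("server reports itself unsynchronized (stratum 16)")
        if self.remote.startswith("LOCAL(") and self.tally == "*":
            self.problems.append("free-running local clock is the selected source")
        return self


def parse_ntpq(text):
    """Return one Peer per data line, skipping the header and the ==== rule."""
    peers = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        tally, cols = line[0], line[1:].split()
        remote, refid, st, _t, _when, _poll, reach, _delay, offset, _jitter = cols
        peers.append(Peer(tally, remote, refid, int(st), int(reach, 8), float(offset)).diagnose())
    return peers


def report(text):
    """Map each remote to its list of problems ([] means a healthy peer)."""
    return {p.remote: p.problems for p in parse_ntpq(text)}
```

Run `report(SAMPLE)` (or feed it the live output of `ntpq -p`) to get, per peer, the reasons it is not being selected.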