[vox-tech] I'm also having ntp problems :-(
vox-tech@lists.lugod.org
Thu, 25 Apr 2002 02:11:51 -0400
On Wed, Apr 24, 2002 at 11:04:01PM -0700, Ryan wrote:
> The following seems to be happening...
>
> connections to a udp server on nat work fine both ways.
>
> connections to a udp server on bob only work for sending data to bob.
>
> in tcpdump, I see nat telling bob that the udp port is unreachable, yet bob
> has no firewall.
>
> Very odd.....

Can you paste a 10-line tcpdump log showing this event?

A little background,
  nat is (the nat/firewall/ntp machine)
  bob is (the client)
If not correct, please explain.

> On Wednesday 24 April 2002 10:51 pm, msimons@moria.simons-clan.com wrote:
> > On Wed, Apr 24, 2002 at 10:26:13PM -0700, Ryan wrote:
> > > On Wednesday 24 April 2002 10:04 pm, msimons@moria.simons-clan.com wrote:
> > > > Something is preventing port 123 UDP packets from going between
> > > > bob and nat, you can see packets be transmitted and no reply. It
> > > > could also be that your ntpd is configured to not accept connections
> > > > from bob.
> > >
> > > This can now be blamed on firewall rules.
> >
> > Something doesn't look right about this...
> >
> > Both ntpq and ntpdate create the same type of UDP based socket,
> > running from the same machine one of them gets replies the other
> > does not (the packets are different sizes). It is true that some
> > length based firewall checks could be blocking the replies... but
> > it's important to figure out what is broken before changing things
> > and I still don't have enough information. It could be either ntpd
> > or the firewall, since it could as likely be server configuration
> > (like only accepting certain client revisions).
> >
> > If it still doesn't work after you have fun looking through your
> > firewall rules, install strace on the firewall and run the trace
> > requested below. If you can't use "apt-get install strace" then
> > remember it is simply one big executable; scp it to the firewall
> > from a similar machine and just run the binary from /tmp, then
> > nuke it.