[lug] ntpdate fails on RH7.1 (KRUD 2001-08-01 with updates)

Sean Reifschneider jafo at tummy.com
Thu Jan 10 11:50:47 MST 2002


On Thu, Jan 10, 2002 at 12:36:36PM -0600, Michael J. Hammel wrote:
>I didn't think it would be this problem since the box which is succeeding
>is behind the firewall and the firewall is the one that is failing.  So how
>can I be blocking port 123 on the firewall (where ntpdate fails) but that
>port gets through to another box behind the firewall?  Isn't that counter
>to what a firewall is supposed to be doing?  Do I need to firewall all my
>boxes to prevent incoming connections to them?

When a firewall box masquerades a connection, it typically re-writes the
source port from whatever it is to a very high port up in the 60000 range.
Your firewall could be blocking incoming <1024 traffic
while allowing >=1024.  So, when a masqueraded connection asks for the NTP
data, it's getting it, but when the firewall asks for it the response is
coming back to the source port of 123 and is being blocked.

That's my guess.

Sean
-- 
 Canadian phone sex: What colour touque are you wearing?
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
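The mechanism Sean guesses at above can be modelled in a few lines, which makes the asymmetry between the LAN host and the firewall itself easy to see. What follows is an added example, not code from the original post or from KRUD: it models a masquerading firewall that rewrites outbound source ports to a high range and a stateless inbound rule that drops anything destined for a port below 1024. The addresses are constructed from the RFC 5737 documentation ranges, the NAT port range of 61000 and the unprivileged port 40000 are assumptions, and the two "fixes" shown (ntpdate's `-u` option, which sends from an unprivileged port, and a stateful filter that admits replies to tracked outbound packets) are not from the post.

```python
"""Model of the masquerade/firewall interaction described in the post.

Addresses and ports are constructed for the example (RFC 5737 documentation
ranges); the NAT port range and the unprivileged port are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

NTP_PORT = 123
FIREWALL_IP = "203.0.113.1"     # constructed: firewall's outside address
LAN_HOST_IP = "192.168.1.10"    # constructed: the box behind the firewall
NTP_SERVER_IP = "198.51.100.5"  # constructed: upstream NTP server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Source NAT as the post describes it: packets leaving the LAN get the
    firewall's address and a fresh high source port, and the mapping is kept
    so the reply can be rewritten back.  The firewall's own packets are not
    masqueraded, so they keep whatever source port the client chose."""

    def __init__(self, first_port: int = 61000):  # 61000 is an assumption
        self.next_port = first_port
        self.table: Dict[int, Packet] = {}  # external port -> original packet

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src == FIREWALL_IP:
            return pkt
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = pkt
        return Packet(FIREWALL_IP, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Packet:
        orig = self.table.get(pkt.dport)
        if orig is not None and orig.dst == pkt.src and orig.dport == pkt.sport:
            return Packet(pkt.src, pkt.sport, orig.src, orig.sport)
        return pkt


def stateless_low_port_block(pkt: Packet) -> bool:
    """The rule set the post guesses at: drop anything arriving for a port
    below 1024, accept the rest, with no memory of what was sent out."""
    return pkt.dport >= 1024


class StatefulFilter:
    """Connection tracking: accept an inbound packet only if it answers a
    packet that went out earlier (the ESTABLISHED idea in iptables)."""

    def __init__(self) -> None:
        self.seen: Set[Tuple[str, int, str, int]] = set()

    def note_outbound(self, pkt: Packet) -> None:
        self.seen.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def allow_inbound(self, pkt: Packet) -> bool:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.seen


def ntp_round_trip(client_ip: str, client_sport: int, nat: Masquerader,
                   allow_inbound: Callable[[Packet], bool],
                   note_outbound: Optional[Callable[[Packet], None]] = None) -> bool:
    """Send one NTP query and report whether the reply reaches the client."""
    query = Packet(client_ip, client_sport, NTP_SERVER_IP, NTP_PORT)
    on_wire = nat.outbound(query)
    if note_outbound is not None:
        note_outbound(on_wire)
    # The server answers whatever address and port it saw the query come from.
    reply = Packet(NTP_SERVER_IP, NTP_PORT, on_wire.src, on_wire.sport)
    if not allow_inbound(reply):
        return False
    delivered = nat.inbound(reply)
    return delivered.dst == client_ip and delivered.dport == client_sport


def lan_host_behind_stateless_filter() -> bool:
    """Box behind the firewall, ntpdate as root (source port 123): masqueraded."""
    return ntp_round_trip(LAN_HOST_IP, NTP_PORT, Masquerader(), stateless_low_port_block)


def firewall_itself_behind_stateless_filter() -> bool:
    """ntpdate on the firewall: not masqueraded, reply comes back to port 123."""
    return ntp_round_trip(FIREWALL_IP, NTP_PORT, Masquerader(), stateless_low_port_block)


def firewall_itself_unprivileged_port() -> bool:
    """ntpdate -u on the firewall: unprivileged source port (40000 is assumed)."""
    return ntp_round_trip(FIREWALL_IP, 40000, Masquerader(), stateless_low_port_block)


def firewall_itself_stateful_filter() -> bool:
    """Source port 123 again, but the inbound rule is keyed on tracked packets."""
    f = StatefulFilter()
    return ntp_round_trip(FIREWALL_IP, NTP_PORT, Masquerader(),
                          f.allow_inbound, f.note_outbound)


if __name__ == "__main__":
    for fn in (lan_host_behind_stateless_filter, firewall_itself_behind_stateless_filter,
               firewall_itself_unprivileged_port, firewall_itself_stateful_filter):
        print(f"{fn.__name__}: {'reply delivered' if fn() else 'reply blocked'}")
```

The model reproduces the symptom in the thread: the LAN host's query leaves with source port 61000, so the reply lands on a port the stateless rule admits, while the firewall's own query leaves with source port 123 and its reply is dropped. Only the `stateless_low_port_block` rule is the post's diagnosis; whether that is really the rule set in use is something to confirm on the box by logging dropped UDP packets before changing anything.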
