Re: problem with ntp in a DMZ



On 8/4/08, Tangren, Bill <bill.tangren@xxxxxxxxxxxxx> wrote:
I have two essentially identical servers, RHEL ES 4.6 fully patched. The
only difference is, one is in a DMZ and the other is not. Both can do an
nslookup on the time server I use (tick.usno.navy.mil), but when I turn
off ntp and use the ntpdate command, it fails on the server in the DMZ
and succeeds on the one that is not. Here is the output from ntpdate in
debug mode. First the one that succeeds:


Hi there.

This is almost always a firewall problem with source port 123 for the
reply being blocked.
I presume that ntpdate uses some high value port for its source for
the query and destination for the reply.
However you state that 123 is open in both directions.
Is the ntpd that you are querying bound to a specific interface, or is
it bound to *:123? In the latter case there used to be an issue where it
would use a different IP address for the reply than the one it
received the request on, but that problem was patched a while ago.

RFC1918 states that 192.168.x.x is the private address, so 192.5.x.x should be ok;
certainly tick.usno.navy.mil is reachable from here in sunny Scotland.

My bet would be on the firewall config stopping the reply from
tick.usno.navy.mil:123 reaching a high value (>1024) port bound to
ntpdate.

Run wireshark or tcpdump to see what is happening on aa at layer 2.

best wishes

mike

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
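A worked model of the failure mode Mike describes, added here as an example and not part of the thread or of ntpdate's own code. Two facts worth pinning down before the tcpdump session: ntpdate sends its query from source port 123 unless it is run with -u, which switches it to an unprivileged port, and a stateless filter that only permits tick:123 -> dmz:123 inbound will therefore drop the reply exactly when the query left from a high port. The code below builds the 48-byte NTPv3 client packet (the same shape ntpdate -d prints), a stratum-1 style reply, and runs both through a stateless rule set and a stateful one (the UDP equivalent of iptables -m state --state ESTABLISHED). Host labels `dmz-host`, the reference id "GPS", the rule sets and the timestamps are constructed for illustration; the only real name is tick.usno.navy.mil.

```python
"""NTP query/reply through a stateless vs. stateful DMZ filter (added example)."""
import struct
from dataclasses import dataclass

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
NTP_PORT = 123
EPHEMERAL = 40000                      # stand-in for the port ntpdate -u would pick
DMZ, TICK = "dmz-host", "tick.usno.navy.mil"   # constructed labels, not addresses


def build_client_request(unix_time: float) -> bytes:
    """48-byte NTPv3 mode-3 (client) packet: LI=0, VN=3, mode=3, then the
    header fields, three zero timestamps and the transmit timestamp."""
    li_vn_mode = (0 << 6) | (3 << 3) | 3
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    header = struct.pack("!BBBbIII", li_vn_mode, 0, 6, -20, 0, 0, 0)
    return header + b"\x00" * 24 + struct.pack("!II", secs, frac)


def build_server_reply(request: bytes, unix_time: float) -> bytes:
    """Mode-4 reply as a stratum-1 server would send; refid 'GPS' is constructed."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    stamp = struct.pack("!II", secs, frac)
    header = struct.pack("!BBBbIII", li_vn_mode, 1, 6, -20, 0, 0, 0x47505300)
    # reference, originate (= client's transmit stamp), receive, transmit
    return header + stamp + request[40:48] + stamp + stamp


def parse_reply(data: bytes) -> dict:
    """Decode the fields you would compare against ntpdate -d / tcpdump output."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum = struct.unpack("!BB", data[:2])
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,
        "stratum": stratum,
        "transmit_unix": tx_secs - NTP_EPOCH_OFFSET + tx_frac / (1 << 32),
    }


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str
    sport: range
    dst: str
    dport: range
    action: str            # "accept" or "drop"


ANY = range(0, 65536)
HIGH = range(1024, 65536)
ONLY_123 = range(123, 124)

# "123 open in both directions" written as a stateless ACL: the reply is
# only permitted when it comes back to destination port 123.
RULES_123_BOTH_WAYS = [
    Rule(DMZ, ANY, TICK, ONLY_123, "accept"),
    Rule(TICK, ONLY_123, DMZ, ONLY_123, "accept"),
]
# Same ACL plus a rule that lets the reply reach a high port on the DMZ host.
RULES_WITH_HIGH_PORTS = RULES_123_BOTH_WAYS + [Rule(TICK, ONLY_123, DMZ, HIGH, "accept")]


def stateless_verdict(rules, pkt: Packet) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    for r in rules:
        if r.src == pkt.src and r.dst == pkt.dst and pkt.sport in r.sport and pkt.dport in r.dport:
            return r.action
    return "drop"


class StatefulFilter:
    """Accept a packet that reverses a flow already admitted outbound, the way
    a connection-tracking firewall treats UDP replies; otherwise fall back to
    the stateless rules."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def verdict(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"
        v = stateless_verdict(self.rules, pkt)
        if v == "accept":
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return v


def run_exchange(verdict_fn, client_port: int, now: float = 1217894400.0) -> dict:
    """Send one query from client_port, see whether the reply survives the
    filter, and decode it if it does.  now is a constructed timestamp."""
    req = build_client_request(now)
    out = Packet(DMZ, client_port, TICK, NTP_PORT)
    back = Packet(TICK, NTP_PORT, DMZ, client_port)
    result = {"query": verdict_fn(out), "reply": "drop"}
    if result["query"] == "accept":
        result["reply"] = verdict_fn(back)
    if result["reply"] == "accept":
        result["stratum"] = parse_reply(build_server_reply(req, now + 0.05))["stratum"]
    return result


if __name__ == "__main__":
    print("default port, 123-only rules:", run_exchange(lambda p: stateless_verdict(RULES_123_BOTH_WAYS, p), NTP_PORT))
    print("ntpdate -u,   123-only rules:", run_exchange(lambda p: stateless_verdict(RULES_123_BOTH_WAYS, p), EPHEMERAL))
    print("ntpdate -u,   high-port rule:", run_exchange(lambda p: stateless_verdict(RULES_WITH_HIGH_PORTS, p), EPHEMERAL))
    print("ntpdate -u,   stateful:      ", run_exchange(StatefulFilter(RULES_123_BOTH_WAYS).verdict, EPHEMERAL))
```

On the DMZ box, `tcpdump -ni eth0 udp port 123` alongside `ntpdate -d tick.usno.navy.mil` shows the same two packets the model calls `out` and `back`: if the query leaves and nothing comes back, capture on the outside of the firewall as well before blaming the time server. The second and fourth cases above are the practical choice: either add the reply rule for ports above 1023 or let the firewall track the outbound UDP flow, rather than leaving the DMZ host to depend on a fixed source port.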


