[ntp:questions] My ntpd stopped working

rasmus rasmusaa at gmail.com
Mon Sep 17 21:12:34 UTC 2007


On 17 Sep., 22:41, Steve Kostecke <koste... at ntp.org> wrote:
[...]
> It appears to me that you do have a firewall problem. It may be yours
> or it may be your ISP's.

I agree. I couldn't (can't) see why and the 'works to start with, then
stops and blinks on, mostly off' threw me. However, I like your
observation at the end of the mail.

> If your ntpd is to be able to receive polls from others (e.g. pool
> clients, the ) you must have port 123/UDP _totally_ open (both incoming
> and outgoing).

I think I do. However, I am certainly ready to be corrected. I use
iptables on a linux 2.6 kernel (if this means nothing to you, please
disregard this part). I have accepted udp packets on port 123 in the
INPUT chain and allow all outgoing packets (OUTPUT chain). FORWARD
shouldn't matter since ntpd runs on the firewall.

> >> If you need to port forward 123/UDP to a machine behind your firewall,
> >> are you sure that this is actually happening?
>
> > If I enable debug out on my ntpd I get a lot of connections from all
> > over the net. So I think that part is OK.
>
> >> Is it possible that connections to your port 123/UDP are going to a
> >> locked down ntpd on your firewall?
>
> > If by 'locked down' you mean some 'restrict' line in the conf file,
>
> No. Let me rephrase that. "Is it possible that connections on port
> 123/UDP are not being forwarded to the ntpd you intend to use as a public
> time server?"

No.

> > then I have removed all of those. My ntp.conf is as originally posted
> > with all restrict lines commented out.
>
> I saw that file and can tell you that those restrictions could not have
> blocked time service.

I thought so as well.

[...]

> >===============================================================================
> > 192.168.1.2            44069 192.168.1.2           21 7 2      0
>
> This is looking more and more like a misconfigured firewall.
>
> > This mirrors my own testing, where I get responses if I use my
> > internal (192.168.1.2/127.0.0.1) interfaces but not the external one
> > (the one on the outside of the DSL modem). I have not been able to
> > determine where the responses get lost, though :(
>
> firewall

Agreed, as per above.

> >> Are you sure that ntpd is not using another configuration file?
>
> > There is no -c on the command line so I gather that /etc/ntp.conf
> > should be used by default.
>
> Depending on your OS the default location for ntp.conf may, or may not,
> be /etc/ntp.conf

Fair enough. The manpage tells me so and so does strace.

> > Also, the reason I wrote in with the 'puzzled' comment is that the
> > pool seems, from time to time and seldom, to have connection to my
> > server. And that is at times I am definitely not touching the firewall/
> > network. Indeed, not touching the box at all. mmm, I am wondering
> > whether this phenomenon could be due to a lot of dropped packets? I'll
> > go reduce my pool bandwidth and see what happens.
>
> This sounds as though your firewall is opening port 123/UDP in response
> to polls sent to remote time servers from your ntpd.

That could indeed then explain the blinks in my availability as
reported by the pool. How often does ntpd per default sync time with
the configured servers?

Cheers,
  Rasmus
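
The symptom discussed in this thread (123/UDP reachable only after ntpd's own outgoing polls) is what a stateful INPUT chain does when it accepts ESTABLISHED/RELATED traffic but has no rule for new packets to port 123. The sketch below is an added example, not part of the original thread: it does a first-match walk over `iptables -S` style text, and both rulesets, the `eth0` interface name and the `verdict` helper are constructed for illustration.

```python
# Added example: simplified first-match walk of the INPUT chain.
# Rulesets below are constructed samples in `iptables -S` format.
STATEFUL_ONLY = """
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""
WITH_NTP = STATEFUL_ONLY + "-A INPUT -p udp -m udp --dport 123 -j ACCEPT\n"

# Only these options are modelled; rules using anything else are skipped.
MODELLED = {"-p", "-m", "--dport", "--state", "--ctstate", "-i", "-j"}

def verdict(ruleset, state, iface="eth0", proto="udp", dport="123"):
    """Return the target applied to one inbound packet in conntrack `state`."""
    policy = "ACCEPT"  # built-in chain default when no -P line is present
    for line in ruleset.strip().splitlines():
        tok = line.split()
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", "INPUT"] or len(tok) % 2:
            continue  # other chain, or a form (e.g. "!") not modelled here
        opts = dict(zip(tok[2::2], tok[3::2]))
        if set(opts) - MODELLED:
            continue
        states = opts.get("--state") or opts.get("--ctstate")
        if (opts.get("-p", proto) == proto
                and opts.get("--dport", dport) == dport
                and opts.get("-i", iface) == iface
                and (states is None or state in states.split(","))
                and opts.get("-j") in ("ACCEPT", "DROP", "REJECT")):
            return opts["-j"]
    return policy

if __name__ == "__main__":
    for name, rules in (("stateful only", STATEFUL_ONLY), ("with 123/UDP", WITH_NTP)):
        print(name,
              "| unsolicited poll:", verdict(rules, "NEW"),
              "| reply to own poll:", verdict(rules, "ESTABLISHED"))
```

With the first ruleset a remote pool monitor gets an answer only while a conntrack entry from an outgoing poll to that same address is still alive, which shows up as intermittent availability. The same effect can come from a stateful device upstream of the host, such as the DSL modem or the ISP.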



