SCIENTIFIC-LINUX-USERS Archives

June 2005

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: ntpd listen on
From:
"Steven J. Yellin" <[log in to unmask]>
Reply To:
Steven J. Yellin
Date:
Thu, 23 Jun 2005 09:29:53 -0700
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (82 lines) 
On Thu, 23 Jun 2005, Ken Teh wrote:

> Do the following:
>
> chkconfig --level 0123456 ntpd off
>
> Bring up the machine and do
>
> service iptables status
>
> which will show you what the firewall rules are in effect.
>
> Then, repeat this again, but this time, reenable the ntpd service.
>
> chkconfig --level 2345 ntpd on
>
> Compare the outputs of 'service iptables status' and you should be able to
> determine what the ntpd did to the firewall rules.
>
> Good luck!
>
> Ken
>

    Without rebooting you can do

service iptables restart
service iptables status > iptables.1
service ntpd restart
service iptables status > iptables.2
diff iptables.1 iptables.2

    You should see that only the servers you requested in /etc/ntp.conf
have been let through the firewall.


>
>
> On Thu, 23 Jun 2005, Robert E. Blair wrote:
>
> > You might want to review /etc/rc.d/init.d/ntpd since it does diddle the
> > firewall (hate to see you place restrictions that get superceded).  You
> > may need to set FIREWALL_MODS=no in /etc/sysconfig/ntpd to avoid it
> > changing the firewall rules for you.
> >
> > Steven J. Yellin wrote:
> >
> > >    Put the restrictions into a firewall.  For example, assuming
> > >the firewall is iptables, in the INPUT chain direct all packets
> > >which are not from yourself, but have destination 123, to target
> > >"NTP".  Then do something like
> > >
> > ># Create the NTP chain
> > >iptables -N NTP
> > >#
> > ># Specify which IP's and interfaces are accepted.  For example,
> > ># accept only eth1, IP 123.123.123.123 and eth0, IP 203.14.211.14
> > >iptables -A NTP -i eth1 -s 123.123.123.123 -j ACCEPT
> > >iptables -A NTP -i eth0 -s 203.14.211.14 -j ACCEPT
> > >#
> > ># Ignore anybody else entering this chain (coming in on port 123)
> > >iptables -A NTP -j DROP
> > >
> > >Steven Yellin
> > >
> > >On Thu, 23 Jun 2005, Michael Mansour wrote:
> > >
> > >
> > >
> > >>Hi,
> > >>
> > >>When I run ntpd on SL3/4 and it listens on port 123 on all my interfaces,
> > >>including virtual interfaces.
> > >>
> > >>How can I tell it to only listen on a certain IP/certain interface only?
> > >>
> > >>I've googled for this but can't find anything relevant.
> > >>
> > >>Thanks.
> > >>
> > >>Michael.

ATOM RSS1 RSS2