can't get ntp to stay up
Leonard den Ottolander
leonardjo at hetnet.nl
Wed Dec 24 14:52:46 UTC 2003
Hi Sean,

> Dec 23 16:23:58 gateway ntpd[20163]: kernel time sync status 0040

I guess your firewall might be blocking the traffic. Try "service iptables
status" and see if it is running, and "iptables -L -n | less" to see the
ruleset. IIRC the default RH firewall rules do not log traffic that is
being blocked. This'll stop your log from flooding, but it also makes
debugging your firewall rule set more difficult.

You'll need to open port 123 udp. Something like

iptables -A INPUT -p udp -s <server IP> --sport 123 --dport 123 -j ACCEPT

for each server you are polling.

> I've commented out redhat's "restrict default ignore" line

That leaves your ntpd WideOpen(TM). Better just leave it there and add
restricts for the servers you are polling.

Based on your ntp.conf I would change it to something like:

logconfig =sysall +syncall +clockall +peerall
restrict default ignore
restrict 127.0.0.1
restrict 10.10.8.0 mask 255.0.0.0 notrust nomodify notrap
# not sure if you should be using IPs here, which is what I do
restrict clock.redhat.com mask 255.255.255.255 notrust nomodify notrap
# Ease the polling to a maximum of once every 5 minutes. That is just fine.
server clock.redhat.com minpoll 8 maxpoll 12
restrict clock2.redhat.com mask 255.255.255.255 notrust nomodify notrap
server clock2.redhat.com minpoll 8 maxpoll 12
restrict time.cachenetworks.com mask 255.255.255.255 notrust nomodify notrap
server time.cachenetworks.com minpoll 8 maxpoll 12
restrict louie.udel.edu mask 255.255.255.255 notrust nomodify notrap
server louie.udel.edu minpoll 8 maxpoll 12
restrict ntp.ourconcord.net mask 255.255.255.255 notrust nomodify notrap
server ntp.ourconcord.net minpoll 8 maxpoll 12
restrict clock.nyc.he.net mask 255.255.255.255 notrust nomodify notrap
server clock.nyc.he.net minpoll 8 maxpoll 12
# Don't need your own machine to sync to
#server 127.127.1.0
#fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
# You don't need/want authentication
# Might even be your problem
authenticate no
#keys /etc/ntp/keys

Bye,
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
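
An added example, not part of the original message: with "restrict default ignore" in place, a server line without its own restrict line has its replies dropped, so this Python check pairs the two up. The sample configuration is constructed, and the check assumes each restrict line names the server exactly as its server line does (network/mask coverage is not evaluated).

```python
# Added example; SAMPLE_CONF is constructed input. Assumes a restrict line names
# a server exactly as its server line does (network/mask coverage not evaluated).
SAMPLE_CONF = """\
restrict default ignore
restrict 127.0.0.1
restrict clock.redhat.com mask 255.255.255.255 notrust nomodify notrap
server clock.redhat.com minpoll 8 maxpoll 12
server louie.udel.edu minpoll 8 maxpoll 12
#server 127.127.1.0
"""

def parse(conf_text):
    """Return (servers, restricts); restricts maps address -> list of flags."""
    servers, restricts = [], {}
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if len(words) < 2:
            continue
        if words[0] == "server":
            servers.append(words[1])
        elif words[0] == "restrict":
            flags = words[2:]
            if flags[:1] == ["mask"]:          # skip "mask <netmask>"
                flags = flags[2:]
            restricts[words[1]] = flags
    return servers, restricts

def audit(conf_text):
    """List the places where the config departs from the advice above."""
    servers, restricts = parse(conf_text)
    findings = []
    if "ignore" not in restricts.get("default", []):
        findings.append("default: no 'restrict default ignore' line")
    for host in servers:
        if host.startswith("127.127."):        # local reference clock driver
            continue
        if host not in restricts:
            findings.append(f"{host}: server has no matching restrict line")
            continue
        missing = [f for f in ("nomodify", "notrap") if f not in restricts[host]]
        if missing:
            findings.append(f"{host}: restrict lacks {' '.join(missing)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```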