-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Andrew Reilly wrote: > On Wed, Jul 25, 2007 at 05:24:25AM +1000, Peter Jeremy wrote: >> On 2007-Jul-24 16:00:08 +0100, Pete French <[EMAIL PROTECTED]> wrote: >> Yes it does. The major difference is that ntpd will use a source >> port of 123 whilst ntpdate will use a dynamic source port. > > Is that behaviour that can be defeated? If it uses a fixed > source port, then multiple ntpd clients behind a nat firewall > will be competing for the same ip quadtuple at the NAT box. (Or > does ipnat or pf have the ability to fake different source > addresses?)
NAT gateways will remap the source port number as necessary to disambiguate the different hosts. Although NTP defaults to using port 123 on both the source and destination ends, it only *has* to use port 123 on the destination (server) end. The admin can override that behaviour by using 'restrict <addr> ntpport' in ntp.conf if required. NTP queries performed via user programs like ntpq(8) and ntpdc(8) always use an arbitrary high numbered source port. There's a similar configuration trick used with the DNS, except in that case, it works in the opposite sense: DNS queries will use an arbitrary high numbered source port by default, but you can configure named to force use of port 53 as the source port. Obviously this only applies to the server-to-server queries performed by recursive DNS servers -- as far as I know, there's no way to force the local resolver library on a particular machine to use a specific source port. In any case, the justification for forcing UDP packets to use a specific source port disappears when you use a modern stateful firewall like any of the three (pf, ipfw, ipf) supplied with FreeBSD. > (I've had what I think is this problem with a VPN setup, where > only one client behind the NAT firewall could run the VPN client > at a time, because the VPN protocol used a fixed port and UDP. > Maybe my NAT rules need more sophistication? I don't pay all > that much attention to it...) Indeed. For instance, in the case of IPSec there is a special high-numbered port reserved for use exchanging keys when transiting NAT gateways. See http://www.ietf.org/rfc/rfc3947.txt for the gory details. Note that other VPN packages such as OpenVPN work in a different way and shouldn't hit this particular hurdle, or at least, not in the same way. Cheers, Matthew - -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGpvw38Mjk52CukIwRCEwOAKCA7xelVOzskL4BXyFiplIwwJTJPgCfVWb5 l6Kfk7Sx1glV44FBBL8oqkU= =GeJ8 -----END PGP SIGNATURE----- _______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"
