On 2007-Jul-25 10:30:25 +1000, Andrew Reilly <[EMAIL PROTECTED]> wrote: >On Wed, Jul 25, 2007 at 05:24:25AM +1000, Peter Jeremy wrote: >> On 2007-Jul-24 16:00:08 +0100, Pete French <[EMAIL PROTECTED]> wrote: >> Yes it does. The major difference is that ntpd will use a source >> port of 123 whilst ntpdate will use a dynamic source port. > >Is that behaviour that can be defeated?
I don't believe so. > If it uses a fixed >source port, then multiple ntpd clients behind a nat firewall >will be competing for the same ip quadtuple at the NAT box. You might be better off running ntpd on the firewall and having the inside hosts sync to it. > (Or >does ipnat or pf have the ability to fake different source >addresses?) All NAT tools I've seen have the ability to either use multiple external addresses or re-write the source port to avoid clashes. Note that, by default, ntpd doesn't care about the source port of incoming packets (this can be controlled with the 'ntpport' option to 'restrict'). >(I've had what I think is this problem with a VPN setup, where >only one client behind the NAT firewall could run the VPN client >at a time, because the VPN protocol used a fixed port and UDP. >Maybe my NAT rules need more sophistication? I don't pay all >that much attention to it...) I suspect that either your NAT rules need to allow source port re-writing or the VPN protocol is fussier about having the source port. -- Peter Jeremy
pgp317m8M4Z7o.pgp
Description: PGP signature
