[LON-CAPA-admin] ntp

Martin Siegert siegert at sfu.ca
Thu Mar 27 13:26:22 EST 2003

On Thu, Mar 27, 2003 at 11:08:17AM -0500, H. K. Ng wrote:
> Thanks for your help. It turns out to be the firewall. The server which has 
> the ntp running happens to have all the ports open. It all makes sense now.
> I guess port 123 should be included together with 8080 and 5663. Any others?

I would not say that access to port 123 should be the same as access to 80,
8080 and 5663. On the contrary: port 123 should be accessible only from the
host that you specify in /etc/ntp/step-tickers. Therefore the section from
/etc/sysconfig/ipchains that deals with loncapa shoud look like:

-A input -s -d 0/0 123 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 8080 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 5663 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT

(this is the SFU case: = ntp.sfu.ca)
In principle 5663 only has to be accessible from loncapa servers. However,
configuring it that way would mean that your ipchains rules would get
quite long and you have to change it everytime a server is added. That
does not seem to be worth it. I have not seen any attacks on port 5663
therefore I currently regard the threat from leaving 5663 wide open to be
low (compared to ports 80 and 8080 anyway).


More information about the LON-CAPA-admin mailing list