Bug 68039
| Summary: | firewall makes ntp setup useless | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Public Beta | Reporter: | Markku Kolkka <markku.kolkka> |
| Component: | redhat-config-date | Assignee: | Brent Fox <bfox> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | limbo | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2002-08-29 05:22:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Markku Kolkka
2002-07-05 17:47:56 UTC
This screen is actually dateconfig. The UI is just pulled into the firstboot window. Here's the problem. We don't have a real firewall API at the moment, so it's hard to tell exactly what the firewall is set to, and I'm reluctant to have dateconfig poke a hole in the firewall without telling the user what is happening. I've made some recent changes to dateconfig that check to see if we can ping the ntp server before starting ntpd. If the server cannot be contacted, then a dialog appears telling the user the either the specified server isn't available or the firewall is blocking ntp connections. This isn't a perfect situation, but it is at least an improvement. I added a warning in the docs telling how to use redhat-config-securitylevel to allow connections through the NTP port. QA, please verify that redhat-config-date-1.4-7 informs the user if the server cannot be contacted. As I said earlier, I don't think that it's the correct thing for redhat-config-date to modify the user's firewall settings, so I'm not going to implement that at this point. With redhat-config-date-1.4-7, I'm getting a failure to sync with the timeserver in the case detailed above. I'm not getting any type of message that the config tool is unable to contact the timeserver. Can you demonstrate this behavior for me? ping? OK, what I'm seeing is that if you provide a valid host (time.nist.gov for example) but your firewall rules are preventing traffic on port 123 (ntpd) then the sync is failing, but the user is never notified that the sync failed. Should be fixed in 1.5.2-5. Please verify. Here's what I'm seeing with redhat-config-date-1.5.2-5. When running firstboot with the 'high'security level and entering an invalid host, I'm getting a message informing me of that. If, when running firstboot, I enter a valid host, but am unable to connect to it as a result of the iptables rules, I am not getting a message informing me of that. The sync just fails. Now, if I run redhat-config-date stand-alone, then I don't get a message either way. So, still looks like some things need to be cleared up. I think you need to update your ntp. The latest ntp package should use the initscript to poke a hole in the firewall, so the firewall settings should never be able to keep the ntp sync from succeeding. Fix confirmed with ntp-4.1.1a-7. |