Bug 106756 - ntpd startup script does not create firewall holes reliably
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: ntp
Version: 9
Hardware: All Linux
Priority: medium  Severity: medium
Assigned To: Harald Hoyer
QA Contact: Brian Brock
Reported: 2003-10-10 06:03 EDT by Ralph Billes
Modified: 2007-04-18 12:58 EDT
Doc Type: Bug Fix
Last Closed: 2003-10-24 10:15:00 EDT
Description Ralph Billes 2003-10-10 06:03:23 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021207
Phoenix/0.5

Description of problem:
Time servers in /etc/ntp.conf with "127" anywhere in their IP address and peers
without parameters do not have firewall holes made for them by the
/etc/rc.d/init.d/ntpd startup script. Consequently these timeservers and peers
are never contacted.


An /etc/ntp.conf fragment:

#server ntp.adelaide.edu.au
restrict 129.127.40.3 mask 255.255.255.255 nomodify notrap noquery
server 129.127.40.3

#server ntp.iprimus.com.au
restrict 203.134.65.66 mask 255.255.255.255 nomodify notrap noquery
server 203.134.65.66

# Allow synchronisation with our peer servers also
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap noquery
peer 192.168.0.60
peer 192.168.0.61
peer 192.168.0.62
peer 192.168.0.63


Version-Release number of selected component (if applicable):
ntp-4.1.2-0.rc1.2

How reproducible:
Always

Steps to Reproduce:
1. Set firewall security level to high.
2. Add the fragment above to the /etc/ntp.conf file.
3. Run "service ntpd restart"
    

Actual Results:  # service ntpd restart
ntpd: Removing firewall opening for 203.134.65.66 port 123 [  OK  ]
Shutting down ntpd:                                        [  OK  ]
ntpd: Opening firewall for input from 203.134.65.66 port 12[  OK  ]
Starting ntpd:                                             [  OK  ]


Expected Results:  # service ntpd restart
ntpd: Removing firewall opening for 129.127.40.3 port 123  [  OK  ]
ntpd: Removing firewall opening for 203.134.65.66 port 123 [  OK  ]
ntpd: Removing firewall opening for 192.168.0.60 port 123  [  OK  ]
ntpd: Removing firewall opening for 192.168.0.61 port 123  [  OK  ]
ntpd: Removing firewall opening for 192.168.0.62 port 123  [  OK  ]
ntpd: Removing firewall opening for 192.168.0.63 port 123  [  OK  ]
Shutting down ntpd:                                        [  OK  ]
ntpd: Opening firewall for input from 129.127.40.3 port 123[  OK  ]
ntpd: Opening firewall for input from 203.134.65.66 port 12[  OK  ]
ntpd: Opening firewall for input from 192.168.0.60 port 123[  OK  ]
ntpd: Opening firewall for input from 192.168.0.61 port 123[  OK  ]
ntpd: Opening firewall for input from 192.168.0.62 port 123[  OK  ]
ntpd: Opening firewall for input from 192.168.0.63 port 123[  OK  ]
Starting ntpd:                                             [  OK  ]


Additional info:

A quick patch to /etc/init.d/ntpd.conf to fix the problem:

Sorry about the line wrapping. Pity a file can't be attached here.

$ rcsdiff -C2 -r1.1 ntpd
===================================================================
RCS file: ntpd,v
retrieving revision 1.1
diff -C2 -r1.1 ntpd
*** ntpd        2003/10/02 08:06:58     1.1
--- ntpd        2003/09/26 00:56:22
***************
*** 43,52 ****
            tickers=`/bin/sed -e 's/\#.*$//g' $ntpstep`
          fi
        timeservers=`/bin/sed \
!                  -n -e 's/\#.*$//;/127.*/d' \
                   -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
                   -e
's/^[[:blank:]]*server[[:blank:]]+\([[:alnum:].]+\)[[:blank:]]*.*/\1/p' \
!                  -e
's/^[[:blank:]]*peer[[:blank:]]+\([[:alnum:].]+\)[[:blank:]]*.*/\1/p' \
                   $ntpconf`
  
        # check for -x
--- 43,59 ----
            tickers=`/bin/sed -e 's/\#.*$//g' $ntpstep`
          fi
+ # Fix sed expression to allow addresses with 127 in them and peer commands
with parameters
        timeservers=`/bin/sed \
!                  -n -e 's/\#.*$//;/127.0.0.1*/d' \
                   -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
                   -e
's/^[[:blank:]]*server[[:blank:]]+\([[:alnum:].]+\)[[:blank:]]*.*/\1/p' \
!                  -e 's/^[[:blank:]]*peer[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
                   $ntpconf`
+ #     timeservers=`/bin/sed \
+ #                 -n -e 's/\#.*$//;/127.*/d' \
+ #                 -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
+ #                 -e
's/^[[:blank:]]*server[[:blank:]]+\([[:alnum:].]+\)[[:blank:]]*.*/\1/p' \
+ #                 -e
's/^[[:blank:]]*peer[[:blank:]]+\([[:alnum:].]+\)[[:blank:]]*.*/\1/p' \
+ #                 $ntpconf`
  
        # check for -x
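
Review bot: the replacement delete pattern '/127.0.0.1*/d' is still unanchored and its dots are unescaped, so it deletes any line where "127", any character, "0", any character, "0", any character occur in sequence, and the trailing "1*" also matches zero 1s. It runs against the whole line rather than the address field, and it no longer filters other 127.x.x.x entries such as a 127.127.x.x reference clock, which would now get a firewall opening. Filtering the extracted address instead (dropping results that match '^127\.') avoids both problems. Separately, the new peer expression captures '\(.*\)', that is, the rest of the line, so a peer line with options passes the options along with the address; capturing only the first non-blank token is safer before the value reaches a firewall rule. The commented-out copy of the old command can be dropped, since RCS keeps the history.
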
***************
*** 110,117 ****
            tickers=`/bin/sed -e 's/\#.*$//g' $ntpstep`
          fi
        timeservers=`/bin/sed \
!                  -n -e 's/\#.*$//;/127.*/d' \
                   -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
                   $ntpconf`
  
          # Remove the firewall opening for ntp
--- 117,131 ----
            tickers=`/bin/sed -e 's/\#.*$//g' $ntpstep`
          fi
+ # Fix sed expression to allow addresses with 127 in them and peer commands
with parameters
        timeservers=`/bin/sed \
!                  -n -e 's/\#.*$//;/127.0.0.1*/d' \
                   -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
+                  -e
's/^[[:blank:]]*server[[:blank:]]+\([[:alnum:].]+\)[[:blank:]]*.*/\1/p' \
+                  -e 's/^[[:blank:]]*peer[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
                   $ntpconf`
+ #     timeservers=`/bin/sed \
+ #                 -n -e 's/\#.*$//;/127.*/d' \
+ #                 -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p' \
+ #                 $ntpconf`
  
          # Remove the firewall opening for ntp
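
Review bot: the server expression added to the stop path uses '[[:blank:]]+' and '[[:alnum:].]+', but in sed's basic regular expressions an unescaped '+' is a literal plus sign, so this line never matches an ordinary server entry and is dead code; the old peer expression in the first hunk failed for the same reason. Drop it, or rewrite it with '[[:blank:]][[:blank:]]*'. The stop path now repeats the start path's sed command line for line; moving the extraction into one shell function called from both places would guarantee that the openings removed on stop are exactly the ones created on start.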

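
The failure described in this report, reproduced as an added example (not part of the original report or of the ntpd init script). extract_original is the revision 1.1 stop-path filter as quoted in the diff, with \# written as #; extract_strict and sample_conf are hypothetical names, and the sample config is constructed from the report's fragment plus a peer line with options and two 127.x.x.x lines.

```sh
#!/bin/sh
# Constructed sample: lines from the report's ntp.conf fragment, plus a peer
# with options, a local-clock refclock entry and a loopback entry.
sample_conf() {
cat <<'EOF'
#server ntp.adelaide.edu.au
restrict 129.127.40.3 mask 255.255.255.255 nomodify notrap noquery
server 129.127.40.3
server 203.134.65.66
peer 192.168.0.60
peer 192.168.0.61 minpoll 4
server 127.127.1.0   # local clock
server 127.0.0.1
EOF
}

# Revision 1.1 behaviour: /127.*/d deletes every line that contains "127"
# anywhere, and only "server" lines are extracted.
extract_original() {
    sed -n -e 's/#.*$//;/127.*/d' \
        -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\(.*\)/\1/p'
}

# Stricter extraction (an assumption, not the shipped fix): take only the
# first token after server/peer, then drop addresses that start with "127."
# so loopback and refclock pseudo-addresses never reach the firewall rules.
extract_strict() {
    sed -n -e 's/#.*$//' \
        -e 's/^[[:blank:]]*server[[:blank:]][[:blank:]]*\([^[:blank:]][^[:blank:]]*\).*/\1/p' \
        -e 's/^[[:blank:]]*peer[[:blank:]][[:blank:]]*\([^[:blank:]][^[:blank:]]*\).*/\1/p' |
    grep -v '^127\.'
}

# Show which hosts each filter would open the firewall for.
echo "original: $(sample_conf | extract_original | tr '\n' ' ')"
echo "strict:   $(sample_conf | extract_strict | tr '\n' ' ')"
```

The original filter yields only 203.134.65.66, matching the "Actual Results" above; the stricter one yields the two servers and both peers without the peer's options.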