From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2.1) Gecko/20010901 Description of problem: Firewall settings of Red Hat Linux 7.2 are very restrictive. At firewall security levels "medium" and "high", port #123, which is the NTP default port, is blocked. "dateconfig" does not enable port #123 when "Enable Network Time Protocol" is selected. Version-Release number of selected component (if applicable): 0.7.4-6 How reproducible: Always Steps to Reproduce: 1. Launch "dateconfig" 2. Checkmark "Enable Network Time Protocol" and enter the name of some suitable time server. 3. Hit "Ok". Actual Results: NTP should work ... . Expected Results: It doesn't work nor does "ntpdate" allow to synchronize the system clock (the latter after stopping "ntpd" of course). Additional info: 1. NTP used to work on Roswell 2 with firewall security level "medium". 2. After enabling port #123 manually, NTP works properly.
There never was any code in dataconfig to open any ports, so are you sure that Roswell 2 allowed access to port 123 with a firewall setting of "Medium"? But yes, you are right that dateconfig doesn't modify the firewall settings. Other config tools are the same way, such as serviceconf.
"dateconfig" certainly never modified any port settings, but before the advent of Red Hat Linux 7.2, this was simply not necessary, because basic services such as incoming "ssh" or NTP worked as of Roswell 2 and earlier when firewall level "medium" was chosen. Now, one has the choice between having no firewall at all, which is certainly no good idea (!), and having to tweak individual ports when firewall levels "medium" or "high" are chosen. Under these circumstances, "dateconfig" -should- enable port #123. Otherwise, the innocent user, having checkmarked "Enable Network Time Protocol" is wondering, why NTP does not work, which is not surprising as it cannot query any remote time server! According to my observations, the firewall settings of Red Hat Linux 7.2 are much more severe than before, thus blocking essential system services. As a consequence, the Red Hat system configuration tools should take this into account when setting up services.
It may be true that the "Medium" firewall settings for 7.2 are more strict than 7.1. I can't say for sure. I do agree that it would be nice for the config tools to be able to detect if the services they are configuring are blocked by the firewall rules. However, this would require that we have a nice way to query the firewall rules, which we don't currently have. If the user has made customized firewall rules, then trying to figure out which ports are blocked and which aren't can get complicated very quickly. This type of call need to be in a library so that each config tool doesn't have to implement this separately. In other words, it requires more work than we can do at the moment. As for the default firewall rules changing, anaconda just calls 'gnome-lokkit --medium' to set the security level. If the settings have changed between 7.1 and 7.2, then the gnome-lokkit maintainer will know. Changing components to gnome-lokkit.
I have the same complaint. If you're going to have a friendly checkbox, it should work. At least, it should test the port and pop up a warning. Otherwise this friendly GUI checkbox for enabling ntp just leads the user down the wrong path, and wastes (not saves) time. I enabled the checkbox and got in the log: Apr 17 08:25:17 hardhat ntpd[2251]: ntpd 4.1.0 Wed Sep 5 06:54:30 EDT 2001 (1) Apr 17 08:25:17 hardhat ntpd: ntpd startup succeeded Apr 17 08:25:17 hardhat ntpd[2251]: precision = 18 usec Apr 17 08:25:17 hardhat ntpd[2251]: kernel time discipline status 0040 Apr 17 08:25:17 hardhat ntpd[2251]: getnetnum: "time.nist.gov" invalid host number, line ignored Apr 17 08:25:17 hardhat ntpd[2251]: Un-parsable frequency in /etc/ntp/drift Apr 17 08:25:17 hardhat ntpd[2251]: bind() fd 9, family 2, port 123, addr 224.0.1.1, in_classd=1 flags=0 fails: Address already in use Apr 17 08:25:17 hardhat ntpd[2251]: ...multicast address 224.0.1.1 using wildcard socket
This is done by the ntp script now. Should be working.