Bug 68039 – firewall makes ntp setup useless

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 68039 - firewall makes ntp setup useless

Summary:	firewall makes ntp setup useless

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Red Hat Public Beta
Classification:	Retired
Component:	redhat-config-date (Show other bugs)
Sub Component:
Version:	limbo
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Brent Fox
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2002-07-05 13:47 EDT by Markku Kolkka
Modified:	2008-05-01 11:38 EDT (History)
CC List:	0 users

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2002-08-29 01:22:06 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Markku Kolkka 2002-07-05 13:47:56 EDT

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020625

Description of problem:
Firstboot gives the user a possibility to configure the ntp service, but the
standard firewall blocks ntp in Medium or High levels if the user doesn't know
to customize it to allow udp:ntp.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.Install system
2.At first boot when the configuration utility runs, set firewall to Medium or
High, and and choose a ntp server. 
3.
	

Actual Results:  ntp can't connect to the time server

Expected Results:  configuration utility should open firewall for the selected
ntp server or connection tracking should be used so ntp would work.

Additional info:

Comment 1 Brent Fox 2002-07-11 12:45:18 EDT

This screen is actually dateconfig.  The UI is just pulled into the firstboot
window.

Comment 2 Brent Fox 2002-07-11 13:37:40 EDT

Here's the problem.  We don't have a real firewall API at the moment, so it's
hard to tell exactly what the firewall is set to, and I'm reluctant to have
dateconfig poke a hole in the firewall without telling the user what is happening.

I've made some recent changes to dateconfig that check to see if we can ping the
ntp server before starting ntpd.  If the server cannot be contacted, then a
dialog appears telling the user the either the specified server isn't available
or the firewall is blocking ntp connections.

This isn't a perfect situation, but it is at least an improvement.

Comment 3 Tammy Fox 2002-07-11 23:57:04 EDT

I added a warning in the docs telling how to use redhat-config-securitylevel to
allow connections through the NTP port.

Comment 4 Brent Fox 2002-08-01 16:26:37 EDT

QA, please verify that redhat-config-date-1.4-7 informs the user if the server
cannot be contacted.  As I said earlier, I don't think that it's the correct
thing for redhat-config-date to modify the user's firewall settings, so I'm not
going to implement that at this point.

Comment 5 Jay Turner 2002-08-05 13:21:50 EDT

With redhat-config-date-1.4-7, I'm getting a failure to sync with the timeserver
in the case detailed above.  I'm not getting any type of message that the config
tool is unable to contact the timeserver.

Comment 6 Brent Fox 2002-08-06 23:25:29 EDT

Can you demonstrate this behavior for me?

Comment 7 Brent Fox 2002-08-11 09:54:27 EDT

ping?

Comment 8 Jay Turner 2002-08-12 15:37:38 EDT

OK, what I'm seeing is that if you provide a valid host (time.nist.gov for
example) but your firewall rules are preventing traffic on port 123 (ntpd) then
the sync is failing, but the user is never notified that the sync failed.

Comment 9 Brent Fox 2002-08-26 12:16:18 EDT

Should be fixed in 1.5.2-5.  Please verify.

Comment 10 Jay Turner 2002-08-27 23:52:41 EDT

Here's what I'm seeing with redhat-config-date-1.5.2-5.  When running firstboot
with the 'high'security level and entering an invalid host, I'm getting a
message informing me of that.  If, when running firstboot, I enter a valid host,
but am unable to connect to it as a result of the iptables rules, I am not
getting a message informing me of that.  The sync just fails.  

Now, if I run redhat-config-date stand-alone, then I don't get a message either
way.  So, still looks like some things need to be cleared up.

Comment 11 Brent Fox 2002-08-29 01:21:59 EDT

I think you need to update your ntp.  The latest ntp package should use the
initscript to poke a hole in the firewall, so the firewall settings should never
be able to keep the ntp sync from succeeding.

Comment 12 Jay Turner 2002-08-30 08:57:25 EDT

Fix confirmed with ntp-4.1.1a-7.

Note You need to log in before you can comment on or make changes to this bug.