Red Hat Bugzilla – Bug 72398
firstboot ntp option should be greyed out if high firewall picked in install
Last modified: 2005-10-31 17:00:50 EST
GUI install of (null) personal desktop. Firewall options in installer left as high. First boot is offering me the chance to start ntp running. I don't think this will work, will it..? I think it should be greyed out if UDP traffic is being dropped, if this is possible.
I selected High during install, during firstboot I selected to use ntp and selected terrapin.csc.ncsu.edu for the server, and now it's hung (has been for 9 minutes as I write this). The firstboot is "locked" (switching to a text vt and then back, the firstboot dialog isn't redrawing). Since I have no shell to do anything else, I'm going to have to reboot, but ctl-alt-del isn't working on vt1 (is that not configured for init by default on the first boot?). Ack - power cycle time. ok, on second try, i left ntp turned off and firstboot ran fine. I could be mistaken, but isn't ip_conntrack supposed to handle associating udp as well (it has for me in the past with things like quake3, also udp based). I know it's major role is in the ESTABLISHED,RELATED state stuff, but maybe just modprobe'ing ip_conntrack (i don't see a module specific for udp) or perhaps just installing a rule to enable UDP NTP traffic from the selected server (*before* attempting the actual ntp action :) would suffice? Actually, that makes more sense - whichever server is selected should have an iptables rule added on the spot and then a "service iptables save" (or whatever route) to make that more permanent since in the case where ip_conntrack can't associate the outgoing ntp request and an incoming response (which I *think* it can do, but I could be mistaken), this rule will be needed long-term. Course, if there are config program code paths that can change the ntp server, they'll need this iptables logic as well, I'd imagine, to remove the old one(s) and add the new one(s) At least, this is all AFAICT of course
forgot to restate that since the later stage of RHN registration worked fine, there's no issue about "was networking working" - the "hung" state of the NTP attempt is 99% likely due to the High firewalling selection during the install.
The initscript for ntp4.1.1a-7 will now poke a hole in the firewall to allow NTP connections to pass through. QA, please verify.
verified ... this should be closed
Can this be re-opened? I am seeing this with Fedora Core Test 3 and Fedora Core 1. I had the default firewall enabled (with SSH opened), and then I tried to enable clock synchronization in Firstboot. Fedora core hung for 30 minutes. I had to restart my computer, and not choose that option to continue.