[Dnsmasq-discuss] dnsmasq/ntp/shorewall conundrum: can't make clients query locally ...

Johannes Graumann johannes_graumann at web.de
Sat Feb 28 16:53:58 GMT 2015


Hello,

I'm running a Debian firewall that uses dnsmasq to provide DHCP to the local 
subnets, firewalls using Shorewall and has ntpd running to locally serve time 
as well.

The relevant (according to me) config options look as follows:
1) /etc/dnsmasq.conf
bogus-priv
interface=eth1
interface=eth2
domain=<MYDOMAIN>
dhcp-range=10.10.0.0,255.255.0.0,static
# One of many hosts
dhcp-host=f0:da:f3:c4:59:b7,68:d8:19:ab:b3:c9,onemachine,10.10.1.2,2h
dhcp-option=42,10.10.1.1

2) /etc/shorewall/rules
# Accept pwln network access to $FW as ntp server
NTP(ACCEPT)     pwln            $FW

3) /etc/ntp.conf
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst
restrict default nopeer nomodify notrap noquery
restrict 127.0.0.1
restrict 10.10.0.0 mask 255.255.0.0

Despite all this, my logs get flooded with things like this:
> Feb 28 18:02:52 morannon kernel: [241886.597125]
> Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0
> MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b4:08:00 SRC=10.10.1.70
> DST=194.27.44.55 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=4016 DF PROTO=UDP
> SPT=50658 DPT=123 LEN=56

I interpret this as 10.10.1.70 NOT heeding the NTP proposal (supposedly) 
served by dnsmasq and trying to get time from outside (destination port 
(DPT) 123 = NTP).

What may be going on? Anything obvious I'm screwing up?

Sincerely, Joh
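Added example, not part of the original post: a small parser for the Shorewall kernel log format shown above that reports which LAN hosts are sending NTP (UDP/123) to destinations outside the local subnet, i.e. which clients are ignoring the DHCP-advertised server. It assumes the 10.10.0.0/16 subnet from the post; the log lines are constructed (only 194.27.44.55 comes from the post, the other addresses are documentation ranges).

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in the Shorewall/netfilter log format from the post
# (hostnames, MACs and most addresses are made up for this example).
SAMPLE_LOG = """\
Feb 28 18:02:52 morannon kernel: [241886.597125] Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0 MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b4:08:00 SRC=10.10.1.70 DST=194.27.44.55 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=4016 DF PROTO=UDP SPT=50658 DPT=123 LEN=56
Feb 28 18:03:10 morannon kernel: [241904.100000] Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0 MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b4:08:00 SRC=10.10.1.70 DST=192.0.2.17 LEN=76 TOS=0x10 PREC=0x00 TTL=63 ID=4017 DF PROTO=UDP SPT=50658 DPT=123 LEN=56
Feb 28 18:03:40 morannon kernel: [241934.200000] Shorewall:pwln2fw:ACCEPT:IN=eth1 OUT= MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b5:08:00 SRC=10.10.1.71 DST=10.10.1.1 LEN=76 TOS=0x10 PREC=0x00 TTL=64 ID=12 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 28 18:04:00 morannon kernel: [241954.300000] Shorewall:pwln2net:REJECT:IN=eth1 OUT=eth0 MAC=00:00:24:d0:62:dd:00:0d:b9:1a:85:b6:08:00 SRC=10.10.1.72 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=99 DF PROTO=TCP SPT=41000 DPT=443 LEN=40
"""

# "Shorewall:<chain>:<action>:" followed by space-separated KEY=VALUE fields.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the Shorewall log fields, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, val in FIELD_RE.findall(m.group("fields")):
        # LEN appears twice (IP header, then UDP); keep the first occurrence.
        rec.setdefault(key, val)
    return rec


def external_ntp_clients(log_text, local_net):
    """Map each local SRC to the sorted external DSTs it sent UDP/123 to."""
    net = ipaddress.ip_network(local_net)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("PROTO") != "UDP" or rec.get("DPT") != "123":
            continue
        src = ipaddress.ip_address(rec["SRC"])
        dst = ipaddress.ip_address(rec["DST"])
        if src in net and dst not in net:  # local client, non-local NTP server
            hits[str(src)].add(str(dst))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in external_ntp_clients(SAMPLE_LOG, "10.10.0.0/16").items():
        print(f"{src} bypasses the local NTP server, tried: {', '.join(dsts)}")
```

Feed it the real kernel log (e.g. the output of `grep Shorewall /var/log/kern.log`) to get the list of hosts whose NTP configuration still needs attention.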