RE: NTP & reflexive access list

From: Vladimir Litovka (doka@kiev.sovam.com)
Date: Wed Feb 27 2002 - 12:46:04 EST


On Wed, 27 Feb 2002, Shi, Ning wrote:

> After a quick research, I think the problem might be the ntp config. ntp is
> working in symmetric mode in your case. So the external NTP server might
> send you the update without any request initiated by your router. This will
> be blocked by the ACL.

 It seems, that locally generated packets don't pass through ACL. I've
 tested this with DNS queries - there is same result - corresponding rules
 didn't put in the reflexive list. So, it is need to allow router's
 activity in usual lists and I've change 'IN' to:

ip access-list extended IN
 permit udp host <ntp-server> eq ntp host <localhost> eq ntp
 permit udp host <domain-server> eq domain host <localhost>
 evaluate OUT-reflect
 [ ... ]
 deny ip any any log

 and this works fine.

-- 
:r !ripewhois DOKA1-RIPE
-------------------------------------------------------------------------
Never try to teach a pig to sing. It wastes your time and annoys the pig.
                -- Lazarus Long, "Time Enough for Love"



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:34 EDT