
NTP is sometimes blocked

I have a UTM Hot-Standby Cluster on a performant ESXi Server.

I'm getting about 2-5 NTP requests per second because I'm part of the ntp.org community.
There's a NAT rule From Any -> NTP -> External Address --> Internal Address -> NTP, so the NTP packets are being logged in the firewall log.
The NTP service is allowed from Any (IPv4/IPv6). I also added a rule for Any -> NTP -> Any, but I think this should not be necessary for external requests.

But sometimes (1-5 times a minute) I see blocked NTP packets to my internal address?! Why? Is the NTP service of the UTM not fast enough?

btw: 10.19.1.1 is my internal address

Michael


  • Hi,

    1. You do need a firewall rule for incoming requests, unless you have the 'auto firewall rule' checked on the DNAT.
    Even then, you still need a rule for outgoing requests if you are connecting to tier 1 NTP servers.

    2. Please post lines from the full firewall log, not the live log.

    3. You should also check the IPS and app control logs.

    Barry
  • Hi Barry

    Here are some raw log lines from the errors:

    2013:11:14-00:00:11 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.xx.246.153" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="3" dstport="123" 
    2013:11:14-00:00:11 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.xx.246.153" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="3" dstport="123" 

    2013:11:14-00:02:49 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.yy.147.74" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="1" dstport="123" 
    2013:11:14-00:02:49 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="46.yy.147.74" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="1" dstport="123" 

    2013:11:14-06:59:19 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="109.zz.213.234" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="115" srcport="103" dstport="123" 
    2013:11:14-06:59:19 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="109.zz.213.234" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="115" srcport="103" dstport="123" 

    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="212.vv.14.7" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="65" dstport="123"
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="212.vv.14.7" dstip="10.19.1.1" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="65" dstport="123" 


    And the lines that are ok:

    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.168.149" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="54" srcport="43690" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.136.28" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="54" srcport="55297" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.167.17" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="54" srcport="43469" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="84.yy.151.171" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="123" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.140.159" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="54" srcport="59173" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="82.xx.160.132" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="53" srcport="53387" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="124.zz.36.158" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="52" srcport="123" dstport="123" 
    2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcmac="c4:7d:4f:bd:6:40" dstmac="0:c:29:67:63:a9" srcip="212.vv.28.38" dstip="178.22.107.123" proto="17" length="76" tos="0x00" prec="0x00" ttl="55" srcport="20929" dstport="123



    EDIT: I noticed that all dropped packets were sent from a source port lower than 123. There are no blocked packets when port 123 or higher is used.

    Also, there are no "accept" log lines for good packets; I think this is because the NTP service of the UTM is used. Could it be that the NTP service itself does not accept NTP packets with a source port lower than 123?

    Michael
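A parser for the ulogd packetfilter lines posted above, added here as an example and not part of the thread: it pairs each DNAT "Packet logged" entry with a "Packet dropped" entry for the same source address and port towards 10.19.1.1 and reports the source ports per outcome, which is the check behind the EDIT. The sample lines are constructed after the posted ones (IPs masked the same way, MAC/TOS/TTL fields omitted).

```python
import re
# ulogd writes each field as key="value"; this pulls every pair out of a line.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample modelled on the lines in the thread (some fields omitted,
# IPs masked as in the post). 10.19.1.1 is the internal address from the post.
SAMPLE_LOG = """\
2013:11:14-00:02:49 fw01-1 ulogd[8624]: id="2000" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcip="46.yy.147.74" dstip="178.22.107.123" proto="17" srcport="1" dstport="123"
2013:11:14-00:02:49 fw01-1 ulogd[8624]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcip="46.yy.147.74" dstip="10.19.1.1" proto="17" srcport="1" dstport="123"
2013:11:14-06:59:19 fw01-1 ulogd[8624]: id="2000" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcip="109.zz.213.234" dstip="178.22.107.123" proto="17" srcport="103" dstport="123"
2013:11:14-06:59:19 fw01-1 ulogd[8624]: id="2001" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth5" srcip="109.zz.213.234" dstip="10.19.1.1" proto="17" srcport="103" dstport="123"
2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcip="82.xx.168.149" dstip="178.22.107.123" proto="17" srcport="43690" dstport="123"
2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcip="84.yy.151.171" dstip="178.22.107.123" proto="17" srcport="123" dstport="123"
2013:11:14-07:00:03 fw01-1 ulogd[8624]: id="2000" sub="packetfilter" name="Packet logged" action="log" fwrule="62029" initf="eth5" srcip="82.xx.136.28" dstip="178.22.107.123" proto="17" srcport="55297" dstport="123"
"""

def parse_ulogd(line):
    """Parse one ulogd line into a dict; ports, proto and rule id become ints."""
    fields = dict(KV_RE.findall(line))
    for key in ("srcport", "dstport", "proto", "fwrule"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields

def ntp_entries(log_text):
    """Only UDP (proto 17) packets to port 123; unrelated lines are ignored."""
    entries = (parse_ulogd(l) for l in log_text.splitlines() if l.strip())
    return [f for f in entries if f.get("proto") == 17 and f.get("dstport") == 123]

def split_by_outcome(log_text, internal_ip):
    """Source ports of DNAT 'log' entries, split into 'dropped' (a matching drop
    towards internal_ip exists) and 'accepted' (the UTM logs no accept line)."""
    entries = ntp_entries(log_text)
    drops = {(f["srcip"], f["srcport"]) for f in entries
             if f["action"] == "drop" and f["dstip"] == internal_ip}
    out = {"dropped": set(), "accepted": set()}
    for f in entries:
        if f["action"] == "log":
            key = "dropped" if (f["srcip"], f["srcport"]) in drops else "accepted"
            out[key].add(f["srcport"])
    return {k: sorted(v) for k, v in out.items()}

def source_port_boundary(log_text, internal_ip):
    """(highest dropped, lowest accepted) source port; the EDIT's claim holds when the first is below the second."""
    r = split_by_outcome(log_text, internal_ip)
    return max(r["dropped"], default=None), min(r["accepted"], default=None)
```

On the posted data every dropped query comes from a source port below 123 and every answered one from 123 or above; source ports such as 1, 3 or 103 are not what a normal NTP client uses (123 or an ephemeral port), which is useful context when judging whether those drops are lost legitimate queries.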
  • It's not an issue here, but see #5 in https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22065.

    Why have "Any" in 'Allowed networks' for NTP?  At most, you should have your LANs and VPN Pools in there.  Disable it and test again.  Any luck?

    Cheers - Bob
    Hi Bob, I've tried with no service in the destination; it makes no difference.
    I've allowed NTP Public because I'm in pool.ntp.org.

    I now have a solution: I made a second rule for Any --> NTP --> Internal Address. Now the connections that were blocked before are granted.

    But why is this only for connections with a source port lower than 123?
    And why are these connections not granted by rule 32?
  • Hi, if you're running a public NTP server, I'm not sure you should be using the NTP 'proxy' on the UTM.

    Is "DMZ0 address" the firewall interface address, or a server in the DMZ?

    Barry
    The DMZ0 address is the UTM itself; the DNAT is used just for logging the requests.
    Why not the UTM as an NTP server?