Re: Firewall on Linux-2.0.35 and xntpd

Peter Benie (pjb1008@cam.ac.uk)
Wed, 19 Aug 1998 11:47:39 +0100


Juha Virtanen writes ("Firewall on Linux-2.0.35 and xntpd"):
> Now xntpd does something weird during startup (in the child
> process) and if firewall rules are enabled it emits these
> messages to syslog:
> Aug 18 14:35:02 fw xntpd[399]: send to NTP server failed: Operation not permitted
> This message comes from .../xntpd/ntp_intres.c: function request().

xntpd's resolver code is extremely weird.

After reading the configuration file, xntpd forks. The parent is the
ntp daemon, and the child is the resolver. The child resolves the
hostnames from the ntp configuration file and uses the ntp protocol to
add time servers to the parent.

The problem you are seeing is that the ntp packet from the child can
come from any port so you must allow localhost:any -> localhost:ntp.
(I have no idea why xntpd doesn't use a pipe for its internal IPC.)
If you don't wish to allow this, use IP addresses in the ntp
configuration file.

If you do use hostnames, it is important to set up a keys file. xntpd
uses the key so that the parent can trust requests to add time servers
from the child. If you don't supply any keys, xntpd generates a key
itself. Since you are using Linux, it could use /dev/random, but
instead it uses a fundamentally broken algorithm - it feeds
gettimeofday() into srand() and does 8 rounds of rand()%255.

Peter
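The key-generation weakness Peter describes, as an added illustration (this is not xntpd's own code; it assumes the clock value is folded into a single unsigned seed): because the key is a pure function of the seed, its effective key space is the number of plausible clock values, not 2^64.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define KEY_LEN 8

/* The generator described above: seed libc rand() with the clock, then take
 * KEY_LEN rounds of rand() % 255 (so byte value 255 can never occur). Bytes are
 * returned packed big-endian. Assumption: gettimeofday() folded into one seed. */
uint64_t weak_key(unsigned int seed)
{
    uint64_t key = 0;
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key = (key << 8) | (uint64_t)(rand() % 255);
    return key;
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Number of distinct keys reachable from `window` consecutive seed values.
 * Because the seed is the only input, the effective key space is bounded by
 * the number of plausible seeds, not by 2^64. Returns 0 when window == 0. */
size_t distinct_keys(unsigned int first_seed, unsigned int window)
{
    if (window == 0) return 0;
    uint64_t *keys = malloc(sizeof(*keys) * window);
    if (!keys) return 0;
    for (unsigned int i = 0; i < window; i++)
        keys[i] = weak_key(first_seed + i);
    qsort(keys, window, sizeof(*keys), cmp_u64);
    size_t n = 1;
    for (unsigned int i = 1; i < window; i++)
        if (keys[i] != keys[i - 1]) n++;
    free(keys);
    return n;
}

int main(void)
{
    /* One hour of one-second seeds gives at most 3600 possible keys. */
    printf("3600 seeds -> %zu distinct keys; an 8-byte /dev/random key has 2^64\n",
           distinct_keys(900000000u, 3600));
    return 0;
}
```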
