Bug 132539 - SuSEfirewall2 cannot be used with ntpd
Summary: SuSEfirewall2 cannot be used with ntpd
Status: RESOLVED INVALID
Alias: None
Product: SUSE LINUX 10.0
Classification: openSUSE
Component: Security (show other bugs)
Version: RC 4
Hardware: Other Other
: P5 - None : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-11-07 12:43 UTC by Berthold Gunreben
Modified: 2005-11-07 15:54 UTC (History)
1 user (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Berthold Gunreben 2005-11-07 12:43:26 UTC 
when SuSEfirewall2 is running and ntpd tries to use ipv6 addresses, ntp stays in .INIT mode and does not run properly. Lots of error messages like 

 7 Nov 13:32:05 ntpd[5182]: sendto(2001:780:101:0:209:6bff:fe00:3633): Operation not permitted

appear in /var/log/ntp, and ntpq -p gives something like:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 idun.suse.de    .INIT.          16 u    - 1024    0    0.000    0.000 4000.00
 thor.suse.de    .INIT.          16 u    - 1024    0    0.000    0.000 4000.00
 hermes.suse.de  .INIT.          16 u    - 1024    0    0.000    0.000 4000.00
Comment 1 Ludwig Nussel 2005-11-07 15:54:12 UTC 
Well, ip6tables only supports state matching on sles9/9.1. If state matching is not available SuSEfirewall2 is only able to install a very limited set of rules. It will magically start to work if you have a kernel with ip6tables state matching. Until someone ports that to our kernel again (it was decided that v6 support is not important enough for the box) you may set FW_IPv6=no to prevent SuSEfirewall2 from installing any v6 rules at all.