Package: ntp
Version: 1:4.2.4p4+dfsg-2
Severity: important

I just ran into the following situation: I started NTP before OpenVPN and it set up a peer from the machine's public IP 1.2.3.4 to the NTP server's IP, 9.8.7.6. I then started OpenVPN, which added a route for 9.0.0.0/8 via the VPN server, using 10.9.8.0/24 as the VPN network/mask. Now I started seeing the following in the VPN server's logs:

  ovpn-foobar[12466]: foobar.madduck.net/1.2.3.4:36393 MULTI: bad source address from client [1.2.3.4], packet dropped

for every packet ntpd sends.

The reason is simply that ntpd somehow hardcodes 1.2.3.4 as the source address for packets, which it then hands to the kernel for routing. In this case, the route changed, and a new source address would have to be used (10.9.8.123), but ntpd stubbornly continues to stamp outgoing packets with the source address that was used at the time the process started.

It really should leave this up to the kernel.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ntp depends on:
ii  adduser       3.105      add and remove users and groups
ii  libc6         2.7-4      GNU C Library: Shared libraries
ii  libcap1       1:1.10-14  support for getting/setting POSIX.
ii  libreadline5  5.2-3      GNU readline and history libraries
ii  libssl0.9.8   0.9.8g-3   SSL shared libraries
ii  lsb-base      3.1-24     Linux Standard Base 3.1 init scrip
ii  netbase       4.30       Basic TCP/IP networking system

Versions of packages ntp recommends:
ii  perl          5.8.8-12   Larry Wall's Practical Extraction

-- no debconf information

-- 
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
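The difference between a UDP socket bound to one local address and one whose source is left to the kernel, as an added example that is not part of the original report and not ntpd's code. It assumes Linux, where every address in 127.0.0.0/8 is local, so 127.0.0.2 can stand in for the address pinned at start-up; the function names are hypothetical.

```python
import socket

NTP_PORT = 123  # destination port only; connect() on UDP sends no packet


def kernel_source(dest, bind_to=None):
    """Return the source IP that UDP packets to `dest` would carry.

    bind_to=None binds to the wildcard address, so the kernel picks the
    source from the current routing table. A specific bind_to pins the
    source no matter which route the packet takes.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((bind_to or "0.0.0.0", 0))
        s.connect((dest, NTP_PORT))  # route lookup only, nothing is sent
        return s.getsockname()[0]
    finally:
        s.close()


def source_is_stale(bound_addr, dest):
    """True if an address pinned at daemon start-up no longer matches
    what the kernel would choose for `dest` right now."""
    return kernel_source(dest, bind_to=bound_addr) != kernel_source(dest)


if __name__ == "__main__":
    # Constructed stand-ins: 127.0.0.2 plays the address pinned at start-up
    # (1.2.3.4 in the report), 127.0.0.1 plays the NTP server (9.8.7.6).
    pinned, server = "127.0.0.2", "127.0.0.1"
    print("pinned socket sends from  :", kernel_source(server, bind_to=pinned))
    print("wildcard socket sends from:", kernel_source(server))
    print("pinned source is stale    :", source_is_stale(pinned, server))
```

On the reporting machine, `source_is_stale("1.2.3.4", "9.8.7.6")` run after the VPN route is added would be the equivalent check.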