A few days ago I tried to use netselect to find the best ntp servers for my location. I didn't get anything back from it. When looking at the forums to see if I could find more information about this I found a thread where others are reporting the same problem.

http://forums.gentoo.org/viewtopic-t-358575-highlight-.html

I also tried a few other things and when I do a netselect -s1 -vv <server list> I do get more information. Specifically that netselect is timing out and can't find the servers. I was getting this:

ntp1.sf-bay.org 9999 ms 30 hops 0% ok

for every server. In my case <server list> only contained servers that I was able to ping.

Here is my emerge --info

Portage 2.1.1-r1 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.17-gentoo-r8 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4800+
Gentoo Base System version 1.12.5
Last Sync: Sun, 08 Oct 2006 19:30:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.2.11-r1
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ "
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac aalib ada alsa berkdb bitmap-fonts cdr cli crypt cups divx dlloader dri dvd elibc_glibc fortran gdbm gif gpm hal imagemagic input_devices_keyboard input_devices_mouse ipv6 isdnlog jpeg jpeg2k kde kernel_linux lcms libg++ ncurses nls nptl nptlonly nsplugin ogg opengl oss pam pcre perl png ppds pppd python qt readline reflection samba session smp speex spell spl ssl tcpd threads tiff truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_nvidia vorbis xinerama xorg xvid zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
For me it is working for ntp1.sf-bay.org:

netselect -vv ntp1.sf-bay.org
Running netselect to choose 1 out of 1 address.
............
ntp1.sf-bay.org 149 ms 17 hops 100% ok (10/10) [ 402]
402 ntp1.sf-bay.org

It can be a firewall problem. As explained in the README, netselect doesn't send ICMP messages but UDP packets with "random-guess" TTL values.
I checked my firewall (I have an external hardware firewall/router) and the only UDP ports I had open were for ntp (port 123). Looking in the netselect README I could not find what UDP port(s) it uses. So I opened all available UDP ports both in and out as a test and netselect still failed in exactly the same way. The strange thing is that this worked not that long ago as I had used it to select gentoo mirrors the last time I did a Gentoo install in July. But that was the last time I had used netselect until I installed ntp on a fresh Gentoo install the other day. My firewall configuration was exactly the same in July as it is today. Is there anything else I can try?
What is the output of: netselect -vvv ntp1.sf-bay.org
$ netselect -vvv ntp1.sf-bay.org
Running netselect to choose 1 out of 1 address.
ntp1.sf-bay.org - TIMEOUT
ntp1.sf-bay.org - TIMEOUT
ntp1.sf-bay.org - TIMEOUT
ntp1.sf-bay.org - TIMEOUT
ntp1.sf-bay.org - TIMEOUT
ntp1.sf-bay.org - TIMEOUT
ntp1.sf-bay.org 9999 ms 30 hops 0% ok
It looks like the UDP packets are blocked, because you get timeouts.
When I check my router/firewall logs I find something interesting. It appears that I am getting back ICMP packets from the ntp server and these are being blocked by my firewall. Here are the messages in my firewall/router log:

Oct/09/2006 13:30:05 Drop ICMP packet from WAN 192.83.249.28:3 xx.xx.xxx.xxx:3 Rule: Default deny
Oct/09/2006 13:30:01 Drop ICMP packet from WAN 192.83.249.28:3 xx.xx.xxx.xxx:3 Rule: Default deny
Oct/09/2006 13:29:58 Drop ICMP packet from WAN 192.83.249.28:3 xx.xx.xxx.xxx:3 Rule: Default deny

192.83.249.28 is ntp1.sf-bay.org and xx.xx.xxx.xxx is the address of my router (I changed this to hide my address). So it appears that my router/firewall is blocking some of the return packets. What I don't understand is if netselect is sending UDP packets why aren't the return packets also UDP? I drop all ping packets from the WAN at the firewall so this could affect ICMP packets. I turned this off and it didn't make any difference. The messages are still showing up in the firewall/router log and netselect times out. I think the :3 after the address means that this is using port 3.
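An added example, not part of the thread or of netselect's code: traceroute-style UDP probes are answered with ICMP errors rather than UDP (type 11 Time Exceeded from intermediate hops, type 3 Destination Unreachable from the target). The sketch shows the check a probing tool or a stateful firewall applies so that only ICMP errors quoting one of its own outstanding probes are accepted. The local address, the ports and the reading of ":3" in the router log as the ICMP type are assumptions.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3    # code 3 = port unreachable: the probe reached the host
ICMP_TIME_EXCEEDED = 11  # TTL ran out at an intermediate router


def build_icmp_error(icmp_type, code, reporter, probe_src, probe_dst, sport, dport):
    """Construct a sample IPv4+ICMP error quoting a UDP probe (checksums left 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, socket.IPPROTO_UDP, 0,
                        socket.inet_aton(probe_src), socket.inet_aton(probe_dst))
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + inner + udp
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                        socket.IPPROTO_ICMP, 0,
                        socket.inet_aton(reporter), socket.inet_aton(probe_src))
    return outer + icmp


def classify(packet, outstanding):
    """Return (verdict, reporter_ip) for one inbound IPv4 packet.

    outstanding: set of (dst_ip, src_port, dst_port) for UDP probes we sent.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("not-ipv4", None)
    ihl = (packet[0] & 0x0F) * 4
    reporter = socket.inet_ntoa(packet[12:16])
    if packet[9] != socket.IPPROTO_ICMP or len(packet) < ihl + 8:
        return ("not-icmp", reporter)
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return ("other-icmp", reporter)
    quoted = packet[ihl + 8:]          # original IP header + first 8 bytes of UDP
    if len(quoted) < 20:
        return ("truncated", reporter)
    q_ihl = (quoted[0] & 0x0F) * 4
    if quoted[9] != socket.IPPROTO_UDP or len(quoted) < q_ihl + 8:
        return ("unrelated", reporter)
    dst = socket.inet_ntoa(quoted[16:20])
    sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    if (dst, sport, dport) not in outstanding:
        return ("unrelated", reporter)  # error for traffic we never sent: drop
    if icmp_type == ICMP_TIME_EXCEEDED:
        return ("hop", reporter)
    return ("reached" if code == 3 else "unreachable", reporter)
```

A firewall that drops every inbound ICMP packet by default never lets the "reached" or "hop" replies through, so the prober sees only timeouts even though its outbound UDP is allowed.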
So it is clear that the problem comes from your firewall. I think this bug can be closed.
I am not sure about the source of the problem. It could be the firewall or it could be something else. But at this point I think closing this is OK. I will get a packet sniffer installed and do some more testing to see if I can get a better handle on what is happening.
As explained above, it must be a firewall problem.