• Home
• Blog
• About
• Gallery
• Map
• Resume

VMware ESX 3.5 ntpdate strangeness

We just noticed that the time was very far off on our sparkly new VMware EXS 3.5 server. When I went to run ntpdate to bring it up to sync, I was suprised to find that it could not make a connection to the time server because outbound UDP 123 traffic was blocked by the internal firewall.

Here is what I got:
/usr/sbin/ntpdate -u time.nist.gov
9 Apr 03:47:53 ntpdate[20245]: sendto(192.43.244.18): Operation not permitted
9 Apr 03:47:54 ntpdate[20245]: sendto(192.43.244.18): Operation not permitted
9 Apr 03:47:55 ntpdate[20245]: sendto(192.43.244.18): Operation not permitted
9 Apr 03:47:56 ntpdate[20245]: sendto(192.43.244.18): Operation not permitted
9 Apr 03:47:57 ntpdate[20245]: no server suitable for synchronization found

Normally I would just add a rule to the “/etc/sysconfig/iptables” file to allow traffic out on this port, but Vmware ESX server does not use iptables… It uses its own firewall, so I had to figure out how to change it. Happily, it turns out that there is a handy “esxcfg-firewall” command built just for such things.

Running this:
/usr/sbin/esxcfg-firewall -q | grep 123

12300 1803K valid-tcp-flags  tcp  --  *   *     0.0.0.0/0        0.0.0.0/0

Confirmed that UDP port 123 outbound was disallowed.

Running this opened it up:
/usr/sbin/esxcfg-firewall -e ntpClient

Grep out “123″ again just to be sure:
/usr/sbin/esxcfg-firewall -q | grep 123

1  76 ACCEPT  udp  --  *    *    0.0.0.0/0      0.0.0.0/0     udp dpt:123

And you can now run ntpdate to sync up the time:
/usr/sbin/ntpdate -u time.nist.gov
9 Apr 09:52:54 ntpdate[20319]: step time server 192.43.244.18 offset 21689.039217 sec

When Mac OSX SMB Connections Fail

Earlier today I had a problem with some Macs that could not establish SMB connections to our Windows File Server. There was no quick error, so the problem really “felt” like a firewall issue but strangely I was able to make a CLI connection to the file server using smbclient:
smbclient //server/share -U domain/username
Password:*******
Domain=[DOMAIN] OS=[Windows Server x] Server=[Windows Server x]
smb: \> exit


I started thinking that perhaps the Mac was doing NETBIOS name lookups and that nmbd might be knocking on the firewall. Turns out this was the problem. Opening up the following ports on the Windows File Server did the trick:

SMB uses ports:
UDP 137 (NETBIOS Name Service)
UDP 138 (NETBIOS Datagram Service)
TCP/UDP 139 (NETBIOS Session Service)

WARNING: Only open these ports to your trusted networks. Statistical data indicates that UDP ports 135 - 139 and TCP port 137 - 139 are amongst the most commonly scanned ports on remote computers.

Popular Posts

• Bash For loop Example (740)
• Fish Supposedly Washed Up By Asian Tsunami (577)
• Little Japanese Trucks (342)
• Spencer Tunick Photographs More Than 18000 Nudes In Mexico City (282)
• Why Did my Arm Fall Asleep? (277)
• How to copy a Solaris boot drive to a disk with a different partition layout (245)
• RHEL Winbind Authentication Against Active Directory (205)
• Solaris Disk Partition Layout & Mirroring Scripts (193)
• Foreach Example in tcsh (179)
• X11 Forwarding Broken on Solaris (176)
• Recovering From a Stuck Symantec Ghost Virtual Boot Partition (174)
• VMware ESX 3.5 ntpdate strangeness (161)
• Example LINUX init Script (154)
• When Mac OSX SMB Connections Fail (131)
• MIT Guide to Lock Picking - Table Of Contents (129)

Tags

advanced lock picking Adventures basic picking blog bounce pick corruption diving flatland funny government guide hacking howard dean howto humor Iraq key keys linux lock lock pick lock pick guide locks master keys mit pick picking torque pick pressure pin column model pins plug rebreather republican rhel scuba scuba diving series solaris storage sun technology tumblers unix video zen

Sponsored Links:

Copyright © 2004-2008 spiralbound.net · Log in