ntpq: write to localhost failed: Operation not permitted with no firewall enabled

Asked by Bas van den Dikkenberg

Binary package hint: ntp

After installing ntp, when I do ntpq -p I get the error

ntpq: write to localhost failed: Operation not permitted

After searching the internet I saw it could be a firewall issue. I checked that by flushing my iptables and ip6tables, so disabling the firewall, but the problem still exists.

After that I did a complete remove of ntp and ntpdate with apt-get remove --purge ntpdate ntp and removed the ntp user and group.

Then I did a fresh install of ntp, but still the same problem.

With kind regards,

Bas van den Dikkenberg

Question information

Language: English
Status: Solved
For: Ubuntu ntp
Assignee: No assignee
Solved by: Bas van den Dikkenberg
RoyK (roysk) said (#1):

Just tested on 8.04 and 10.04, both with ufw enabled, and it works fine. Please detail your setup. Can it be ntp.conf has some new and interesting parts?

Bas van den Dikkenberg (bas-dikkenberg) said (#2):

I am running 9.10.

The ntp.conf:

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
server ntp1.bit.nl
server ntp2.bit.nl
server 172.31.1.254

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

Jamie Strandboge (jdstrand) said (#3):

Bas,

Can you look in /var/log/kern.log and see if you have any AppArmor denied errors after running your ntpq command? If so, please post them here. Thanks.

Bas van den Dikkenberg (bas-dikkenberg) said (#4):

Jamie,

No AppArmor messages.

If you wish I can grant you ssh access to the system?

Bas

Bas van den Dikkenberg (bas-dikkenberg) said (#5):

It seems to be a firewall issue anyway; sorry for the inconvenience.

These 2 lines were the bad guys in the firewall:

       $IP6TABLES -A OUTPUT -s ::0.0.0.0/104 -j DROP
       $IP6TABLES -A OUTPUT -d ::0.0.0.0/104 -j DROP
       $IP6TABLES -A OUTPUT -s ::0.0.0.0/96 -j DROP
       $IP6TABLES -A OUTPUT -d ::0.0.0.0/96 -j DROP

Sorry for the inconvenience.

Bas van den Dikkenberg (bas-dikkenberg) said (#6):

It was not a bug, but a config error in the FW script.

These rules were executed at the start:

       $IP6TABLES -A OUTPUT -s ::0.0.0.0/104 -j DROP
       $IP6TABLES -A OUTPUT -d ::0.0.0.0/104 -j DROP
       $IP6TABLES -A OUTPUT -s ::0.0.0.0/96 -j DROP
       $IP6TABLES -A OUTPUT -d ::0.0.0.0/96 -j DROP

Bas van den Dikkenberg (bas-dikkenberg) said (#7):

After fixing this issue the problem was solved.

We now also added a line at the start of our firewall so localhost traffic always works:

        # Allow unlimited access to loopback
        $IP6TABLES -A INPUT -i lo -j ACCEPT
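An added example (not from the question or from the ntp package) showing why the posted rules broke ntpq: a small first-match evaluator for the ip6tables options used in this thread (-A/-I, -s, -d, -i, -o, -j) built on Python's ipaddress module. ::1 lies inside ::0.0.0.0/104 and ::0.0.0.0/96, so the query datagram from ntpq to ntpd is dropped in the OUTPUT chain (the kernel reports a locally originated packet dropped by netfilter as EPERM, the "Operation not permitted" in the error), and a loopback ACCEPT only helps when it precedes the DROP rules in that same chain; the rule texts and the packet are constructed for the example.

```python
import ipaddress
import shlex

# Constructed input: the OUTPUT drops as posted, with $IP6TABLES expanded.
BAD_RULES = """
ip6tables -A OUTPUT -s ::0.0.0.0/104 -j DROP
ip6tables -A OUTPUT -d ::0.0.0.0/104 -j DROP
ip6tables -A OUTPUT -s ::0.0.0.0/96 -j DROP
ip6tables -A OUTPUT -d ::0.0.0.0/96 -j DROP
"""
# Loopback ACCEPT in INPUT only: cannot help a datagram leaving via OUTPUT.
INPUT_ONLY_FIX = "ip6tables -I INPUT -i lo -j ACCEPT\n" + BAD_RULES
# Loopback ACCEPT placed first in the same chain as the drops.
OUTPUT_FIX = "ip6tables -I OUTPUT -o lo -j ACCEPT\n" + BAD_RULES

KEYS = {"-s": "src", "-d": "dst", "-i": "in", "-o": "out", "-j": "target"}

def parse_rules(text):
    """Chain -> ordered rule list, from -A/-I lines (a subset of ip6tables syntax)."""
    chains = {}
    for line in text.strip().splitlines():
        argv = shlex.split(line)[1:]  # drop the ip6tables token itself
        rule = dict.fromkeys(KEYS.values())
        chain, at_front = None, False
        for opt, val in zip(argv[::2], argv[1::2]):
            if opt == "-A": chain = val
            elif opt == "-I": chain, at_front = val, True  # -I without a rulenum
            elif opt in ("-s", "-d"): rule[KEYS[opt]] = ipaddress.ip_network(val, strict=False)
            elif opt in KEYS: rule[KEYS[opt]] = val
        if at_front:
            chains.setdefault(chain, []).insert(0, rule)
        else:
            chains.setdefault(chain, []).append(rule)
    return chains

def evaluate(chains, chain, src, dst, in_if=None, out_if=None, policy="ACCEPT"):
    """First matching rule decides; no match falls through to the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chains.get(chain, []):
        if r["src"] is not None and s not in r["src"]: continue
        if r["dst"] is not None and d not in r["dst"]: continue
        if r["in"] not in (None, in_if) or r["out"] not in (None, out_if): continue
        return r["target"]
    return policy

def ntpq_verdict(rules_text):
    """Verdict for ntpq's query datagram: ::1 -> ::1, leaving on lo, OUTPUT chain."""
    return evaluate(parse_rules(rules_text), "OUTPUT", "::1", "::1", out_if="lo")

if __name__ == "__main__":
    for name, rules in (("posted", BAD_RULES), ("INPUT fix", INPUT_ONLY_FIX), ("OUTPUT fix", OUTPUT_FIX)):
        print(f"{name}: {ntpq_verdict(rules)}")
```

Running the script prints DROP for the posted rules and for the INPUT-only fix, and ACCEPT once the loopback rule sits ahead of the drops in OUTPUT.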