Bug 69192

Summary: ntpd/ntpdate don't work behind a firewall
Product: [Retired] Red Hat Linux
Component: ntp
Version: 7.3
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: high
Priority: high
Reporter: hjl
Assignee: Harald Hoyer <harald>
QA Contact: Brian Brock <bbrock>
CC: aleksey, redhat
Doc Type: Bug Fix
Last Closed: 2002-08-15 10:55:40 UTC

Attachments (description, flags):
  70944: A patch to avoid privileged port (flags: none)
  71204: Another patch (flags: none)

Description hjl 2002-07-18 19:19:09 UTC
ntpd/ntpdate use port 123 (NTP) to receive
data. They don't work with firewalls which block
incoming data to port 123. I don't believe port
123 has to be used to receive NTP data. It is
a regression from RedHat 7.1.

Comment 1 Aleksey Nogin 2002-07-18 19:26:20 UTC
Also, ntpd/ntpdate should use the same port selection mechanism - currently ntp
init script calls ntpdate with -u option and then ntpd used port 123 which
requires (potentially) two different "holes" in the fw...

Comment 2 hjl 2002-07-18 19:30:59 UTC
My plan is

1. Change ntpdate not to use port 123 by default.
2. Change ntpd not to use port 123 to receive NTP data by default.

#1 should be easy. But #2 may be trickier.

Comment 3 Aleksey Nogin 2002-07-18 19:33:33 UTC
How would #2 interact with broadcast/multicast?

Comment 4 hjl 2002-07-18 19:38:29 UTC
Ok, don't do #2 if we are a broadcast/multicast client.

Comment 5 Harald Hoyer 2002-08-15 10:55:36 UTC
ntpdate has the -u option for unprivileged ports

Comment 6 Harald Hoyer 2002-08-15 11:02:55 UTC
for #2 you should work with the ntp development team...

Comment 7 Dean K. Gibson 2002-08-15 19:37:17 UTC
NTPD runs quite well behind a firewall, if it is configured properly.

What are you going to do about those of us running public NTP servers who only 
allow access to queries from source port 123?

Changing a protocol that has been in existence for twenty years and works very 
well behind firewalls is not a good idea, in my opinion.  And all because 
people are running a firewall, but refuse to configure it to allow ntp 
replies.  There is no security risk in allowing ntp access via port 123.

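The source-port choice the thread argues about, as an added example (not ntpdate's own code and not part of this bug report): a minimal NTPv3 client that binds either port 123 (the default that needs root and an inbound UDP/123 firewall hole) or a kernel-chosen ephemeral port (what `ntpdate -u` does, so only the reply to the port we sent from has to pass the firewall), builds the 48-byte request, and validates and decodes a server reply with the checks a careful client makes (mode 4, non-zero stratum, origin timestamp echoing our request). The server reply is constructed inline so the example runs offline; the hostname in `query_ntp()` is a placeholder assumption.

```python
"""Added example for the ntpdate source-port discussion; not project code."""
import socket
import struct
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4
# 48-byte header: LI/VN/Mode, stratum, poll, precision, root delay, root
# dispersion, reference id, then reference/origin/receive/transmit stamps.
HEADER = struct.Struct("!BBBbII4sQQQQ")


def to_ntp_ts(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * 2 ** 32) & 0xFFFFFFFF
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp_ts(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32


def source_port(unprivileged):
    """Local port to bind: 123 by default, 0 (ephemeral) as with ntpdate -u.
    Port 123 needs root and an inbound UDP/123 firewall rule; an ephemeral
    port only needs the reply to the port we sent from to be let through."""
    return 0 if unprivileged else NTP_PORT


def build_request(transmit_unix, version=3):
    """Client (mode 3) packet; only the transmit timestamp is filled in."""
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    return HEADER.pack(li_vn_mode, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, to_ntp_ts(transmit_unix))


def build_reply(origin_unix, recv_unix, xmit_unix, stratum=2):
    """Constructed server (mode 4) reply, used as sample input only."""
    li_vn_mode = (0 << 6) | (3 << 3) | MODE_SERVER
    return HEADER.pack(li_vn_mode, stratum, 6, -20, 0x100, 0x200,
                       bytes([10, 0, 0, 1]), to_ntp_ts(recv_unix - 64),
                       to_ntp_ts(origin_unix), to_ntp_ts(recv_unix),
                       to_ntp_ts(xmit_unix))


def parse_reply(data, expected_origin_unix):
    """Validate and decode a reply.  Rejects short packets, non-server mode,
    stratum 0 (kiss-o'-death) and an origin stamp that does not echo our
    request, the usual defence against blind spoofed replies."""
    if len(data) < HEADER.size:
        raise ValueError("short packet")
    (li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, ref_id,
     _ref_ts, orig_ts, recv_ts, xmit_ts) = HEADER.unpack(data[:HEADER.size])
    mode = li_vn_mode & 0x7
    if mode != MODE_SERVER:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:
        raise ValueError("kiss-o'-death: %r" % ref_id)
    if orig_ts != to_ntp_ts(expected_origin_unix):
        raise ValueError("origin timestamp mismatch; reply not for our request")
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "stratum": stratum,
        "origin_time": from_ntp_ts(orig_ts),
        "receive_time": from_ntp_ts(recv_ts),
        "transmit_time": from_ntp_ts(xmit_ts),
    }


def clock_offset(reply, t1, t4):
    """RFC 1305 offset: t1 our send, t2/t3 server receive/send, t4 our receive."""
    t2, t3 = reply["receive_time"], reply["transmit_time"]
    return ((t2 - t1) + (t3 - t4)) / 2


def query_ntp(server="ntp.example.org", unprivileged=True, timeout=2.0):
    """Live exchange (not used by the offline demo).  server is a placeholder.
    Binding port 123 raises PermissionError unless running as root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", source_port(unprivileged)))
    sock.settimeout(timeout)
    t1 = time.time()
    sock.sendto(build_request(t1), (server, NTP_PORT))
    data, _ = sock.recvfrom(512)
    t4 = time.time()
    sock.close()
    reply = parse_reply(data, t1)
    return reply, clock_offset(reply, t1, t4)


if __name__ == "__main__":
    t1 = 1_000_000_000.0
    sample = build_reply(t1, t1 + 0.25, t1 + 0.5)      # constructed reply
    r = parse_reply(sample, t1)
    print("stratum", r["stratum"], "offset", clock_offset(r, t1, t1 + 0.6))
```

With `unprivileged=True` the kernel picks the local port and a stateful firewall admits the reply as part of the outbound flow, which is the case the reporter wants; with `unprivileged=False` the reply comes back to UDP/123 and must be allowed explicitly, which is what Comment 7's public servers filter on.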

Comment 8 hjl 2002-08-15 21:21:35 UTC
I sent a patch to ntp. I will append it here.

Comment 9 hjl 2002-08-15 21:22:38 UTC
Created attachment 70944 [details]
A patch to avoid privileged port

Comment 10 Dean K. Gibson 2002-08-16 02:47:05 UTC
The ntp development group has rejected this patch as submitted.

Comment 11 hjl 2002-08-16 17:13:15 UTC
The ntp people don't take this as a serious problem and
show little interest in it. On the other hand, I don't
know much about ntp. I will upload a new patch in case
other people are interested.


Comment 12 hjl 2002-08-16 17:14:25 UTC
Created attachment 71204 [details]
Another patch