Bug 69192
Summary: | ntpd/ntpdate don't work behind a firewall | |
---|---|---|---
Product: | [Retired] Red Hat Linux | Reporter: | hjl
Component: | ntp | Assignee: | Harald Hoyer <harald>
Status: | CLOSED WONTFIX | QA Contact: | Brian Brock <bbrock>
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | 7.3 | CC: | aleksey, redhat
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2002-08-15 10:55:40 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |
Description
hjl
2002-07-18 19:19:09 UTC
Also, ntpd/ntpdate should use the same port selection mechanism. Currently the ntp init script calls ntpdate with the -u option and then ntpd uses port 123, which (potentially) requires two different "holes" in the firewall.

My plan is:
1. Change ntpdate not to use port 123 by default.
2. Change ntpd not to use port 123 to receive NTP data by default.

#1 should be easy. But #2 may be trickier.

How would #2 interact with broadcast/multicast?

Ok, don't do #2 if we are a broadcast/multicast client.

ntpdate has the -u option for unprivileged ports. For #2 you should work with the ntp development team...

NTPD runs quite well behind a firewall, if it is configured properly. What are you going to do about those of us running public NTP servers who only allow access to queries from source port 123? Changing a protocol that has been in existence for twenty years and works very well behind firewalls is not a good idea, in my opinion. And all because people are running a firewall, but refuse to configure it to allow ntp replies. There is no security risk in allowing ntp access via port 123.

I sent a patch to ntp. I will append it here.

Created attachment 70944
A patch to avoid privileged port

The ntp development group has rejected this patch as submitted. The ntp people don't take this as a serious problem and show little interest in it. On the other hand, I don't know much about ntp. I will upload a new patch in case other people are interested.

Created attachment 71204
Another patch
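The disagreement above is about which source port the client uses. As an added example (not from the bug report or the ntp project), here is a minimal Python NTP client in which the caller chooses the source port, so the two flows a firewall has to permit, an ephemeral port to 123 as with ntpdate -u and 123 to 123 as ntpd does, can each be tried against the firewall being configured. The server name comes from the command line; that binding port 0 yields an ephemeral port and that binding 123 needs root are Linux assumptions.

```python
import socket
import struct

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def build_ntp_request(version: int = 3) -> bytes:
    """Build the minimal 48-byte NTP client request (mode 3) that an SNTP client like ntpdate sends."""
    li_vn_mode = (0 << 6) | (version << 3) | 3  # LI=0, VN=version, mode=3 (client)
    return bytes([li_vn_mode]) + b"\x00" * 47


def parse_ntp_response(data: bytes) -> dict:
    """Pull version, mode, stratum and the transmit timestamp out of a server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum = data[0], data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp, 32.32 fixed point
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,  # 4 = server reply
        "stratum": stratum,
        "transmit_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,  # Unix seconds
    }


def query_ntp(server: str, source_port: int = 0, timeout: float = 2.0) -> dict:
    """Send one request from source_port and return the parsed reply.

    source_port=0 lets the kernel pick an ephemeral unprivileged port (what ntpdate -u does),
    so a stateful firewall only needs to allow outbound UDP to 123 plus its replies.
    source_port=123 mimics ntpd and needs root on Linux; a server that only accepts queries
    from source port 123 (the public-server policy mentioned in the thread) answers this
    flow but drops the ephemeral-port one.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", source_port))
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (server, NTP_PORT))
        data, _ = sock.recvfrom(512)
    return parse_ntp_response(data)


if __name__ == "__main__":
    import sys  # usage: python ntp_sourceport.py <server> [source_port]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    print(query_ntp(sys.argv[1], port))
```

Run it twice, once with no source port and once (as root) with 123, and compare which of the two gets a reply through the firewall rules in question.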