Bug 55322 - NTP connections blocked by firewall
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: ntp
Version: 7.1
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Harald Hoyer
QA Contact: Brian Brock
Reported: 2001-10-29 12:50 EST by Carlo Graziani
Modified: 2007-04-18 12:37 EDT (History)
Doc Type: Bug Fix
Last Closed: 2001-11-20 04:34:31 EST
Description Carlo Graziani 2001-10-29 12:50:56 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.16-3 i686)

Description of problem:
The ipchains firewall that was set up by lokkit during the RH7.1
installation on my home machine blocks NTP (udp port 123) connections from
the ntp servers specified in /etc/ntp.conf.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Use lokkit to set up a "medium" firewall.  Verify in
/etc/sysconfig/ipchains that the rules REJECT udp connections to ports
0:1023
2. If ntpd is running, stop it for the purposes of this test
('/etc/rc.d/init.d/ntpd stop').
3. Attempt to synchronize system time to a remote NTP server using
'ntpdate' (e.g. 'ntpdate ntp-0.uchicago.edu')

Actual Results:
[root@tortellino sysconfig]# ntpdate ntp-0.uchicago.edu
29 Oct 11:35:46 ntpdate[19102]: no server suitable for synchronization found


Expected Results:
[root@tortellino sysconfig]# ntpdate ntp-0.uchicago.edu
29 Oct 11:37:27 ntpdate[19249]: adjust time server 128.135.4.2 offset 0.010747 sec

Additional info:

It is easier and more immediate to do the test using 'ntpdate', but ntpd
also misbehaves, as may be seen by starting it on the command line with
'ntpd -d'.  In any event the effect is obvious.  If the firewall blocks udp
0:1023 (as lokkit-produced firewalls do by default), clearly the ntp
server's packets cannot get through to the client.

This situation is similar to the one that makes it necessary to punch the
DNS servers through the firewall in 'ifup-post'.  The fix should be
similar:  /etc/rc.d/init.d/ntpd should be edited so that the 'start' option
receives code analogous to the DNS-firewall code in 'ifup-post'.  The code
should read /etc/ntp.conf for 'server' lines and open up the firewall on
udp 123 to those servers.  The 'stop' option should reverse these firewall
changes.
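
The fix proposed in the description, sketched as an added example (not code from the reporter, the ntp package or ifup-post): it parses 'server' lines and prints the matching ipchains commands instead of running them. The function names, the sample configuration and the rule shape (UDP source and destination port 123 on the 'input' chain) are assumptions.

```shell
#!/bin/sh
# Added example: derive per-server NTP firewall exceptions from ntp.conf.
# Commands are printed, not executed, so this runs without root or ipchains.

# Constructed sample standing in for /etc/ntp.conf.
sample_ntp_conf() {
cat <<'EOF'
# constructed sample ntp.conf
server ntp-0.uchicago.edu
  server 128.135.4.2 prefer   # trailing comment and option are ignored
server 127.127.1.0            # local clock driver, not a network server
fudge 127.127.1.0 stratum 10
#server disabled.example.org
server bad;name.example.org
restrict default ignore
EOF
}

# Read ntp.conf text on stdin, print one network server per line.
# Skips commented-out lines, 127.x reference clocks, and any value that is
# not a plain hostname/IPv4 string, so config text never reaches a command
# line as shell metacharacters.
ntp_servers() {
    awk '$1 == "server" && $2 !~ /^127\./ &&
         $2 ~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/ { print $2 }'
}

# ntp_fw_rules start|stop < ntp.conf
# "start" prints insert (-I) rules, "stop" prints the matching delete (-D)
# rules, so stop reverses exactly what start added.
# Assumed rule shape: accept UDP from <server> port 123 to local port 123.
ntp_fw_rules() {
    case "$1" in
        start) op=-I ;;
        stop)  op=-D ;;
        *) echo "usage: ntp_fw_rules start|stop < ntp.conf" >&2; return 1 ;;
    esac
    ntp_servers | while read -r host; do
        echo "ipchains $op input -p udp -s $host 123 -d 0/0 123 -j ACCEPT"
    done
}

sample_ntp_conf | ntp_fw_rules start
sample_ntp_conf | ntp_fw_rules stop
```

The rule trusts the UDP source address, which can be spoofed, so it narrows exposure of port 123 rather than authenticating the server.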
Comment 1 Harald Hoyer 2001-12-14 08:30:00 EST
I do not want to modify the firewall someone set up... either one configures the
firewall to allow ntp or not...
