From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.16-3 i686)

Description of problem:
The ipchains firewall that was set up by lokkit during the RH7.1 installation on my home machine blocks NTP (udp port 123) connections from the ntp servers specified in /etc/ntp.conf.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Use lokkit to set up a "medium" firewall. Verify in /etc/sysconfig/ipchains that the rules REJECT udp connections to ports 0:1023.
2. If ntpd is running, stop it for the purposes of this test ('/etc/rc.d/init.d/ntpd stop').
3. Attempt to synchronize system time to a remote NTP server using 'ntpdate' (e.g. 'ntpdate ntp-0.uchicago.edu').

Actual Results:
[root@tortellino sysconfig]# ntpdate ntp-0.uchicago.edu
29 Oct 11:35:46 ntpdate[19102]: no server suitable for synchronization found

Expected Results:
[root@tortellino sysconfig]# ntpdate ntp-0.uchicago.edu
29 Oct 11:37:27 ntpdate[19249]: adjust time server 128.135.4.2 offset 0.010747 sec

Additional info:
It is easier and more immediate to do the test using 'ntpdate', but ntpd also misbehaves, as may be seen by starting it on the command line with 'ntpd -d'. In any event the effect is obvious. If the firewall blocks udp 0:1023 (as lokkit-produced firewalls do by default), clearly the ntp server's packets cannot get through to the client. This situation is similar to the one that makes it necessary to punch the DNS servers through the firewall in 'ifup-post'. The fix should be similar: /etc/rc.d/init.d/ntpd should be edited so that the 'start' option receives code analogous to the DNS-firewall code in 'ifup-post'. The code should read /etc/ntp.conf for 'server' lines and open up the firewall on udp 123 to those servers. The 'stop' option should reverse these firewall changes.
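The following is an added illustration of the fix the reporter proposes (read the 'server' lines of /etc/ntp.conf and open udp 123 only to those hosts, reversing the rules on 'stop'); it is not code from the bug report, from ifup-post, or from the Red Hat ntpd init script. The ipchains rule syntax follows the ipchains manual ('-s address port', '-d address port'); the sample ntp.conf is constructed, and the 127.127.x.x reference-clock exclusion is an assumption about what should not get a firewall hole. Rules are only generated by default so the script can be inspected before it touches a live firewall.

```shell
#!/bin/sh
# Added example: derive per-server ipchains ACCEPT rules from ntp.conf.
# Not from the bug report or any Red Hat script; rule syntax from ipchains(8).

# Print the host/IP of every 'server' directive in the given config file.
# Comment lines are skipped because $1 is then "#..." rather than "server";
# 127.127.x.x entries are local reference clocks (assumption) and need no rule.
ntp_servers() {
    awk '$1 == "server" && $2 !~ /^127\.127\./ { print $2 }' "$1"
}

# Emit one ipchains command per server.
#   $1 = path to ntp.conf
#   $2 = "-I" to open the firewall (start) or "-D" to remove the rules (stop)
# Source port 123 matches replies from a real NTP server; ntpdate -u, which
# sends from an unprivileged port, still gets its replies to port 123 here.
ntp_firewall_rules() {
    conf="$1"; action="$2"
    ntp_servers "$conf" | while read -r host; do
        echo "ipchains $action input -p udp -s $host 123 -d 0/0 123 -j ACCEPT"
    done
}

# Count how many rules a config would produce (grep -c gives a clean integer).
ntp_rule_count() {
    ntp_firewall_rules "$1" "$2" | grep -c .
}

# Apply the rules for real only when ipchains exists and APPLY=1 is set;
# otherwise print them (dry run), which is what the bottom of this file does.
ntp_firewall_apply() {
    if [ "${APPLY:-0}" = "1" ] && command -v ipchains >/dev/null 2>&1; then
        ntp_firewall_rules "$1" "$2" | sh
    else
        ntp_firewall_rules "$1" "$2"
    fi
}

# Constructed sample configuration (not a real host's /etc/ntp.conf).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed ntp.conf for the example
server 127.127.1.0          # local clock, no network access needed
fudge  127.127.1.0 stratum 10
server ntp-0.uchicago.edu
server 192.0.2.10 prefer
driftfile /etc/ntp/drift
EOF

# Dry run: show the 'start' rules, then the matching 'stop' rules.
ntp_firewall_apply "$SAMPLE_CONF" -I
ntp_firewall_apply "$SAMPLE_CONF" -D
```

In an init script the 'start' branch would call ntp_firewall_apply with -I and the 'stop' branch with -D, pointing at the real /etc/ntp.conf; generating the commands first and reviewing them is the check worth keeping, since a typo in the source address silently widens the hole.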
I do not want to modify the firewall s.o. set up... either one configures the firewall to allow ntp or not...