From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.16-3 i686)

Description of problem:
The ipchains firewall that was set up by lokkit during the RH7.1
installation on my home machine blocks NTP (udp port 123) connections from
the ntp servers specified in /etc/ntp.conf.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.Use lokkit to set up a "medium" firewall.  Verify in
/etc/sysconfig/ipchains that the rules REJECT udp connections to ports
0:1023
2. If ntpd is running, stop it for the purposes of this test
('/etc/rc.d/init.d/ntpd stop').
3. Attempt to synchronize system time to a remote NTP server using
'ntpdate' (e.g. 'ntpdate ntp-0.uchicago.edu')
	

Actual Results:  [root@tortellino sysconfig]# ntpdate ntp-0.uchicago.edu
29 Oct 11:35:46 ntpdate[19102]: no server suitable for synchronization
found


Expected Results:  [root@tortellino sysconfig]# ntpdate ntp-0.uchicago.edu
29 Oct 11:37:27 ntpdate[19249]: adjust time server 128.135.4.2 offset
0.010747 sec

Additional info:

It is easier and more immediate to do the test using 'ntpdate', but ntpd
also misbehaves, as may be seen by starting it on the command line with
'ntpd -d'.  In any event the effect is obvious.  If the firewall blocks udp
0:1023 (as lokkit-produced firewalls do by default), clearly the ntp
server's packets cannot get through to the client.

This situation is similar to the one that makes it necessary to punch the
DNS servers through the firewall in 'ifup-post'.  The fix should be
similar:  /etc/rc.d/init.d/ntpd should be edited so that the 'start' option
receives code analogous to the DNS-firewall code in 'ifup-post'.  The code
should read /etc/ntp.conf for 'server' lines and open up the firewall on
udp 123 to those servers.  The 'stop' option should reverse these firewall
changes.