Bug 55322 - NTP connections blocked by firewall
Summary: NTP connections blocked by firewall
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ntp   
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Brian Brock
Reported: 2001-10-29 17:50 UTC by Carlo Graziani
Modified: 2007-04-18 16:37 UTC (History)

Doc Type: Bug Fix
Last Closed: 2001-11-20 09:34:31 UTC


Description Carlo Graziani 2001-10-29 17:50:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.16-3 i686)

Description of problem:
The ipchains firewall that was set up by lokkit during the RH7.1
installation on my home machine blocks NTP (udp port 123) connections from
the ntp servers specified in /etc/ntp.conf.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Use lokkit to set up a "medium" firewall.  Verify in
/etc/sysconfig/ipchains that the rules REJECT udp connections to ports
2. If ntpd is running, stop it for the purposes of this test
('/etc/rc.d/init.d/ntpd stop').
3. Attempt to synchronize system time to a remote NTP server using
'ntpdate' (e.g. 'ntpdate ntp-0.uchicago.edu')

Actual Results:  [root@tortellino sysconfig]# ntpdate ntp-0.uchicago.edu
29 Oct 11:35:46 ntpdate[19102]: no server suitable for synchronization

Expected Results:  [root@tortellino sysconfig]# ntpdate ntp-0.uchicago.edu
29 Oct 11:37:27 ntpdate[19249]: adjust time server offset
0.010747 sec

Additional info:

It is easier and more immediate to do the test using 'ntpdate', but ntpd
also misbehaves, as may be seen by starting it on the command line with
'ntpd -d'.  In any event the effect is obvious.  If the firewall blocks udp
0:1023 (as lokkit-produced firewalls do by default), clearly the ntp
server's packets cannot get through to the client.

This situation is similar to the one that makes it necessary to punch the
DNS servers through the firewall in 'ifup-post'.  The fix should be
similar:  /etc/rc.d/init.d/ntpd should be edited so that the 'start' option
receives code analogous to the DNS-firewall code in 'ifup-post'.  The code
should read /etc/ntp.conf for 'server' lines and open up the firewall on
udp 123 to those servers.  The 'stop' option should reverse these firewall
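
Added example, not part of the original report or of Red Hat's init scripts: a sketch of the proposal above that reads 'server' lines from ntp.conf text and prints one ipchains command per server, limited to udp port 123. The function names and the sample configuration are assumptions made for illustration; the commands are only printed, never executed.

```shell
#!/bin/sh
# Derive per-server ipchains rules from ntp.conf 'server' lines.
# Prints the commands only; nothing is applied to the running firewall.

# Constructed sample standing in for /etc/ntp.conf.
sample_conf() {
cat <<'EOF'
# constructed sample ntp.conf
server ntp-0.uchicago.edu
  server 192.0.2.10 prefer   # trailing options are ignored
server 127.127.1.0           # local clock driver, not a network peer
fudge 127.127.1.0 stratum 10
server bad;name.example
#server commented.example
EOF
}

# Read ntp.conf text on stdin, print one usable server per line.
ntp_servers() {
    while read -r keyword host _rest; do
        [ "$keyword" = "server" ] || continue
        case "$host" in
            # Skip empty fields, refclock pseudo-addresses, option-like
            # tokens, and anything that is not a plain hostname or address.
            ''|127.127.*|-*|*[!A-Za-z0-9.-]*) continue ;;
        esac
        echo "$host"
    done
}

# Print ipchains commands for "start" (insert rule) or "stop" (delete rule).
# Source and destination are both pinned to udp 123 and to the configured
# servers, so the rest of udp 0:1023 stays rejected.
ntp_fw_rules() {
    case "$1" in
        start) op=-I ;;
        stop)  op=-D ;;
        *) echo "usage: ntp_fw_rules start|stop < ntp.conf" >&2; return 2 ;;
    esac
    ntp_servers | while read -r srv; do
        echo "ipchains $op input -p udp -s $srv 123 -d 0/0 123 -j ACCEPT"
    done
}

sample_conf | ntp_fw_rules start
```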

Comment 1 Harald Hoyer 2001-12-14 13:30:00 UTC
I do not want to modify the firewall s.o. set up... either one configures the 
firewall to allow ntp or not...
