Bug 55322 - NTP connections blocked by firewall
Summary: NTP connections blocked by firewall
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ntp
Version: 7.1
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2001-10-29 17:50 UTC by Carlo Graziani
Modified: 2007-04-18 16:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2001-11-20 09:34:31 UTC
Embargoed:


Description Carlo Graziani 2001-10-29 17:50:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.2.16-3 i686)

Description of problem:
The ipchains firewall that was set up by lokkit during the RH7.1
installation on my home machine blocks NTP (udp port 123) connections from
the ntp servers specified in /etc/ntp.conf.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Use lokkit to set up a "medium" firewall.  Verify in /etc/sysconfig/ipchains
   that the rules REJECT udp connections to ports 0:1023
2. If ntpd is running, stop it for the purposes of this test
   ('/etc/rc.d/init.d/ntpd stop').
3. Attempt to synchronize system time to a remote NTP server using 'ntpdate'
   (e.g. 'ntpdate ntp-0.uchicago.edu')

Actual Results:
[root@tortellino sysconfig]# ntpdate ntp-0.uchicago.edu
29 Oct 11:35:46 ntpdate[19102]: no server suitable for synchronization found


Expected Results:
[root@tortellino sysconfig]# ntpdate ntp-0.uchicago.edu
29 Oct 11:37:27 ntpdate[19249]: adjust time server 128.135.4.2 offset 0.010747 sec

Additional info:

It is easier and more immediate to do the test using 'ntpdate', but ntpd
also misbehaves, as may be seen by starting it on the command line with
'ntpd -d'.  In any event the effect is obvious.  If the firewall blocks udp
0:1023 (as lokkit-produced firewalls do by default), clearly the ntp
server's packets cannot get through to the client.

This situation is similar to the one that makes it necessary to punch the
DNS servers through the firewall in 'ifup-post'.  The fix should be
similar:  /etc/rc.d/init.d/ntpd should be edited so that the 'start' option
receives code analogous to the DNS-firewall code in 'ifup-post'.  The code
should read /etc/ntp.conf for 'server' lines and open up the firewall on
udp 123 to those servers.  The 'stop' option should reverse these firewall
changes.
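
As an added illustration of the fix the reporter proposes (not code from this bug, the ntp package or Red Hat's init scripts), the script below reads the 'server'/'peer' lines of an ntp.conf and emits ipchains rules that admit UDP only from each configured server's port 123 to the local port 123, plus the matching deletions a 'stop' action would run. The helper names and the sample ntp.conf are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the ntpd init script.
# Hypothetical helpers: ntp_servers, ntp_firewall_rules.

# Print the remote NTP servers named by 'server'/'peer' lines in the file $1,
# ignoring comments and the local reference clock (127.127.x.x), which needs
# no firewall rule because it never sends packets over the network.
ntp_servers() {
    sed -e 's/#.*//' "$1" |
    awk '$1 == "server" || $1 == "peer" { print $2 }' |
    grep -v '^127\.127\.'
}

# Emit one ipchains command per server. $2 is -I for 'start' or -D for 'stop'.
# Matching source port 123 and destination port 123 of a named server admits
# only that server's replies, instead of opening udp/123 to every host, which
# is the least-privilege counterpart of the DNS rules in ifup-post.
ntp_firewall_rules() {
    conf=$1; op=$2
    for s in $(ntp_servers "$conf"); do
        echo "ipchains $op input -p udp -s $s 123 -d 0/0 123 -j ACCEPT"
    done
}

# Constructed sample configuration so the script runs without a real system.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# local clock as a last-resort source; must not produce a rule
server 127.127.1.0
fudge  127.127.1.0 stratum 10
server ntp-0.uchicago.edu   # the server used in the bug report
peer   192.0.2.10           # constructed address (TEST-NET-1)
restrict default nomodify
EOF

# 'start' would run the -I rules, 'stop' the -D rules; here they are printed.
ntp_firewall_rules "$SAMPLE_CONF" -I
ntp_firewall_rules "$SAMPLE_CONF" -D
```

A hostname in ntp.conf is resolved when the rule is inserted, so the ACCEPT rule stays bound to the address the server had at 'start'; if that address changes, ntpd's traffic is blocked again until the script is re-run.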

Comment 1 Harald Hoyer 2001-12-14 13:30:00 UTC
I do not want to modify the firewall s.o. set up... either one configures the firewall to allow ntp or not...
