Bug 69192 – ntpd/ntpdate don't work behind a firewall

Bug 69192 - ntpd/ntpdate don't work behind a firewall

Summary:	ntpd/ntpdate don't work behind a firewall

Status:	CLOSED WONTFIX

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	ntp (Show other bugs)
Sub Component:
Version:	7.3
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Harald Hoyer
QA Contact:	Brian Brock
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2002-07-18 15:19 EDT by hjl
Modified:	2005-10-31 17:00 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2002-08-15 06:55:40 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
A patch to avoid priviledged port (2.19 KB, patch) 2002-08-15 17:22 EDT, hjl	no flags	Details \| Diff
Another patch (3.74 KB, patch) 2002-08-16 13:14 EDT, hjl	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description hjl 2002-07-18 15:19:09 EDT

ntpd/ntpdate uses port 123 (NTP) to receive
data. It doesn't work with firewals which block
incoming data to port 123. I don't believe port
123 has to be used to recieve NTP data. It is
a regression from RedHat 7.1.

Comment 1 Aleksey Nogin 2002-07-18 15:26:20 EDT

Also, ntpd/ntpdate should use the same port selection mechanism - currently ntp
init script calls ntpdate with -u option and then ntpd used port 123 which
requires (potentially) two different "holes" in the fw...

Comment 2 hjl 2002-07-18 15:30:59 EDT

My plan is

1. Change ntpdate not to use port 123 by default.
2. Change ntpd not to use port 123 to recieve NTP data by default.

#1 should be easy. But #2 may be trickier.

Comment 3 Aleksey Nogin 2002-07-18 15:33:33 EDT

How would #2 interact with broadcast/multicast?

Comment 4 hjl 2002-07-18 15:38:29 EDT

Ok, don't do #2 if we are a broadcast/multicast client.

Comment 5 Harald Hoyer 2002-08-15 06:55:36 EDT

ntpdate has the -u option for unpriviledged ports

Comment 6 Harald Hoyer 2002-08-15 07:02:55 EDT

for #2 you should work with the ntp development team...

Comment 7 Dean K. Gibson 2002-08-15 15:37:17 EDT

NTPD runs quite well behind a firewall, if it is configured properly.

What are you going to do about those of us running public NTP servers who only 
allow access to queries from source port 123?

Changing a protocol that has been in existence for twenty years and works very 
well behind firewalls, is not a good idea, in my opinion.  And all because 
people are running a firewall, but refuse to configure it to allow ntp 
replies.  There is no security risk in allowing ntp access via port 123.

Comment 8 hjl 2002-08-15 17:21:35 EDT

I sent a patch to ntp. I will append it here.

Comment 9 hjl 2002-08-15 17:22:38 EDT

Created attachment 70944 [details]
A patch to avoid priviledged port

Comment 10 Dean K. Gibson 2002-08-15 22:47:05 EDT

The ntp development group has rejected this patch as submitted.

Comment 11 hjl 2002-08-16 13:13:15 EDT

The ntp people don't take this as a serious problem and
show little interests in it. On the other hand, I don't
know much about ntp. I will upload a new patch in case
other people are interested.

Comment 12 hjl 2002-08-16 13:14:25 EDT

Created attachment 71204 [details]
Another patch

Note You need to log in before you can comment on or make changes to this bug.