Red Hat Bugzilla – Bug 69192
ntpd/ntpdate don't work behind a firewall
Last modified: 2005-10-31 17:00:50 EST
ntpd/ntpdate uses port 123 (NTP) to receive
data. It doesn't work with firewalls which block
incoming data to port 123. I don't believe port
123 has to be used to receive NTP data. It is
a regression from RedHat 7.1.
Also, ntpd/ntpdate should use the same port selection mechanism - currently ntp
init script calls ntpdate with -u option and then ntpd used port 123 which
requires (potentially) two different "holes" in the fw...
My plan is
1. Change ntpdate not to use port 123 by default.
2. Change ntpd not to use port 123 to receive NTP data by default.
#1 should be easy. But #2 may be trickier.
How would #2 interact with broadcast/multicast?
Ok, don't do #2 if we are a broadcast/multicast client.
ntpdate has the -u option for unprivileged ports
for #2 you should work with the ntp development team...
NTPD runs quite well behind a firewall, if it is configured properly.
What are you going to do about those of us running public NTP servers who only
allow access to queries from source port 123?
Changing a protocol that has been in existence for twenty years and works very
well behind firewalls, is not a good idea, in my opinion. And all because
people are running a firewall, but refuse to configure it to allow ntp
replies. There is no security risk in allowing ntp access via port 123.
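To make the port question in this thread concrete, here is an added example (not code from the bug, from ntp, or from Red Hat) of a minimal NTP client in Python. It builds the 48-byte client request, parses a server reply, and shows the one difference that matters to a firewall: whether the socket is bound to UDP/123 (what ntpd and plain ntpdate do, root required) or to an ephemeral port (what ntpdate -u does). A stateful firewall passes the reply either way because it matches the outbound datagram's address/port pair; a stateless filter has to open inbound UDP to whichever source port the client used. The server reply used for the offline check is constructed here, and the helper names are my own.

```python
import socket
import struct

NTP_PORT = 123
# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800


def build_client_request():
    """48-byte NTP request: LI=0, VN=3, Mode=3 (client), all other fields zero."""
    first_byte = (0 << 6) | (3 << 3) | 3          # 0x1b
    return struct.pack('!B', first_byte) + b'\x00' * 47


def parse_response(data):
    """Decode the header fields and the transmit timestamp of a server reply."""
    if len(data) < 48:
        raise ValueError('short NTP packet: %d bytes' % len(data))
    first = data[0]
    tx_sec, tx_frac = struct.unpack('!II', data[40:48])
    return {
        'li': first >> 6,
        'version': (first >> 3) & 0x7,
        'mode': first & 0x7,                       # 4 = server
        'stratum': data[1],
        'transmit_time': tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2 ** 32,
    }


def make_socket(privileged):
    """Bind to UDP/123 (needs root) or to an ephemeral port (ntpdate -u style).

    The bound port is the one the firewall must let replies back in to.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(('', NTP_PORT if privileged else 0))
    return s


def source_port(privileged):
    """Return the local port a client socket ends up on, then close it."""
    s = make_socket(privileged)
    try:
        return s.getsockname()[1]
    finally:
        s.close()


def query(server, privileged=False, timeout=2.0):
    """Send one client request and return the parsed reply (needs network)."""
    s = make_socket(privileged)
    s.settimeout(timeout)
    try:
        s.sendto(build_client_request(), (server, NTP_PORT))
        data, _ = s.recvfrom(512)
    finally:
        s.close()
    return parse_response(data)


def constructed_server_reply(unix_seconds):
    """Fake stratum-2, VN=3, mode-4 reply for offline testing (constructed data)."""
    first_byte = (0 << 6) | (3 << 3) | 4
    ntp_sec = int(unix_seconds) + NTP_EPOCH_OFFSET
    return (struct.pack('!BBbb', first_byte, 2, 6, -20)   # LI/VN/Mode, stratum, poll, precision
            + b'\x00' * 12                                # root delay, root dispersion, ref id
            + b'\x00' * 24                                # reference, originate, receive timestamps
            + struct.pack('!II', ntp_sec, 0))             # transmit timestamp


if __name__ == '__main__':
    print('ephemeral source port:', source_port(privileged=False))
    reply = parse_response(constructed_server_reply(1000000000))
    print('parsed constructed reply:', reply)
    # query('pool.ntp.org') would do the real exchange; with privileged=True it
    # needs root and inbound UDP/123 open on a stateless firewall.
```

With `privileged=False` the kernel picks a high port, so a stateless packet filter would have to permit inbound UDP to the whole ephemeral range, whereas `privileged=True` needs only a single hole at 123 but requires root and collides with a local ntpd; a stateful firewall needs neither, which is the point made in the comment above.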
I sent a patch to ntp. I will append it here.
Created attachment 70944 [details]
A patch to avoid privileged port
The ntp development group has rejected this patch as submitted.
The ntp people don't take this as a serious problem and
show little interest in it. On the other hand, I don't
know much about ntp. I will upload a new patch in case
other people are interested.
Created attachment 71204 [details]