Bug 69192 - ntpd/ntpdate don't work behind a firewall
Product: Red Hat Linux
Classification: Retired
Component: ntp
All Linux
Priority: high
Severity: high
Assigned To: Harald Hoyer
Brian Brock
Reported: 2002-07-18 15:19 EDT by hjl
Modified: 2005-10-31 17:00 EST
Doc Type: Bug Fix
Last Closed: 2002-08-15 06:55:40 EDT

Attachments:
A patch to avoid privileged port (2.19 KB, patch)
2002-08-15 17:22 EDT, hjl
Another patch (3.74 KB, patch)
2002-08-16 13:14 EDT, hjl
Description hjl 2002-07-18 15:19:09 EDT
ntpd/ntpdate uses port 123 (NTP) to receive
data. It doesn't work with firewalls which block
incoming data to port 123. I don't believe port
123 has to be used to receive NTP data. It is
a regression from Red Hat 7.1.
Comment 1 Aleksey Nogin 2002-07-18 15:26:20 EDT
Also, ntpd/ntpdate should use the same port selection mechanism - currently ntp
init script calls ntpdate with -u option and then ntpd used port 123 which
requires (potentially) two different "holes" in the fw...
Comment 2 hjl 2002-07-18 15:30:59 EDT
My plan is

1. Change ntpdate not to use port 123 by default.
2. Change ntpd not to use port 123 to receive NTP data by default.

#1 should be easy. But #2 may be trickier.
Comment 3 Aleksey Nogin 2002-07-18 15:33:33 EDT
How would #2 interact with broadcast/multicast?
Comment 4 hjl 2002-07-18 15:38:29 EDT
Ok, don't do #2 if we are a broadcast/multicast client.
Comment 5 Harald Hoyer 2002-08-15 06:55:36 EDT
ntpdate has the -u option for unprivileged ports
Comment 6 Harald Hoyer 2002-08-15 07:02:55 EDT
for #2 you should work with the ntp development team...
Comment 7 Dean K. Gibson 2002-08-15 15:37:17 EDT
NTPD runs quite well behind a firewall, if it is configured properly.

What are you going to do about those of us running public NTP servers who only 
allow access to queries from source port 123?

Changing a protocol that has been in existence for twenty years and works very 
well behind firewalls is not a good idea, in my opinion.  And all because 
people are running a firewall, but refuse to configure it to allow ntp 
replies.  There is no security risk in allowing ntp access via port 123.
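The source-port choice that Comments 5 and 7 argue about, shown as an added example (this is not code from the ntp distribution nor from the patches attached to this bug): a minimal NTP client in Python that either binds its local socket to UDP 123, as ntpd and ntpdate without -u do, or lets the kernel pick an ephemeral port, as `ntpdate -u` does. The reply packet built by make_sample_reply() is constructed here for offline testing, not a capture, and the server name is whatever the reader passes on the command line.

```python
import socket
import struct
import sys

NTP_PORT = 123
NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
# 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, then eleven 32-bit words
# (root delay, root dispersion, reference id, and four 64-bit timestamps).
PACKET_FORMAT = "!BBBb11I"


def build_request(version=3):
    """Client (mode 3) request with only the first byte set, as ntpdate sends it."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return struct.pack(PACKET_FORMAT, li_vn_mode, 0, 0, 0, *([0] * 11))


def parse_reply(data):
    """Return (version, mode, stratum, transmit_time_unix) from a server (mode 4) reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    fields = struct.unpack(PACKET_FORMAT, data[:48])
    version = (fields[0] >> 3) & 0x7
    mode = fields[0] & 0x7
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    stratum = fields[1]
    tx_sec, tx_frac = fields[13], fields[14]  # transmit timestamp is the last 64 bits
    return version, mode, stratum, tx_sec - NTP_UNIX_OFFSET + tx_frac / 2 ** 32


def query(server, privileged_source=False, timeout=2.0):
    """Send one request to `server` and return the parsed reply.

    privileged_source=True binds the local end to UDP 123 (what ntpd, and
    ntpdate without -u, do; needs root or CAP_NET_BIND_SERVICE).  False lets
    the kernel choose an ephemeral port, which is what `ntpdate -u` does.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if privileged_source:
            sock.bind(("", NTP_PORT))
        sock.settimeout(timeout)
        sock.sendto(build_request(), (server, NTP_PORT))
        data, _peer = sock.recvfrom(512)
        return parse_reply(data)
    finally:
        sock.close()


def make_sample_reply():
    """Constructed reply for offline testing (not a capture): v3, mode 4,
    stratum 2, transmit timestamp = Unix 1000000000.5."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4
    words = [0] * 9 + [1_000_000_000 + NTP_UNIX_OFFSET, 0x80000000]
    return struct.pack(PACKET_FORMAT, li_vn_mode, 2, 6, -20, *words)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s <ntp-server> [--privileged]" % sys.argv[0])
    use_123 = "--privileged" in sys.argv[2:]
    print(query(sys.argv[1], privileged_source=use_123))
```

With `--privileged` the request leaves from local port 123, so a stateless firewall that drops inbound UDP to port 123 drops the reply (the original report); without it the request leaves from an ephemeral port, so a public server that, as Comment 7 describes, only accepts queries from source port 123 never answers. A stateful firewall that tracks the outbound UDP request passes the reply in either case.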
Comment 8 hjl 2002-08-15 17:21:35 EDT
I sent a patch to ntp. I will append it here.
Comment 9 hjl 2002-08-15 17:22:38 EDT
Created attachment 70944 [details]
A patch to avoid privileged port
Comment 10 Dean K. Gibson 2002-08-15 22:47:05 EDT
The ntp development group has rejected this patch as submitted.
Comment 11 hjl 2002-08-16 13:13:15 EDT
The ntp people don't take this as a serious problem and
show little interest in it. On the other hand, I don't
know much about ntp. I will upload a new patch in case
other people are interested.
Comment 12 hjl 2002-08-16 13:14:25 EDT
Created attachment 71204 [details]
Another patch