69192 – ntpd/ntpdate don't work behind a firewall

Bug 69192 - ntpd/ntpdate don't work behind a firewall

Summary: ntpd/ntpdate don't work behind a firewall

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	ntp
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Harald Hoyer
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2002-07-18 19:19 UTC by hjl
Modified:	2005-10-31 22:00 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2002-08-15 10:55:40 UTC
Embargoed:

Attachments	(Terms of Use)
A patch to avoid priviledged port (2.19 KB, patch) 2002-08-15 21:22 UTC, hjl	no flags	Details \| Diff
Another patch (3.74 KB, patch) 2002-08-16 17:14 UTC, hjl	no flags	Details \| Diff
View All

Description hjl 2002-07-18 19:19:09 UTC

ntpd/ntpdate uses port 123 (NTP) to receive
data. It doesn't work with firewals which block
incoming data to port 123. I don't believe port
123 has to be used to recieve NTP data. It is
a regression from RedHat 7.1.

Comment 1 Aleksey Nogin 2002-07-18 19:26:20 UTC

Also, ntpd/ntpdate should use the same port selection mechanism - currently ntp
init script calls ntpdate with -u option and then ntpd used port 123 which
requires (potentially) two different "holes" in the fw...

Comment 2 hjl 2002-07-18 19:30:59 UTC

My plan is

1. Change ntpdate not to use port 123 by default.
2. Change ntpd not to use port 123 to recieve NTP data by default.

#1 should be easy. But #2 may be trickier.

Comment 3 Aleksey Nogin 2002-07-18 19:33:33 UTC

How would #2 interact with broadcast/multicast?

Comment 4 hjl 2002-07-18 19:38:29 UTC

Ok, don't do #2 if we are a broadcast/multicast client.

Comment 5 Harald Hoyer 2002-08-15 10:55:36 UTC

ntpdate has the -u option for unpriviledged ports

Comment 6 Harald Hoyer 2002-08-15 11:02:55 UTC

for #2 you should work with the ntp development team...

Comment 7 Dean K. Gibson 2002-08-15 19:37:17 UTC

NTPD runs quite well behind a firewall, if it is configured properly.

What are you going to do about those of us running public NTP servers who only 
allow access to queries from source port 123?

Changing a protocol that has been in existence for twenty years and works very 
well behind firewalls, is not a good idea, in my opinion.  And all because 
people are running a firewall, but refuse to configure it to allow ntp 
replies.  There is no security risk in allowing ntp access via port 123.

Comment 8 hjl 2002-08-15 21:21:35 UTC

I sent a patch to ntp. I will append it here.

Comment 9 hjl 2002-08-15 21:22:38 UTC

Created attachment 70944 [details]
A patch to avoid priviledged port

Comment 10 Dean K. Gibson 2002-08-16 02:47:05 UTC

The ntp development group has rejected this patch as submitted.

Comment 11 hjl 2002-08-16 17:13:15 UTC

The ntp people don't take this as a serious problem and
show little interests in it. On the other hand, I don't
know much about ntp. I will upload a new patch in case
other people are interested.

Comment 12 hjl 2002-08-16 17:14:25 UTC

Created attachment 71204 [details]
Another patch

Note You need to log in before you can comment on or make changes to this bug.