Bug 69192 - ntpd/ntpdate don't work behind a firewall
Summary: ntpd/ntpdate don't work behind a firewall
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ntp
Version: 7.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-07-18 19:19 UTC by hjl
Modified: 2005-10-31 22:00 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2002-08-15 10:55:40 UTC
Embargoed:


Attachments
A patch to avoid privileged port (2.19 KB, patch)
2002-08-15 21:22 UTC, hjl
Another patch (3.74 KB, patch)
2002-08-16 17:14 UTC, hjl

Description hjl 2002-07-18 19:19:09 UTC
ntpd/ntpdate use port 123 (NTP) to receive
data. They don't work with firewalls which block
incoming data to port 123. I don't believe port
123 has to be used to receive NTP data. It is
a regression from RedHat 7.1.

Comment 1 Aleksey Nogin 2002-07-18 19:26:20 UTC
Also, ntpd/ntpdate should use the same port selection mechanism - currently ntp
init script calls ntpdate with -u option and then ntpd used port 123 which
requires (potentially) two different "holes" in the fw...

Comment 2 hjl 2002-07-18 19:30:59 UTC
My plan is

1. Change ntpdate not to use port 123 by default.
2. Change ntpd not to use port 123 to receive NTP data by default.

#1 should be easy. But #2 may be trickier.

Comment 3 Aleksey Nogin 2002-07-18 19:33:33 UTC
How would #2 interact with broadcast/multicast?

Comment 4 hjl 2002-07-18 19:38:29 UTC
Ok, don't do #2 if we are a broadcast/multicast client.

Comment 5 Harald Hoyer 2002-08-15 10:55:36 UTC
ntpdate has the -u option for unprivileged ports

Comment 6 Harald Hoyer 2002-08-15 11:02:55 UTC
for #2 you should work with the ntp development team...

Comment 7 Dean K. Gibson 2002-08-15 19:37:17 UTC
NTPD runs quite well behind a firewall, if it is configured properly.

What are you going to do about those of us running public NTP servers who only 
allow access to queries from source port 123?

Changing a protocol that has been in existence for twenty years and works very 
well behind firewalls, is not a good idea, in my opinion.  And all because 
people are running a firewall, but refuse to configure it to allow ntp 
replies.  There is no security risk in allowing ntp access via port 123.
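The disagreement in comments 5 and 7 comes down to which UDP source port the client binds: ntpdate's default binds the privileged port 123, so a firewall in front of the client must admit inbound UDP to 123, whereas `ntpdate -u` sends from an ephemeral port, which a stateful firewall passes as the reply to an outbound request but which a server filtering on source port 123 (comment 7) will drop. The following script is an added example, not code from this bug or from the ntp project; it builds a minimal NTP v3 client request, lets the caller choose between the two source-port behaviours, and decodes the server's transmit timestamp. The `build_server_reply` helper and the server name `ntp.example.org` are constructed for offline demonstration and are not on the page.

```python
import socket
import struct

NTP_PORT = 123                  # privileged port ntpd/ntpdate bind by default
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
PACKET_LEN = 48                 # fixed NTP header, no extension fields


def build_client_request(version=3):
    """Minimal mode-3 (client) request: LI=0, VN=version, Mode=3, all other fields zero."""
    first_byte = (0 << 6) | (version << 3) | 3
    return bytes([first_byte]) + bytes(PACKET_LEN - 1)


def build_server_reply(stratum, unix_seconds, version=3):
    """Constructed mode-4 (server) reply used for offline testing; only the
    transmit timestamp (bytes 40..47) carries a value."""
    first_byte = (0 << 6) | (version << 3) | 4
    header = bytes([first_byte, stratum]) + bytes(38)            # bytes 2..39 zeroed
    transmit = struct.pack("!II", unix_seconds + NTP_EPOCH_OFFSET, 0)  # seconds, fraction
    return header + transmit


def parse_reply(data):
    """Decode the header fields a client checks and the transmit timestamp as Unix time."""
    if len(data) < PACKET_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first_byte = data[0]
    mode = first_byte & 0x07
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    secs, frac = struct.unpack("!II", data[40:48])
    return {
        "leap": first_byte >> 6,
        "version": (first_byte >> 3) & 0x07,
        "mode": mode,
        "stratum": data[1],
        "unix_time": secs - NTP_EPOCH_OFFSET + frac / 2 ** 32,
    }


def query(server, unprivileged=True, timeout=2.0):
    """Send one request and return (source port used, parsed reply).

    unprivileged=True mirrors 'ntpdate -u': the kernel picks an ephemeral source port.
    unprivileged=False mirrors the default: bind source port 123, which needs root and
    needs the client-side firewall to admit inbound UDP to 123.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.bind(("", 0 if unprivileged else NTP_PORT))
        sock.sendto(build_client_request(), (server, NTP_PORT))
        data, _ = sock.recvfrom(1024)
        return sock.getsockname()[1], parse_reply(data)
    finally:
        sock.close()


if __name__ == "__main__":
    # Offline demonstration on a constructed reply; no network access needed.
    reply = build_server_reply(stratum=2, unix_seconds=1_000_000_000)
    print(parse_reply(reply))
    # Live use against a hypothetical server (placeholder name, not from the page):
    # print(query("ntp.example.org", unprivileged=True))
```

Running `query(..., unprivileged=False)` as a non-root user fails at `bind` with a permission error, which is the same constraint that makes `-u` attractive on the client side; on the server side, an access rule keyed on source port 123 is not a security control, since any root process can bind that port, so the firewall rule that actually matters is the stateful one that pairs each inbound reply with the outbound request.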


Comment 8 hjl 2002-08-15 21:21:35 UTC
I sent a patch to ntp. I will append it here.

Comment 9 hjl 2002-08-15 21:22:38 UTC
Created attachment 70944 [details]
A patch to avoid privileged port

Comment 10 Dean K. Gibson 2002-08-16 02:47:05 UTC
The ntp development group has rejected this patch as submitted.

Comment 11 hjl 2002-08-16 17:13:15 UTC
The ntp people don't take this as a serious problem and
show little interest in it. On the other hand, I don't
know much about ntp. I will upload a new patch in case
other people are interested.


Comment 12 hjl 2002-08-16 17:14:25 UTC
Created attachment 71204 [details]
Another patch
