[ntp:questions] Firewall requirements for NTP as both client and server

Mike Cook michael.cook at sfr.fr
Sun Dec 28 17:07:39 UTC 2014

> On 28 Dec 2014 at 17:11, David Taylor <david-taylor at blueyonder.co.uk.invalid> wrote:
> 
> I'm trying to understand the firewall requirements for NTP.  Using the FreeBSD ipfw I have the following, which appears to allow NTPns to operate as a client, i.e. it can get times from other servers on my LAN, and even from the WAN.
> 
>  add 100 allow udp from any to any 123
>  add 200 allow udp from any 123 to any
> 
Check with "ipfw -S show" that you are getting the result you want:

> However, other servers on the same LAN appear not to be able to see this NTPns server, always being in an INIT state.  I wonder whether this might be a firewall issue, or whether the settings above should suffice both for NTPns as a client, and as a server.  My reading is that they should, but I'm very unfamiliar with ipfw (and that's what I have to use).
> 
  
I use the following for my 4801 on 192.168.1.3 (show result), allowing all NTP requests IN
00960     5560    1149140 set 8 allow udp from any to 192.168.1.3 dst-port 123 via sis0 keep-state
and letting any server initiated request out. I don’t restrict outgoing packets as I am the only user.
05100  9721814 1149904224 set 0 allow ip from 192.168.1.3 to any keep-state

When I get odd things like this happening I select logging and see what is / is not getting through.
ex.
00705   717773  274869433 set 2 allow log ip from not 192.168.0.0/16 to 192.168.1.3 dst-port 80 via sis0 keep-state
to log all incoming http from the internet.

It could be that your other servers have firewalls restricting some address traffic.

You can use tcpdump to see what is on your LAN:

$ sudo tcpdump -p udp port 123
Password:
Hold it up to the light --- not a brain in sight!
Password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on sis0, link-type EN10MB (Ethernet), capture size 96 bytes
18:06:01.575375 IP gluon.stratum1.d2g.com.ntp > ntp-p1.obspm.fr.ntp: NTPv4, Client, length 48
18:06:02.575056 IP gluon.stratum1.d2g.com.ntp > ns1.nexellent.net.ntp: NTPv4, Client, length 48
18:06:02.597744 IP ns1.nexellent.net.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
18:06:03.575860 IP gluon.stratum1.d2g.com.ntp > ch-ntp01.swiss-networks.net.ntp: NTPv4, Client, length 48
18:06:03.601883 IP ch-ntp01.swiss-networks.net.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
18:06:05.575561 IP gluon.stratum1.d2g.com.ntp > laurelineA.stratum1.d2g.com.ntp: NTPv4, Client, length 48
18:06:05.575815 IP laurelineA.stratum1.d2g.com.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
18:06:14.575661 IP gluon.stratum1.d2g.com.ntp > muon.stratum1.d2g.com.ntp: NTPv4, Client, length 48
18:06:14.576758 IP muon.stratum1.d2g.com.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48
18:06:15.575563 IP gluon.stratum1.d2g.com.ntp > raspb1.home.ntp: NTPv4, Client, length 48
18:06:15.576416 IP raspb1.home.ntp > gluon.stratum1.d2g.com.ntp: NTPv4, Server, length 48

have fun

> Thanks!
> 
> -- 
> Cheers,
> David
> Web: http://www.satsignal.eu
> 

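As an added example (not part of this thread, not Mike's or David's code), here is a small script that does by hand what the logging suggestion above does by eye: it parses tcpdump's NTP decode lines and reports peers whose exchange is one-directional, i.e. Client requests that never got a Server reply, which is what a firewall dropping one direction of port 123 traffic looks like on the wire. The host names and the capture lines are constructed for the example.

```python
import re
from collections import Counter

# One tcpdump NTP decode line, e.g.
# 18:06:02.575056 IP a.example.ntp > b.example.ntp: NTPv4, Client, length 48
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.ntp > (?P<dst>\S+)\.ntp: "
    r"NTPv(?P<ver>\d), (?P<mode>[^,]+), length (?P<len>\d+)$"
)

# Constructed capture (hypothetical hosts): ntpsrv.lan is the box being checked.
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
18:06:01.575375 IP ntpsrv.lan.ntp > pool-a.example.net.ntp: NTPv4, Client, length 48
18:06:01.601200 IP pool-a.example.net.ntp > ntpsrv.lan.ntp: NTPv4, Server, length 48
18:06:02.575056 IP ntpsrv.lan.ntp > pool-b.example.net.ntp: NTPv4, Client, length 48
18:06:05.110000 IP lan-client1.lan.ntp > ntpsrv.lan.ntp: NTPv4, Client, length 48
18:06:05.110400 IP ntpsrv.lan.ntp > lan-client1.lan.ntp: NTPv4, Server, length 48
18:06:21.110000 IP lan-client2.lan.ntp > ntpsrv.lan.ntp: NTPv4, Client, length 48
18:06:37.110000 IP lan-client2.lan.ntp > ntpsrv.lan.ntp: NTPv4, Client, length 48
"""

def parse_ntp_lines(text):
    """Return one dict per NTP packet; banner lines and prompts are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ver"], d["len"] = int(d["ver"]), int(d["len"])
            packets.append(d)
    return packets

def unanswered(packets, local):
    """Peers whose exchange with `local` is one-directional.
    outbound: local sent Client requests but never saw a Server reply
              (replies from the WAN/LAN are not getting back in)
    inbound:  a peer sent Client requests but local never sent a Server reply
              (requests or replies on the server side are being dropped)
    """
    sent_req = Counter(p["dst"] for p in packets if p["src"] == local and p["mode"] == "Client")
    got_reply = {p["src"] for p in packets if p["dst"] == local and p["mode"] == "Server"}
    recv_req = Counter(p["src"] for p in packets if p["dst"] == local and p["mode"] == "Client")
    sent_reply = {p["dst"] for p in packets if p["src"] == local and p["mode"] == "Server"}
    return {
        "outbound": {peer: n for peer, n in sent_req.items() if peer not in got_reply},
        "inbound": {peer: n for peer, n in recv_req.items() if peer not in sent_reply},
    }

if __name__ == "__main__":
    print(unanswered(parse_ntp_lines(SAMPLE), "ntpsrv.lan"))
```

Feed it the output of `tcpdump -p udp port 123` and a populated "inbound" entry points at the server-side rule (or the peer's own firewall), while a populated "outbound" entry points at replies being blocked on the way back.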
