[ntp:questions] Firewall requirements for NTP as both client and server

David Taylor david-taylor at blueyonder.co.uk.invalid
Mon Dec 29 08:05:29 UTC 2014


On 29/12/2014 03:29, Phil W Lee wrote:
[]
> What worked for me was (rule numbers are irrelevant, although the
> order of the rules is important - you need to make sure that ntp
> traffic doesn't get caught and dumped by an earlier rule, but also
> that any rule which passes ntp traffic through NAT comes after any
> "check-state" rule allowing NAT to work on udp traffic if you use it):
> nnnnn  allow udp from any to any dst-port 123
>
> if you are using the firewall as an ntp server as well:
> nnnnn  allow udp from any to me dst port 123
> nnnnn  allow udp from me to any dst-port 123
>
> And (if you are using NAT on the firewall)
>
> nnnnn  allow ip from $insidesubnet to any dst-port 123 keep-state
>
> Testing showed that "any" did not appear to include "me"
[]

> I hope your firewall is running a fairly minimal installation of
> FreeBSD, for security reasons.  This can make it a PITA to keep
> software versions up-to-date, but it's the price you pay for security.
>
> HTH,
>
> Phil

Thanks for that, Phil.  I tried your suggestions, and even Paul's of how 
to disable the firewall, but none of them made any difference.

Looking at the NTPns through its Telnet interface, although it shows one 
source as "SELECTED", it's some 24 seconds out, so I don't think the 
NTPns server is working as I expected with just network sources.  There 
are three sources listed here:

Source 192.168.0.1: votes 1.000000 flags <UTC> los 1/192 update 64 SELECTED
         limit 1.280000e-01              No leapsecond at end of today
         stratum 1                       refid [192.168.0.1]
         delay 0.000000000               dispersion 0.001205444
         last_ts 1419839553.481725031    last_delta -24.054684001

Source 192.168.0.3: votes 1.000000 flags <UTC> los 1/192 update 64
         limit 1.280000e-01              No leapsecond at end of today
         stratum 1                       refid [192.168.0.3]
         delay 0.000000000               dispersion 0.001037598
         last_ts 1419839553.501792659    last_delta -24.054779510

Source 192.168.0.8: votes 1.000000 flags <UTC> los 1/192 update 64
         limit 1.280000e-01              No leapsecond at end of today
         stratum 1                       refid [192.168.0.8]
         delay 0.000000000               dispersion 0.001144409
         last_ts 1419839553.517881545    last_delta -24.055015980


-- 
Cheers,
David
Web: http://www.satsignal.eu
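As an added example (not code from this thread or from NTPns), here is a small Python parser for the NTPns status blocks quoted above. It flags when the selected source's offset exceeds a step threshold and reports whether all sources agree on the same offset, which points at the local clock rather than at any one server. SAMPLE is constructed from the output quoted in the post; the 0.128 s threshold and the 0.5 s agreement window are assumptions, not NTPns settings.

```python
import re

# Constructed sample, modelled on the NTPns Telnet status output quoted above.
SAMPLE = """\
Source 192.168.0.1: votes 1.000000 flags <UTC> los 1/192 update 64 SELECTED
         limit 1.280000e-01              No leapsecond at end of today
         stratum 1                       refid [192.168.0.1]
         delay 0.000000000               dispersion 0.001205444
         last_ts 1419839553.481725031    last_delta -24.054684001

Source 192.168.0.3: votes 1.000000 flags <UTC> los 1/192 update 64
         limit 1.280000e-01              No leapsecond at end of today
         stratum 1                       refid [192.168.0.3]
         delay 0.000000000               dispersion 0.001037598
         last_ts 1419839553.501792659    last_delta -24.054779510
"""

HEADER = re.compile(r"^Source (\S+): votes (\S+)")
FIELD = re.compile(r"\b(limit|stratum|delay|dispersion|last_ts|last_delta) (\S+)")


def parse_sources(text):
    """Split the status dump into one dict per 'Source' block."""
    sources, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"addr": m.group(1), "votes": float(m.group(2)),
                   "selected": line.rstrip().endswith("SELECTED")}
            sources.append(cur)
        elif cur is not None:
            for key, val in FIELD.findall(line):
                cur[key] = int(val) if key == "stratum" else float(val)
    return sources


def diagnose(sources, step_threshold=0.128, agree_within=0.5):
    """Return (selected_addr, offset_seconds, verdict). Threshold values are
    assumptions chosen for this example, not NTPns parameters."""
    selected = [s for s in sources if s["selected"]]
    if not selected:
        return None, None, "no source selected"
    sel, deltas = selected[0], [s["last_delta"] for s in sources]
    offset, spread = sel["last_delta"], max(deltas) - min(deltas)
    if abs(offset) <= step_threshold:
        verdict = "in tolerance"
    elif spread <= agree_within:   # every server reports the same offset
        verdict = "local clock off: all sources agree within %.3fs" % spread
    else:                          # servers disagree: suspect a source or path
        verdict = "sources disagree (spread %.3fs)" % spread
    return sel["addr"], offset, verdict
```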
