[ntp:questions] Re: ntp server behind ADSL alcatel speedtouch 510 firewall not responding.

Ronan Flood ronan at noc.ulcc.ac.uk
Tue Dec 21 17:09:36 UTC 2004

Remko Bolt <marem at concepts.nl> wrote:

> > try ntpdate -q ntp.cluebox.org.
> I dialed out with pots and used the -d flag, it didn't work. Just
> temporarily configured the alcatel to use the "default server" option
> which forwards ALL to the server, then it works.
> Two possibilities:
> 1 - The alcatel firewall is misbehaving.
> 2 - ntp is trying to open extra ports.
> I understand that:
> An NTP client-to-server query has source port above 1023, destination
> port 123 means, the client sends it out its own port for example 1024 and
> is listening for a reply there, but sends it to port 123 of the server.
> An NTP server-to-client response - source port 123, destination port above
> 1023 means, the server sends it out port 123 to port 1024 of the client.
> So that leaves the alcatel to be at fault.

Perhaps.  The source port an NTP client uses can vary depending on
the circumstances.  In the example above, "ntpdate -q" will indeed
use a high port but "ntpdate -d" will use port 123 as the source
port -- or at least it will try to, and fail if it can't get it.
You could try "ntpdate -du" which should use a high (unprivileged)
source port.

The diagnostic clients ntpq and ntpdc will use high source ports,
ntpd itself will use port 123; other time-setting clients will use
whatever they're programmed to.

                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
                        working for but not speaking for
             Network Services, University of London Computer Centre
     (which means: don't bother ULCC if I've said something you don't like)
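
A probe for the source-port difference described in this message, added here as an example and not part of the original post: it sends one NTP client query either from an OS-chosen high port or from port 123 and reports whether a reply came back, so the two cases can be compared through the firewall. The function names are this example's own; binding port 123 needs privileges and fails while ntpd holds it.

```python
import socket
import struct
import sys

NTP_PORT = 123

def build_query(version=3):
    """48-byte NTP client request: LI=0, VN=version, Mode=3 (client)."""
    first = (0 << 6) | (version << 3) | 3
    return bytes([first]) + bytes(47)

def parse_header(data):
    """Return (version, mode, stratum) from an NTP packet, or None if too short."""
    if len(data) < 48:
        return None
    first, stratum = struct.unpack("!BB", data[:2])
    return (first >> 3) & 0x7, first & 0x7, stratum

def probe(server, src_port=0, dst_port=NTP_PORT, timeout=2.0):
    """Send one query from src_port (0 = OS picks a high port) and wait.

    Returns the local port actually used and the parsed reply; reply is None
    when nothing came back (query or response dropped somewhere on the path).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", src_port))  # raises OSError if port 123 is unavailable
        local_port = s.getsockname()[1]
        s.sendto(build_query(), (server, dst_port))
        try:
            data, peer = s.recvfrom(512)
        except OSError:  # timeout, or an ICMP error surfaced by the OS
            return {"local_port": local_port, "peer_port": None, "reply": None}
        return {"local_port": local_port, "peer_port": peer[1],
                "reply": parse_header(data)}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <ntp-server>")
    for sport in (0, NTP_PORT):  # high source port first, then port 123
        try:
            print("src", sport or "high", probe(sys.argv[1], src_port=sport))
        except OSError as exc:
            print("src", sport, "bind failed:", exc)
```

A reply to the high-port query but not to the port-123 query (or the reverse) points at a filter rule keyed on source port rather than at the server.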
