[ntp:questions] ntp ports

Terje Mathisen terje.mathisen at hda.hydro.com
Mon Nov 10 07:10:01 UTC 2008

Richard B. Gilbert wrote:
> Melanie Pfefer wrote:
>> Hi
>> What ports need to be opened if my ntp servers are inside a firewall?
>> thank you
> Port 123.  But only if you need to query outside servers or serve time 
> to systems outside the firewall.  If you purchase and install a hardware 
> reference clock, such as a GPS timing receiver, you can dispense with 
> access to servers outside the firewall.  This is an option reserved for 
> the utterly paranoid!  Normally you would use one or more outside 
> servers as a backup and sanity check.

I have three inhouse GPS receivers, in three separate cities. Each city 
has two FreeBSD-based ntp servers, one of which is currently connected 
to the local GPS, but the other is pre-configured so that in case of a 
primary server crash, the serial cable can be moved over.

All six servers are also configured to use each other as a reference, 
but since any ntp server will disregard other servers at the same 
stratum level, the effect is that the primaries use their GPS clock and 
the secondaries use the 3 primary servers.

All of them will also use 3 external servers as backup, just in case. :-)
(No other systems are allowed to use port 123 through the firewalls, 
while the primary servers have no other open ports at all, except for 
SSH from one of two corporate admin machines.)

All other servers use all six of these S1/S2 primary servers as references.

- <Terje.Mathisen at hda.hydro.com>
"almost all programming can be viewed as an exercise in caching"

More information about the questions mailing list