[ntp:questions] ntpdate unexpected behaviour

Leandro Martelli martelli at epix.com.br
Thu Aug 3 14:27:47 UTC 2017


Hi,

I just came across a non-intuitive ntpdate case caused by my firewall
configuration.

My firewall outbound rules include something like:

- allow from udp 123 to udp 123
- allow from udp 10000-20000 to any

The first line ensures NTPd will work, which is fine.

The second line was spotted after ntpdate failed intermittently. The
reason was that I had the '-q' option, which was causing ntpdate to choose
a non-privileged port (like '-u').

We can always change the firewall config, but shouldn't we be able to
run '-q' without implying the use of a non-privileged port?

I know changing this behaviour now would certainly break a lot of
setups and therefore I'd like to ask if it makes sense to have another
flag, say '-Q', which would query the server using udp/123 as the
source port. This would allow us to have the same network behaviour as if
we were running without flags, but without adjusting the clock.

I'd eventually make the same consideration for '-d', as activating
'-d' or '-q' will change the network behaviour, which is normally not
expected.

Thank you.

Best regards,

Leandro Martelli

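The exchange the post is about, as an added example that is not part of the original message and not ntpdate's own code: a query-only SNTP client in the spirit of `ntpdate -q` whose source port is a parameter, so the same request can be sent either from an ephemeral unprivileged port (what the post describes for `-q`/`-u`) or from udp/123 (the flow the first firewall rule allows, which needs root or CAP_NET_BIND_SERVICE to bind). The clock is only measured, never set. The `start_fake_server` helper and its 5 s skew are constructed here so the example runs offline against 127.0.0.1; all function names are this example's own.

```python
"""Query-only SNTP client with a selectable source port (added example, not ntpdate code)."""
import socket
import struct
import threading
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_PACKET_FMT = "!BBbb11I"    # LI/VN/Mode, stratum, poll, precision, then eleven 32-bit words
NTP_PACKET_LEN = struct.calcsize(NTP_PACKET_FMT)  # 48 bytes


def to_ntp(unix_time):
    """Split a Unix float timestamp into NTP (seconds, fraction) 32-bit words."""
    secs = int(unix_time)
    frac = int((unix_time - secs) * (1 << 32)) & 0xFFFFFFFF
    return (secs + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac


def from_ntp(secs, frac):
    """Convert NTP (seconds, fraction) words back to a Unix float timestamp."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_packet(mode, orig=0.0, recv=0.0, xmit=0.0, stratum=0):
    """Build a 48-byte NTPv4 packet; mode 3 = client request, mode 4 = server reply."""
    first = (0 << 6) | (4 << 3) | mode   # LI=0, VN=4, Mode
    words = [0, 0, 0, 0, 0]              # root delay, root dispersion, ref id, ref timestamp (2 words)
    for t in (orig, recv, xmit):         # originate, receive, transmit timestamps (2 words each)
        words.extend(to_ntp(t))
    return struct.pack(NTP_PACKET_FMT, first, stratum, 0, 0, *words)


def parse_packet(data):
    """Decode the header fields and the three timestamps we need from an NTP packet."""
    if len(data) < NTP_PACKET_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first, stratum, _poll, _prec, *w = struct.unpack(NTP_PACKET_FMT, data[:NTP_PACKET_LEN])
    return {"version": (first >> 3) & 7, "mode": first & 7, "stratum": stratum,
            "orig": from_ntp(w[5], w[6]), "recv": from_ntp(w[7], w[8]), "xmit": from_ntp(w[9], w[10])}


def clock_offset(t1, t2, t3, t4):
    """Offset and round-trip delay from the four NTP timestamps (RFC 5905, section 8)."""
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)


def sntp_query(server, server_port=123, source_port=0, timeout=2.0):
    """One client/server exchange, like `ntpdate -q`, from a caller-chosen source port.

    source_port=0: the kernel picks an unprivileged ephemeral port (the -q/-u behaviour
    described in the post). source_port=123: udp/123 -> udp/123, which needs root or
    CAP_NET_BIND_SERVICE to bind. The local clock is never adjusted.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(("", source_port))
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_packet(3, xmit=t1), (server, server_port))
        data, _peer = sock.recvfrom(512)
        t4 = time.time()
        used_port = sock.getsockname()[1]
    finally:
        sock.close()
    reply = parse_packet(data)
    if reply["mode"] != 4:
        raise ValueError("unexpected mode %d in reply" % reply["mode"])
    if abs(reply["orig"] - t1) > 1e-3:   # reply must echo our transmit timestamp (basic spoof check)
        raise ValueError("originate timestamp mismatch")
    offset, delay = clock_offset(t1, reply["recv"], reply["xmit"], t4)
    return {"offset": offset, "delay": delay, "stratum": reply["stratum"], "source_port": used_port}


def start_fake_server(server_offset=0.0, stratum=2):
    """Constructed stand-in NTP server on 127.0.0.1 so the example runs offline.

    Its clock is skewed by server_offset seconds so the client measures a non-zero
    offset. Binds port 0 (any free unprivileged port), so no root is needed.
    Returns (port, stop_function).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(512)
            except socket.timeout:
                continue
            req = parse_packet(data)
            if req["mode"] != 3:
                continue
            now = time.time() + server_offset
            srv.sendto(build_packet(4, orig=req["xmit"], recv=now, xmit=now, stratum=stratum), peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


if __name__ == "__main__":
    port, stop = start_fake_server(server_offset=5.0)
    try:
        print(sntp_query("127.0.0.1", server_port=port))   # ephemeral source port, as with -q
    finally:
        stop()
```

Against a real server the call is `sntp_query("pool.ntp.org")` for the ephemeral-port case and `sntp_query("pool.ntp.org", source_port=123)` (run as root or with CAP_NET_BIND_SERVICE) for the udp/123-to-udp/123 case the post's first firewall rule covers; the returned `source_port` shows which of the two flows the firewall actually saw.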