
On one of my production servers, the UFW configuration is as follows:

Status: active
Logging: on (low)
Default: deny (incoming), **deny (outgoing)**, disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp                     ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)

I've enabled NTP synchronisation by installing the ntp service, and it's currently running. When I run ntpq -p, I get the following output:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+209.114.111.1   132.163.4.103    2 u  52m 1024  374   44.591    3.390   0.983
+208.75.89.4     216.218.192.202  2 u  51m 1024  374   67.622    2.429   2.171
*204.9.54.119    .CDMA.           1 u  40m 1024  374   24.324    2.344   2.116
-72.14.183.239   200.98.196.212   2 u  41m 1024  374   41.822    4.611   2.649
-91.189.94.4     193.79.237.14    2 u  43m 1024  374   74.764   -0.407   3.417

From the above output, it apparently looks like ntp is already working properly without opening any additional port on the ufw firewall. Is this understanding correct, or do I need to open any port for NTP synchronization to work?

Thanks

user2436428

1 Answer


Your 'when' column is telling me that ntp last chatted with those servers at best 40 minutes ago, yet your poll interval is 1024 seconds (~17 minutes). ntp does not seem to be running properly, which makes sense given your firewall configuration.

You'll need an outbound and an inbound allow rule for UDP 123. The inbound is needed since UDP is stateless. It's like receiving mail from someone you don't know.

Neil
  • Thank you, Neil. Additionally, I've opened TCP **53** for outgoing traffic so that DNS works, since _/etc/ntp.conf_ contains the NTP servers' names, not IP addresses. It's now working properly. – user2436428 Dec 19 '15 at 06:49
  • That's a good catch - I didn't even think of DNS! However, DNS also uses UDP for most transactions: http://serverfault.com/questions/404840/when-do-dns-queries-use-tcp-instead-of-udp But, feel free to verify this before taking firewall advice from an internet stranger: Make sure you're logging blocked connections, or at least blocked connections on 53 tcp & udp. Run a few dns queries (ping works fine for this), and check the log. Just set up your DNS rule similar to the NTP rule: 53 UDP inbound & outbound. Leave your 53 TCP in place also. – Neil Dec 19 '15 at 07:03
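An added example, not code from the question or from Neil's answer, that turns the two checks discussed above into a script: it decodes the `when`, `poll` and `reach` columns of the asker's own `ntpq -p` table to show why those peers are not healthy (the `reach` value is an octal shift register, and 374 means the last two polls went unanswered), and it scans UFW log lines for blocked packets to UDP 123 and 53, as Neil suggests, and prints the `ufw allow` rule each block calls for. The `ntpq` text is the table from the question; the `[UFW BLOCK]` lines are constructed samples in the key=value layout ufw writes to the kernel log, with made-up hosts and timestamps.

```python
"""Check what this thread turns on: is ntpd hearing back from its peers, and is
UFW dropping the UDP traffic that NTP and DNS need?  Added example, not from the
original post.  NTPQ_OUTPUT is the asker's table; UFW_LOG is a constructed sample
in ufw's log field format (hosts, addresses and timestamps are made up)."""
import re

NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+209.114.111.1   132.163.4.103    2 u  52m 1024  374   44.591    3.390   0.983
+208.75.89.4     216.218.192.202  2 u  51m 1024  374   67.622    2.429   2.171
*204.9.54.119    .CDMA.           1 u  40m 1024  374   24.324    2.344   2.116
-72.14.183.239   200.98.196.212   2 u  41m 1024  374   41.822    4.611   2.649
-91.189.94.4     193.79.237.14    2 u  43m 1024  374   74.764   -0.407   3.417
"""

UFW_LOG = """\
Dec 19 06:30:11 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=203.0.113.10 DST=209.114.111.1 LEN=76 PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 19 06:30:11 web1 kernel: [UFW BLOCK] IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.53 LEN=80 PROTO=UDP SPT=41022 DPT=53 LEN=60
Dec 19 06:31:02 web1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=55120 DPT=3306 LEN=40
"""


def when_seconds(value):
    """ntpq prints 'when' in seconds, or with an m/h/d suffix once it grows large."""
    if value == "-":
        return None
    units = {"m": 60, "h": 3600, "d": 86400}
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def missed_recent_polls(reach_octal):
    """'reach' is an 8-bit shift register printed in octal: one bit per poll,
    newest in the low bit, 1 = reply received.  374 = 0b11111100, so the two
    most recent polls got no answer.  Returns the run of recent misses (0..8)."""
    reach = int(reach_octal, 8)
    missed = 0
    while missed < 8 and not reach & (1 << missed):
        missed += 1
    return missed


def parse_ntpq(text):
    """Parse `ntpq -p` output into dicts, skipping the two header lines."""
    peers = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()   # tally char (*, +, -, space) then columns
        remote, refid, stratum, kind, when, poll, reach = fields[:7]
        delay, offset, jitter = (float(x) for x in fields[7:10])
        peers.append({"tally": tally, "remote": remote, "refid": refid,
                      "stratum": int(stratum), "when": when_seconds(when),
                      "poll": int(poll), "reach": reach,
                      "delay": delay, "offset": offset, "jitter": jitter})
    return peers


def peer_healthy(peer):
    """Every recent poll answered, and the last reply not overdue (one full
    extra poll interval of slack before we call it overdue)."""
    overdue = peer["when"] is not None and peer["when"] > 2 * peer["poll"]
    return not overdue and missed_recent_polls(peer["reach"]) == 0


UFW_ACTION = re.compile(r"\[UFW (\w+)\]")
KEY_VALUE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_ufw_log(text):
    """Turn '[UFW BLOCK] IN= OUT=eth0 ... PROTO=UDP ... DPT=123' lines into dicts."""
    events = []
    for line in text.splitlines():
        action = UFW_ACTION.search(line)
        if action:
            events.append({"action": action.group(1), **dict(KEY_VALUE.findall(line))})
    return events


def blocked_ntp_dns(events):
    """Blocked packets to port 123 or 53, as (direction, proto, dport, dst).
    An empty IN= and a set OUT= means the packet was leaving this host."""
    hits = []
    for e in events:
        dport = int(e.get("DPT", "0"))
        if e["action"] == "BLOCK" and dport in (123, 53):
            direction = "out" if e.get("OUT") else "in"
            hits.append((direction, e["PROTO"], dport, e["DST"]))
    return hits


def ufw_rules_for(hits):
    """The ufw command that would have let each blocked packet through."""
    rules = []
    for direction, proto, dport, _dst in hits:
        rule = f"ufw allow {direction} {dport}/{proto.lower()}"
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for p in parse_ntpq(NTPQ_OUTPUT):
        state = "ok" if peer_healthy(p) else f"{missed_recent_polls(p['reach'])} recent polls missed"
        print(f"{p['tally']}{p['remote']:<16} when={p['when']}s poll={p['poll']}s reach={p['reach']} -> {state}")
    for rule in ufw_rules_for(blocked_ntp_dns(parse_ufw_log(UFW_LOG))):
        print(rule)
```

Run against the asker's table it flags all five peers: `when` is past two poll intervals and `reach` shows two missed polls each, which is exactly what "ntp is not running properly" looks like in `ntpq -p`. On the constructed log it emits `ufw allow out 123/udp` and `ufw allow out 53/udp`; with `Logging: on (low)` in the question's ufw status, blocked packets are already being written to the kernel log, so the same scan works on a real `/var/log/ufw.log`. Whether you also add Neil's inbound rule is a judgement call: ufw's default ruleset accepts packets belonging to connections conntrack has already seen, so the server's reply to an outbound NTP query normally gets back without one, and the log will show a `[UFW BLOCK] IN=eth0 ... SPT=123` line if it does not.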