1

On Debian Jessie servers I see systemd-timesyncd listening on random UDP ports, which is not the case on Debian Stretch hosts. By random I mean the port it listens on varies from server to server. Does it need to listen on a UDP port to work properly? I want to block ports that are not needed. Does this mean I've got to leave all UDP ports open?

x-yuri
  • Exactly what are you seeing? – Michael Hampton Mar 14 '18 at 19:57
  • @MichaelHampton probably something like `udp 0 0 0.0.0.0:51826 0.0.0.0:* 17697/systemd-timesyncd` where the port is a random ephemeral port. – Zoredache Mar 14 '18 at 20:10
  • @MichaelHampton For example, on one server `ss -unlp` gives `UNCONN 0 0 *:36956 *:* users:(("systemd-timesyn",pid=525,fd=12))`. – x-yuri Mar 14 '18 at 20:16
  • I encountered the same thing on Ubuntu 20. I do not have a stateful firewall so the answer below is not applicable for my case. My question for this: https://serverfault.com/questions/1064319/systemd-timesyncd-requires-incoming-ephemeral-ports-opened – Martin Melka May 24 '21 at 09:50

1 Answer

2

systemd-timesyncd is mostly an NTP/SNTP client, i.e. it makes outbound requests and gets replies. If you are running a stateful firewall then you would need to permit outgoing UDP traffic, and ESTABLISHED/RELATED incoming traffic. You shouldn't need to permit incoming traffic to the port timesyncd is listening on.

Zoredache
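An added example (not part of the answer above) of what the stateful policy it describes looks like as an iptables ruleset, together with a small check that the port reported by `ss -unlp` is an ephemeral client port rather than a service port. The `timesyncd_rules` function only prints the ruleset in iptables-restore format; the ephemeral range defaults (32768-60999) are the usual Linux defaults and should be read from `/proc/sys/net/ipv4/ip_local_port_range` on a real host. The sample `ss` line is the one from the question's comments.

```shell
#!/bin/sh
# Added example: stateful iptables policy for a host that runs systemd-timesyncd
# purely as an NTP client. Outbound UDP is allowed, NTP replies come back via
# conntrack's ESTABLISHED state, and the ephemeral port timesyncd binds is never
# opened to unsolicited traffic. The function prints the rules; applying them is
# up to the operator, e.g. `timesyncd_rules | iptables-restore`.
timesyncd_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, then replies to our own outbound traffic (this covers NTP responses)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anything unsolicited over UDP, including packets aimed at timesyncd's
# listening port, is dropped explicitly
-A INPUT -p udp -j DROP
COMMIT
EOF
}

# Report whether a port falls in the kernel's ephemeral range, i.e. the kind of
# port a client socket receives when it does not bind a fixed one. Range
# defaults are assumed Linux defaults; pass the real values from
# /proc/sys/net/ipv4/ip_local_port_range as $2 and $3 on a live host.
is_ephemeral() {
    port=$1; lo=${2:-32768}; hi=${3:-60999}
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
        echo yes
    else
        echo no
    fi
}

# Extract the local port from one `ss -unlp` line, e.g.
#   UNCONN 0 0 *:36956 *:* users:(("systemd-timesyn",pid=525,fd=12))
# The local address is the 4th column; the port is whatever follows the last
# colon, which also works for IPv6 forms such as [::]:36956.
ss_local_port() {
    printf '%s\n' "$1" | awk '{ n = split($4, a, ":"); print a[n] }'
}

# Constructed sample input (the line quoted in the question's comments).
SAMPLE='UNCONN 0 0 *:36956 *:* users:(("systemd-timesyn",pid=525,fd=12))'
port=$(ss_local_port "$SAMPLE")
echo "timesyncd local port: $port (ephemeral: $(is_ephemeral "$port"))"
echo "--- ruleset ---"
timesyncd_rules
```

Because the INPUT policy is DROP and only conntrack-matched packets are accepted, the random port timesyncd binds never needs a hole of its own: the reply from the NTP server matches the outbound request's conntrack entry, so it is accepted by the ESTABLISHED rule while any other packet to that port is dropped. To review the generated rules without loading them on a host that has iptables-restore, pipe them into `iptables-restore --test`.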