Why does NTP require bi-directional firewall access to UDP port 123?

17

4

From What are the iptables rules to permit ntp?:

iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

Also, from the NTP website:

... ntpd requires full bidirectional access to the privileged UDP port 123. ...

My question is, why? To someone not familiar with NTP, this seems like a potential security hole, especially when I'm asking a client of mine to open up that port in their firewall so that my servers can keep their time synchronised. Does anyone have a decent justification I can give to my client to convince them that I need this access in the firewall? Help is appreciated! :)

Dawngerpony

Posted 2014-06-02T09:32:18.443

Reputation: 363

ntpd works as an NTP client through NAT just fine. I'm not sure why the web site says that. All sorts of ntp clients exist, Windows, Linux, etc... that do not require an incoming port opened. If you want to receive connections from servers, you will need a port open for them just like any other service. So no problem. Have you tested it yet? – Ryan Babchishin – 2015-10-13T04:43:55.543

@DuffJ That sort of reasoning is how you end up tunnelling everything over HTTP... and then inventing HTTP firewalls... and then tunnelling everything in fake Facebook traffic to get past the HTTP firewalls... and then... – user253751 – 2016-09-27T03:59:54.413

Have you read the part about "allow related/established"? If this rule's present there's no need for a general input rule for UDP port 123. – VMai – 2014-06-02T13:16:57.413

Is this really a potential security hole? This is an often repeated phrase that I think is meaningless. It is 2014, time to not imbue ports less than 1024 with special properties and block all traffic that is not explicitly required. You are opening up one port to one machine from certain hosts on the internet. – dfc – 2014-06-02T21:40:44.993

I agree, it's not really a potential security hole, but I work in the financial industry and people are always nervous about opening up firewalls in case "something gets through". It's always worth having a good justification on hand, plus I'm curious about the answer myself - does ntpd on a time server actually make outgoing connections to its clients to send time updates? That sounds weird and not particularly scalable. – Dawngerpony – 2014-06-03T10:39:09.147

I googled this one a few days ago, it can manage without an incoming connection made. – barlop – 2014-06-06T18:41:02.260

@VMai the person that said that on http://superuser.com/questions/141772/what-are-the-iptables-rules-to-permit-ntp gave no example, but I think he meant to enable outgoing connections, packets coming in within them. That is different to the concept that "ntpd requires full bidirectional access to the privileged UDP port 123. ..." which sounds like an incoming connection. If he wanted to allow incoming and outgoing using related/established then he'd need 4 rules. 2 for incoming connections, 2 for outgoing connections.

– barlop – 2014-06-06T18:48:06.113

@barlop I have tried with only outgoing connections available, unfortunately ntpd was unable to manage until incoming connections were allowed. Another solution, such as ntpdate on a cron job, would work with only outgoing connections enabled but is not optimal; my question is related to getting ntpd to run. It would be good to know where you found the information when you "googled this one". Link? – Dawngerpony – 2014-06-09T09:07:46.613

Answers

10

You only need to allow incoming traffic on NTP's port if you are acting as a server, allowing clients to sync to you.

Otherwise, the existence of an NTP state will automatically determine whether the incoming NTP packet is blocked or allowed, based on an existing firewall state that we initiated.

iptables -A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Please let me know if the iptables rules are proper. I have no experience with iptables. My NTP client stays synchronized on my pfSense router with only an outgoing allow rule because pfSense is a stateful firewall.

Ben Cook

Posted 2014-06-02T09:32:18.443

Reputation: 166

This does seem sensible! Unfortunately I am no longer in a position to confirm the correctness of your answer; however, I will accept it because it does seem logical. Many thanks! – Dawngerpony – 2015-11-16T12:04:08.837

1

NTP requires bi-directional access on port 123 because the NTP RFC specifies the following regarding the source port of the client:

When operating in symmetric modes (1 and 2), this field must contain the NTP port number PORT (123) assigned by the IANA.

Since the client's source port is 123, when the server sends the response back it'll send it to port 123. Naturally, in order to be able to receive that response the client must allow incoming responses on port 123. Normally responses would come back on some ephemeral port range.

As Ben Cook mentioned above, this is only required when dealing with a stateless firewall as a stateful firewall would allow the response to come back without an explicit rule.

Gurpreet Atwal

Posted 2014-06-02T09:32:18.443

Reputation: 11
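To make the two answers above concrete, here is a small simulation (added example, not code from the thread or from ntpd) of how a stateless and a stateful (conntrack-style) firewall treat NTP traffic. It builds a 48-byte mode-3 NTP request so the mode field from the RFC quote is visible, then replays three packets through each ruleset: the client's request, the server's reply, and an unsolicited query from a third host. The IP addresses and the ephemeral port 40123 are constructed values; the rule sets mirror the two iptables snippets in the question and in Ben Cook's answer. The last function goes slightly beyond the thread: a client that uses an ephemeral source port (as ntpdate -u does) gets its reply on that port, so the question's stateless --dport 123 INPUT rule would not even help it.

```python
"""Simulate stateless vs. stateful firewall handling of NTP on UDP/123.
Constructed example: addresses, ports and rules are illustrative only."""
import struct

NTP_PORT = 123
# RFC 5905 header: LI (2 bits) | VN (3 bits) | Mode (3 bits), then 47 bytes
NTP_HEADER = "!BBbb11I"


def ntp_client_packet(version=4):
    """Build a minimal 48-byte NTP request: LI=0, VN=version, Mode=3 (client)."""
    first_byte = (0 << 6) | (version << 3) | 3
    return struct.pack(NTP_HEADER, first_byte, 0, 0, 0, *([0] * 11))


def ntp_mode(packet):
    """Low three bits of the first byte carry the association mode."""
    return packet[0] & 0x07


def ntp_reply_to(request):
    """Server side: answer a mode-3 request with mode 4; other fields unchanged."""
    first_byte = (request[0] & 0xF8) | 4
    return bytes([first_byte]) + request[1:]


# A packet is a 4-tuple: (src_ip, src_port, dst_ip, dst_port)
class StatelessFirewall:
    """Default-drop packet filter: a packet passes only if a rule in its chain
    matches. Mirrors plain iptables rules without the 'state' match."""

    def __init__(self):
        self.rules = {"INPUT": [], "OUTPUT": []}

    def add(self, chain, sport=None, dport=None, src=None):
        self.rules[chain].append((sport, dport, src))

    def allows(self, chain, pkt):
        src, sport, dst, dport = pkt
        for r_sport, r_dport, r_src in self.rules[chain]:
            if (r_sport in (None, sport) and r_dport in (None, dport)
                    and r_src in (None, src)):
                return True
        return False


class StatefulFirewall(StatelessFirewall):
    """Same filter plus a conntrack-style table: an INPUT packet whose reversed
    4-tuple matches a flow we initiated is accepted as ESTABLISHED."""

    def __init__(self):
        super().__init__()
        self.flows = set()

    def allows(self, chain, pkt):
        src, sport, dst, dport = pkt
        if chain == "OUTPUT" and super().allows(chain, pkt):
            self.flows.add((src, sport, dst, dport))  # remember what we sent
            return True
        if chain == "INPUT" and (dst, dport, src, sport) in self.flows:
            return True  # reply to a flow we opened: ESTABLISHED
        return super().allows(chain, pkt)


CLIENT, SERVER, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.77"  # constructed


def run(fw):
    """Send one ntpd-style request (source port 123), receive its reply,
    then see whether an unsolicited query from a third host gets in."""
    request = (CLIENT, NTP_PORT, SERVER, NTP_PORT)
    reply = (SERVER, NTP_PORT, CLIENT, NTP_PORT)
    unsolicited = (STRANGER, NTP_PORT, CLIENT, NTP_PORT)
    return {
        "request_out": fw.allows("OUTPUT", request),
        "reply_in": fw.allows("INPUT", reply),
        "unsolicited_in": fw.allows("INPUT", unsolicited),
    }


def question_rules():
    """INPUT --dport 123 / OUTPUT --sport 123, as quoted in the question."""
    fw = StatelessFirewall()
    fw.add("INPUT", dport=NTP_PORT)
    fw.add("OUTPUT", sport=NTP_PORT)
    return run(fw)


def ben_cook_rules():
    """OUTPUT --sport 123 --dport 123 plus INPUT --state ESTABLISHED,RELATED."""
    fw = StatefulFirewall()
    fw.add("OUTPUT", sport=NTP_PORT, dport=NTP_PORT)
    return run(fw)


def ephemeral_port_client():
    """Client using an ephemeral source port behind the question's stateless rules:
    the request leaves, but the reply (to port 40123) is dropped."""
    fw = StatelessFirewall()
    fw.add("INPUT", dport=NTP_PORT)
    fw.add("OUTPUT", dport=NTP_PORT)
    request = (CLIENT, 40123, SERVER, NTP_PORT)
    reply = (SERVER, NTP_PORT, CLIENT, 40123)
    return fw.allows("OUTPUT", request), fw.allows("INPUT", reply)


if __name__ == "__main__":
    print("question's stateless rules:", question_rules())
    print("Ben Cook's stateful rules:  ", ben_cook_rules())
    print("ephemeral-port client:      ", ephemeral_port_client())
```

The point the simulation makes is the one both answers circle around: with the question's stateless pair, the reply gets in only because anything addressed to port 123 gets in, including unsolicited queries from any host. With a stateful OUTPUT rule plus ESTABLISHED,RELATED on INPUT, the reply still arrives and the unsolicited packet is dropped, so nothing "bi-directional" has to be opened for a pure client.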

0

I think that the best solution is to enable port 123 for input, only for the ip addresses expected to give your server the ntp signal.
Inside the ntp config file, /etc/ntp.conf, there are the addresses of several ntp servers your server should point to. You may use the lookup command to find the corresponding ip for each address.

host -t a 0.debian.pool.ntp.org

Then you can add the rule to the server firewall:

iptables -I INPUT -p udp -s 94.177.187.22 -j ACCEPT

...and so on.
This may prevent any malicious person from damaging your server.
I think it is no use restricting the output.

Leonardo Gugliotti

Posted 2014-06-02T09:32:18.443

Reputation: 1

-1

ntp server to server communication is source and destination port 123. It is most convenient to explicitly allow that at least to the hosts on which you are running a ntp service.

You might consider only exposing an external host to the Internet to get time from outside sources. An internal ntp service syncing to this can be the source for all devices. If these hosts are dedicated to the purpose the possible exposure is limited: they only accept ntp traffic and do not store other data.

Alternately, do not use an external IP network at all. Use a radio source like GPS for time, for example.

http://www.diablotin.com/librairie/networking/firewall/ch08_13.htm
http://support.ntp.org/bin/view/Support/TroubleshootingNTP

John Mahowald

Posted 2014-06-02T09:32:18.443

Reputation: 159

Thanks for this answer, but it doesn't answer the question. What if I am the system administrator and want to open up my firewall so that I can set up the internal NTP service? Nobody still seems to have any idea why bi-directional access (which is much more dangerous than uni-directional access) is required for NTP. – Dawngerpony – 2015-07-24T09:40:31.610