From What are the iptables rules to permit ntp?:
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
Also, from the NTP website:
... ntpd requires full bidirectional access to the privileged UDP port 123. ...
My question is, why? To someone not familiar with NTP, this seems like a potential security hole, especially when I'm asking a client of mine to open up that port in their firewall so that my servers can keep their time synchronised. Does anyone have a decent justification I can give to my client to convince them that I need this access in the firewall? Help is appreciated! :)
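As an added example (not from the question or any of the comments), the script below emits the rule sets for the two roles the thread distinguishes: ntpd as a pure client, where the conntrack ESTABLISHED match the comments mention covers the replies, and ntpd as a server, the only case that needs an inbound UDP/123 rule. It assumes a default-deny INPUT and OUTPUT policy; the client networks are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the original question or comments.
# Each function prints iptables commands so they can be reviewed first and
# then applied with, e.g.:  ntp_client_rules | sudo sh
# Assumed: INPUT and OUTPUT chains default to DROP, conntrack is loaded.

# Role 1: ntpd only polls upstream servers. The query leaves on UDP/123 and
# conntrack records it, so the reply is matched as ESTABLISHED on INPUT.
# Nothing unsolicited can reach port 123; this replaces the blanket
# "iptables -A INPUT -p udp --dport 123 -j ACCEPT" from the question.
ntp_client_rules() {
    cat <<'EOF'
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Role 2: ntpd also answers clients. Only now is a NEW inbound UDP/123 rule
# needed, and it is restricted to the client source networks given as
# arguments (e.g. 203.0.113.0/24, a constructed documentation range).
# The server's replies are covered by the OUTPUT ESTABLISHED rule above.
ntp_server_rules() {
    ntp_client_rules
    for net in "$@"; do
        printf 'iptables -A INPUT -p udp --dport 123 -s %s -m conntrack --ctstate NEW -j ACCEPT\n' "$net"
    done
}

# Sanity check used before applying: a client-only host must never end up
# with an unrestricted inbound port 123 rule. Returns 0 when the set is clean.
rules_have_no_open_ntp_port() {
    ! printf '%s\n' "$1" | grep -q -- '-A INPUT -p udp --dport 123 -j ACCEPT'
}
```

Run `ntp_server_rules 203.0.113.0/24 | sudo sh` on a host that serves time to that network; on a client use `ntp_client_rules | sudo sh`.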
ntpd works as an NTP client through NAT just fine. I'm not sure why the web site says that. All sorts of ntp clients exist, Windows, Linux, etc... that do not require an incoming port opened. If you want to receive connections from servers, you will need a port open for them just like any other service. So no problem. Have you tested it yet? – Ryan Babchishin – 2015-10-13T04:43:55.543
@DuffJ That sort of reasoning is how you end up tunnelling everything over HTTP... and then inventing HTTP firewalls... and then tunnelling everything in fake Facebook traffic to get past the HTTP firewalls... and then... – user253751 – 2016-09-27T03:59:54.413
Have you read the part about "allow related/established"? If this rule's present there's no need for a general input rule for UDP port 123. – VMai – 2014-06-02T13:16:57.413
Is this really a potential security hole? This is an often repeated phrase that I think is meaningless. It is 2014, time to not imbue ports less than 1024 with special properties and block all traffic that is not explicitly required. You are opening up one port to one machine from certain hosts on the internet. – dfc – 2014-06-02T21:40:44.993
I agree, it's not really a potential security hole, but I work in the financial industry and people are always nervous about opening up firewalls in case "something gets through". It's always worth having a good justification on hand, plus I'm curious about the answer myself - does ntpd on a time server actually make outgoing connections to its clients to send time updates? That sounds weird and not particularly scalable. – Dawngerpony – 2014-06-03T10:39:09.147
I googled this one a few days ago, it can manage without an incoming connection made. – barlop – 2014-06-06T18:41:02.260
@VMai the person that said that on http://superuser.com/questions/141772/what-are-the-iptables-rules-to-permit-ntp gave no example, but I think he meant to enable outgoing connections, packets coming in within them. That is different to the concept that "ntpd requires full bidirectional access to the privileged UDP port 123. ..." which sounds like an incoming connection. If he wanted to allow incoming and outgoing using related/established then he'd need 4 rules. 2 for incoming connections, 2 for outgoing connections. – barlop – 2014-06-06T18:48:06.113
@barlop I have tried with only outgoing connections available, unfortunately ntpd was unable to manage until incoming connections were allowed. Another solution, such as ntpdate on a cron job, would work with only outgoing connections enabled but is not optimal; my question is related to getting ntpd to run. It would be good to know where you found the information when you "googled this one". Link? – Dawngerpony – 2014-06-09T09:07:46.613