jimmy1829
asked on
NTP port needed to open on firewall
Hi Experts,
We have to allow our internal servers to sync with Internet NTP server, which inbound/outbound ports should I open on our firewall in this case?
I have tried outbound udp 123 and inbound all ports with no luck.
Thanks,
Jimmy
Depending on your firewall you should not need to open any. The server will go out to the net to do the request. But if you do need to, open outbound udp 123.
Typically, I find I need outbound TCP/123 (with replies allowed) and UDP/123 (in both directions) for this to work.
ASKER
thanks guys,
We do not want all ports to open for inbound traffic. What should I do?
ASKER
I tried outbound tcp and udp 123 with no luck.
Any other outbound port I need to open?
Please read this:
http://www.cs.ait.ac.th/~on/O/oreilly/tcpip/firewall/ch08_13.htm
In short, the ntp client sends a UDP request from a random port >1023 to port 123 on the ntp server.
It waits for the response on the same originating port. Your firewall should be able to keep
the originating port open for UDP traffic from the ntp server.
ASKER
thanks,
So that means all non-standard ports need to be open for outbound traffic?
ASKER CERTIFIED SOLUTION
You don't have to open all non-standard ports. In terms of pf firewall (OpenBSD or FreeBSD):
pass out inet proto udp from me to any port 123 keep state
Keeping state for udp means that the firewall will open the inbound udp port from which the outbound
udp request came and will close this port after the response is received.
I think that all hardware firewalls also have similar features.
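To illustrate what the `keep state` rule above does, here is an added toy model of a stateful UDP filter (example code written for this page, not from the thread or from pf itself). It assumes the client uses an ephemeral source port as the thread describes, and the IP addresses in the demo are constructed sample values.

```python
from dataclasses import dataclass, field

NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    """Minimal UDP packet header: just the addressing tuple the state table keys on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class StatefulUdpFirewall:
    """Toy model of: pass out inet proto udp from me to any port 123 keep state."""
    my_ips: set
    # state entries keyed as (local_ip, local_port, remote_ip, remote_port)
    states: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> bool:
        """Outbound is allowed only to port 123; an allowed packet creates a state entry."""
        if pkt.src_ip not in self.my_ips or pkt.dst_port != NTP_PORT:
            return False  # not matched by the rule; no state is created
        self.states.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Inbound needs no rule of its own: it passes only if it is the reverse of a live state."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.states:
            # This toy closes the entry on the first reply; real pf keeps UDP
            # state until an idle timeout instead of closing it immediately.
            self.states.discard(key)
            return True
        return False  # unsolicited UDP to an internal host is dropped


def run_demo() -> dict:
    """Walk through one NTP exchange plus two packets the firewall should refuse."""
    fw = StatefulUdpFirewall(my_ips={"10.0.0.5"})  # constructed internal host
    request = Packet("10.0.0.5", 40000, "203.0.113.10", NTP_PORT)  # constructed NTP server
    reply = Packet("203.0.113.10", NTP_PORT, "10.0.0.5", 40000)
    stray = Packet("203.0.113.10", NTP_PORT, "10.0.0.5", 40001)  # wrong client port
    return {
        "request_out": fw.outbound(request),
        "stray_in": fw.inbound(stray),
        "reply_in": fw.inbound(reply),
        "replay_in": fw.inbound(reply),  # state already closed
        "non_ntp_out": fw.outbound(Packet("10.0.0.5", 40000, "203.0.113.10", 124)),
    }
```

Running `run_demo()` shows that only the request and its matching reply pass; the reply on a different client port, a second copy of the reply, and outbound traffic to a non-123 port are all dropped without any inbound port being opened.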