Solved

NTP port needed to open on firewall

Posted on 2011-04-20
Last Modified: 2012-05-11
Hi Experts,

We have to allow our internal servers to sync with Internet NTP server, which inbound/outbound ports should I open on our firewall in this case?

I have tried outbound udp 123 and inbound all ports with no luck.

Thanks,

Jimmy
Question by:jimmy1829

Expert Comment

by:perfectpc
ID: 35435569
Depending on your firewall, you should not need to open any; the server will go out to the net to make the request. But if you do need to, open outbound UDP 123.

Expert Comment

by:jimbobmcgee
ID: 35435585
Typically, I find I need outbound TCP/123 (with replies allowed) and UDP/123 (in both directions) for this to work.
Author Comment

by:jimmy1829
ID: 35435644
thanks guys,

We do not want to open all ports for inbound traffic. What should I do?
Author Comment

by:jimmy1829
ID: 35435752
I tried outbound tcp and udp 123 with no luck.

Any other outbound port I need to open?

Expert Comment

by:medvedd
ID: 35436025
Please read this:

http://www.cs.ait.ac.th/~on/O/oreilly/tcpip/firewall/ch08_13.htm

In short, the ntp client sends a UDP request from a random port >1023 to port 123 on the ntp server.
It waits for the response on the same originating port. Your firewall should be able to keep
the originating port open for UDP traffic from the ntp server.
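The exchange medvedd describes above (client request from an ephemeral port to UDP/123, reply back to that same port), as an added example that is not part of the original thread: a minimal NTPv4 request builder and reply parser in Python. The server reply is constructed inline so the decoding runs offline; query_ntp_server() is the live version and assumes the host you pass answers on UDP/123 and that your firewall lets the reply back in. Field layout follows RFC 5905; the root delay, dispersion and reference-id values in the constructed reply are arbitrary.

```python
import socket
import struct
import time

NTP_PORT = 123
PACKET_LEN = 48
NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)


def build_ntp_request(version=4, now=None):
    """Minimal NTPv4 client packet: LI=0, VN=version, Mode=3 (client); every other
    field zero except the transmit timestamp, which the server echoes back as the
    originate timestamp so the client can match a reply to its request."""
    now = time.time() if now is None else now
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (0 << 6) | (version << 3) | 3
    secs = int(now) + NTP_UNIX_DELTA
    frac = int((now - int(now)) * (1 << 32))
    struct.pack_into("!II", pkt, 40, secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)
    return bytes(pkt)


def ntp_to_unix(secs, frac):
    """64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to a Unix float."""
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def parse_ntp_packet(data):
    """Decode the fixed 48-byte NTP header; works for both request and reply."""
    if len(data) < PACKET_LEN:
        raise ValueError("NTP packet shorter than 48 bytes")
    li_vn_mode, stratum, poll, precision = struct.unpack_from("!BBbb", data, 0)
    (root_delay, root_disp, ref_id,
     ref_s, ref_f, org_s, org_f, rec_s, rec_f, xmt_s, xmt_f) = struct.unpack_from("!11I", data, 4)
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,  # 3 = client, 4 = server
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "ref_id": ref_id,
        "originate_unix": ntp_to_unix(org_s, org_f),
        "receive_unix": ntp_to_unix(rec_s, rec_f),
        "transmit_unix": ntp_to_unix(xmt_s, xmt_f),
    }


def constructed_server_reply():
    """A hand-built NTPv4 server reply (mode 4, stratum 2) standing in for what a
    real server would send back; the values are constructed, not captured."""
    pkt = bytearray(PACKET_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | 4
    pkt[1] = 2                      # stratum 2
    pkt[2] = 6                      # poll interval 2^6 s
    pkt[3] = (-23) & 0xFF           # precision 2^-23 s (signed byte)
    struct.pack_into("!III", pkt, 4, 0x00000A3B, 0x00001234, 0xC0A80101)  # root delay, root dispersion, ref id
    xmt_secs = 1303257600 + NTP_UNIX_DELTA  # 2011-04-20 00:00:00 UTC in NTP seconds
    struct.pack_into("!II", pkt, 40, xmt_secs, 0x80000000)  # plus 0.5 s
    return bytes(pkt)


def query_ntp_server(host, timeout=2.0):
    """Live exchange: one request out, wait for the reply on the same socket.
    The two lines printed are the 4-tuple a stateful firewall has to track."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("", 0))  # OS picks the ephemeral (>1023) source port
    try:
        sock.sendto(build_ntp_request(), (host, NTP_PORT))
        data, (peer, peer_port) = sock.recvfrom(PACKET_LEN)
        local_port = sock.getsockname()[1]
        print(f"request  :{local_port} -> {host}:{NTP_PORT}")
        print(f"reply    {peer}:{peer_port} -> :{local_port}")
        return parse_ntp_packet(data)
    finally:
        sock.close()


if __name__ == "__main__":
    reply = parse_ntp_packet(constructed_server_reply())
    print("constructed reply: mode", reply["mode"], "stratum", reply["stratum"],
          "transmit", time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(reply["transmit_unix"])))
```

If query_ntp_server() times out while the offline parse works, the request left but the reply did not come back on the ephemeral port, which is exactly the firewall symptom this thread is about.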
Author Comment

by:jimmy1829
ID: 35436141
thanks,

So that means all non-standard ports need to be open for outbound traffic?
Accepted Solution

by:jimbobmcgee (earned 2000 total points)
ID: 35436830
What firewall are we talking about?  In Cisco speak, for example, typically:

    interface Ethernet0/0
        nameif outside
        security-level 0
    interface Ethernet0/1
        nameif inside
        security-level 100

will take care of it, as you can implicitly go from inside to outside, which sets up a reversible xlate.  If the security-levels were not taken into account, though, e.g. because of access-groups, it might look like:

object-group network INSIDE_LAN
    network-object 192.168.1.0 255.255.255.0
object-group network NTP_SERVERS
    network-object host 83.231.183.4
    network-object host 193.238.80.20
    network-object host 82.219.4.31
! protocol-specific service group, so it can be used as the destination-port
! operand of a "permit udp ..." entry
object-group service NTP_PORTS udp
    port-object eq 123

access-list AG_INSIDE_IN extended permit udp object-group INSIDE_LAN object-group NTP_SERVERS object-group NTP_PORTS

access-group AG_OUTSIDE_IN in interface outside
access-group AG_INSIDE_IN in interface inside
should do it, because the Cisco will still set up a one-off reverse-rule for the reply.

If your firewall is stateful, it should take care of this for you, from a LAN to WAN perspective.  If you have disabled this, or your firewall is not stateful/application aware, you will need to open rules akin to (pseudo):

allow udp LAN:192.168.1.0/24:>1024 to WAN:83.231.183.4/32:123
allow udp WAN:83.231.183.4/32:123 to LAN:192.168.1.0/24:>1024
allow udp LAN:192.168.1.0/24:>1024 to WAN:193.238.80.20/32:123
allow udp WAN:193.238.80.20/32:123 to LAN:192.168.1.0/24:>1024
allow udp LAN:192.168.1.0/24:>1024 to WAN:82.219.4.31/32:123
allow udp WAN:82.219.4.31/32:123 to LAN:192.168.1.0/24:>1024
although I can't see a reliable way to get the reply traffic back to the requesting client, if you have no stateful system, unless you can do port triggering, akin to (pseudo):

if udp LAN:192.168.1.0/24:>1024 accesses WAN:83.231.183.4/32:123
  then allow udp WAN:83.231.183.4/32:123 to LAN:originator
  and route udp WAN:83.231.183.4/32:123 to LAN:originator
In any case, make sure that your source and destination ports are the right way around...
Expert Comment

by:medvedd
ID: 35437328
You don't have to open all non-standard ports. In terms of the pf firewall (OpenBSD or FreeBSD):

pass out inet proto udp from me to any port 123 keep state

Keeping state for udp means that the firewall will open the inbound udp port from which the outbound
udp request came and will close this port after the response is received.
I think that all hardware firewalls also have similar features.
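The difference between the stateful "keep state" rule medvedd gives and the stateless rule pair in the accepted solution, as an added example that is not part of the original thread: a small Python model of a UDP state table. The stateful filter creates an entry on the matching outbound packet and lets in only the reply that reverses that 4-tuple (the one-reply model described above; real pf keeps UDP state for a timeout rather than closing on the first reply). The stateless function applies the static "server:123 -> LAN:>1023" rule and shows what it lets through that the stateful one does not. The LAN range and server addresses are the ones from the thread; the traffic below is constructed, not captured, and 198.51.100.7 is a documentation address standing in for a server not on the list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN -> WAN, "in" = WAN -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class StatefulUdpFilter:
    """Models 'pass out inet proto udp from <LAN> to <NTP servers> port 123 keep state'.
    State is created by the outbound request and consumed by the first matching reply;
    entries that never see a reply expire after state_timeout seconds."""

    def __init__(self, lan, ntp_servers, state_timeout=60.0):
        self.lan = ip_network(lan)
        self.ntp_servers = {ip_address(s) for s in ntp_servers}
        self.state_timeout = state_timeout
        self.state = {}  # (src, sport, dst, dport) -> expiry time

    def _expire(self, now):
        for key, expiry in list(self.state.items()):
            if expiry <= now:
                del self.state[key]

    def evaluate(self, pkt, now):
        self._expire(now)
        if pkt.proto != "udp":
            return "block:policy"
        if pkt.direction == "out":
            if (ip_address(pkt.src) in self.lan
                    and ip_address(pkt.dst) in self.ntp_servers
                    and pkt.dport == NTP_PORT):
                self.state[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.state_timeout
                return "pass:new-state"
            return "block:policy"
        # inbound: nothing is opened by policy, only replies that reverse a live state entry
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            del self.state[reverse]
            return "pass:reply"
        return "block:no-state"


def stateless_verdict(pkt, lan, ntp_servers):
    """The static rule pair from the accepted answer, with no state at all:
    allow udp LAN:>1023 -> server:123 and allow udp server:123 -> LAN:>1023."""
    lan_net = ip_network(lan)
    servers = {ip_address(s) for s in ntp_servers}
    if pkt.proto != "udp":
        return "block"
    if pkt.direction == "out":
        ok = (ip_address(pkt.src) in lan_net and pkt.sport > 1023
              and ip_address(pkt.dst) in servers and pkt.dport == NTP_PORT)
    else:
        ok = (ip_address(pkt.src) in servers and pkt.sport == NTP_PORT
              and ip_address(pkt.dst) in lan_net and pkt.dport > 1023)
    return "pass" if ok else "block"


LAN = "192.168.1.0/24"
SERVERS = ["83.231.183.4", "193.238.80.20", "82.219.4.31"]

# Constructed traffic (name, time in seconds, packet); not a capture.
SCENARIO = [
    ("request", 0.00, Packet("out", "192.168.1.10", 40123, "83.231.183.4", NTP_PORT)),
    ("reply", 0.05, Packet("in", "83.231.183.4", NTP_PORT, "192.168.1.10", 40123)),
    ("duplicate-reply", 0.10, Packet("in", "83.231.183.4", NTP_PORT, "192.168.1.10", 40123)),
    ("unsolicited", 0.20, Packet("in", "83.231.183.4", NTP_PORT, "192.168.1.50", 5555)),
    ("wrong-server", 0.30, Packet("out", "192.168.1.10", 40124, "198.51.100.7", NTP_PORT)),
    ("late-request", 100.0, Packet("out", "192.168.1.10", 40125, "193.238.80.20", NTP_PORT)),
    ("late-reply", 200.0, Packet("in", "193.238.80.20", NTP_PORT, "192.168.1.10", 40125)),
]


def run_scenario():
    """Run every packet through both filters; returns {name: (stateful, stateless)}."""
    fw = StatefulUdpFilter(LAN, SERVERS, state_timeout=60.0)
    return {name: (fw.evaluate(pkt, t), stateless_verdict(pkt, LAN, SERVERS))
            for name, t, pkt in SCENARIO}


if __name__ == "__main__":
    for name, (stateful, stateless) in run_scenario().items():
        print(f"{name:16s} stateful={stateful:15s} stateless={stateless}")
```

The "unsolicited" case is the one to look at: with only the static rules, anything that arrives with source port 123 from a listed server address (or a spoof of it) reaches every high port on the LAN, which is the gap the state table closes.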