NTP port needed to open on firewall

Posted on 2011-04-20
Medium Priority
Last Modified: 2012-05-11
Hi Experts,

We have to allow our internal servers to sync with Internet NTP server, which inbound/outbound ports should I open on our firewall in this case?

I have tried outbound udp 123 and inbound all ports with no luck.


Question by: jimmy1829

Expert Comment

ID: 35435569
Depending on your firewall you should not need to open any. The server will go out to the net to make the request. But if you do need to, open outbound udp 123.

Expert Comment

ID: 35435585
Typically, I find I need outbound TCP/123 (with replies allowed) and UDP/123 (in both directions) for this to work.

Author Comment

ID: 35435644
thanks guys,

We do not want all ports to open for inbound traffic. What should I do?

Author Comment

ID: 35435752
I tried outbound tcp and udp 123 with no luck.

Any other outbound port I need to open?

Expert Comment

ID: 35436025
Please read this:


In short, the ntp client sends a UDP request from a random port >1023 to port 123 on the ntp server.
It waits for the response on the same originating port. Your firewall should be able to keep
the originating port open for UDP traffic from the ntp server.

Author Comment

ID: 35436141

So that means all non-standard ports need to be open for outbound traffic?

Accepted Solution

jimbobmcgee earned 2000 total points
ID: 35436830
What firewall are we talking about?  In Cisco speak, for example, typically:

    interface Ethernet0/0
        nameif outside
        security-level 0
    interface Ethernet0/1
        nameif inside
        security-level 100

will take care of it, as you can implicitly go from inside to outside, which sets up a reversible xlate.  If the security-levels were not taken into account, though, e.g. because of access-groups, it might look like:

object-group network INSIDE_LAN
object-group network NTP_SERVERS
    network-object host
    network-object host
    network-object host
object-group service NTP_PORTS
    service-object udp eq 123

access-group AG_OUTSIDE_IN in interface outside
access-group AG_INSIDE_IN in interface inside

access-list AG_INSIDE_IN extended permit udp object-group INSIDE_LAN object-group NTP_SERVERS object-group NTP_PORTS
should do it, because the Cisco will still set up a one-off reverse-rule for the reply.

If your firewall is stateful, it should take care of this for you, from a LAN to WAN perspective.  If you have disabled this, or your firewall is not stateful/application aware, you will need to open rules akin to (pseudo):

allow udp LAN:>1024 to WAN:
allow udp WAN: to LAN:>1024
allow udp LAN:>1024 to WAN:
allow udp WAN: to LAN:>1024
allow udp LAN:>1024 to WAN:
allow udp WAN: to LAN:>1024
although I can't see a reliable way to get the reply traffic back to the requesting client, if you have no stateful system, unless you can do port triggering, akin to (pseudo):

if udp LAN:>1024 accesses WAN:
  then allow udp WAN: to LAN:originator
  and route udp WAN: to LAN:originator
In any case, make sure that your source and destination ports are the right way around...
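To make the accepted solution's point concrete, here is an added model (not code from the thread or from any firewall vendor) of the two policies it contrasts: a stateful firewall that remembers each outbound UDP request and admits only the matching reply, versus the stateless "allow udp WAN:123 to LAN:>1024" rules. The hosts and ports are constructed for the example (RFC 5737 documentation ranges); the single-use pinhole is a simplification of real state tables, which expire entries on a timer rather than after exactly one reply.

```python
"""Stateful vs. stateless handling of an NTP client's UDP exchange (illustrative model)."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = LAN -> WAN, "in" = WAN -> LAN

@dataclass
class StatefulFirewall:
    # Outbound policy: (proto, server, port) flows the LAN may initiate.
    allowed_out: set
    # State table: 5-tuples of flows seen leaving the LAN (the "keep state" / xlate entry).
    state: set = field(default_factory=set)

    def filter(self, pkt):
        if pkt.direction == "out":
            if (pkt.proto, pkt.dst, pkt.dport) in self.allowed_out:
                self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "pass"
            return "block"
        # Inbound: only the exact reverse of a remembered flow is admitted.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            self.state.discard(key)  # simplification: pinhole closes after one reply
            return "pass"
        return "block"

def stateless_filter(pkt):
    """The thread's pseudo rules: allow udp LAN:>1024 -> WAN:123 and udp WAN:123 -> LAN:>1024."""
    if pkt.proto != "udp":
        return "block"
    if pkt.direction == "out" and pkt.sport > 1024 and pkt.dport == 123:
        return "pass"
    if pkt.direction == "in" and pkt.sport == 123 and pkt.dport > 1024:
        return "pass"
    return "block"

# Constructed scenario: one legitimate exchange followed by unsolicited inbound packets.
LAN_HOST, NTP_SERVER, OTHER_HOST = "192.168.1.10", "203.0.113.5", "198.51.100.7"
SCENARIO = [
    Packet("udp", LAN_HOST, 50123, NTP_SERVER, 123, "out"),   # client request
    Packet("udp", NTP_SERVER, 123, LAN_HOST, 50123, "in"),    # matching reply
    Packet("udp", OTHER_HOST, 123, LAN_HOST, 50123, "in"),    # reply from a server never asked
    Packet("udp", NTP_SERVER, 123, LAN_HOST, 50123, "in"),    # duplicate reply, state consumed
    Packet("udp", NTP_SERVER, 123, LAN_HOST, 50124, "in"),    # port that never sent a request
    Packet("tcp", LAN_HOST, 50125, NTP_SERVER, 123, "out"),   # TCP/123 is not in the policy
]

def run_scenario():
    fw = StatefulFirewall(allowed_out={("udp", NTP_SERVER, 123)})
    return {
        "stateful": [fw.filter(p) for p in SCENARIO],
        "stateless": [stateless_filter(p) for p in SCENARIO],
    }

if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

The stateless ruleset passes packets 3 and 5, which is exactly the "open all non-standard ports inbound" exposure the question worried about; the stateful table admits only the reply to the request it saw, and nothing else.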

Expert Comment

ID: 35437328
You don't have to open all non-standard ports. In terms of the pf firewall (OpenBSD or FreeBSD)

pass out inet proto udp from me to any port 123 keep state

Keeping state for udp means that the firewall will open the inbound udp port from which the outbound
udp request came and will close this port after the response is received.
I think that all hardware firewalls also have similar features.
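The exchange the pf comment and the earlier "random port >1023" comment describe, as an added example that is not part of the thread: a minimal SNTP client and a toy server run over loopback, so you can watch the reply come back to the client's ephemeral source port. The server binds port 0 instead of 123 because 123 needs root (an assumption for running unprivileged); the 48-byte header layout is RFC 5905's, and the client checks that the reply's origin timestamp echoes what it sent, which is the check a real client uses to discard stray or spoofed responses.

```python
"""Minimal SNTP request/reply over loopback, showing the reply returns to the requesting port."""
import socket
import struct
import threading
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to the Unix epoch
HEADER = "!BBBb11I"             # 48-byte NTP header: LI/VN/Mode, stratum, poll, precision, 11 words

def to_ntp(unix_time):
    """Float Unix time -> NTP (seconds, fraction) pair of 32-bit integers."""
    whole = int(unix_time)
    return (whole + NTP_EPOCH_OFFSET, int((unix_time - whole) * 2**32))

def build_request(transmit_ts):
    """Client packet: LI=0, VN=3, Mode=3 (0x1b) with our transmit timestamp filled in."""
    secs, frac = transmit_ts
    return struct.pack(HEADER, 0x1b, 0, 0, 0, 0, 0, 0,
                       0, 0,        # reference timestamp
                       0, 0,        # origin timestamp
                       0, 0,        # receive timestamp
                       secs, frac)  # transmit timestamp

def parse_packet(data):
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    f = struct.unpack(HEADER, data[:48])
    return {
        "li": f[0] >> 6, "vn": (f[0] >> 3) & 0x7, "mode": f[0] & 0x7,
        "stratum": f[1],
        "origin": (f[9], f[10]), "receive": (f[11], f[12]), "transmit": (f[13], f[14]),
    }

def build_reply(request, now):
    """Toy server packet: Mode=4 (0x1c), stratum 1, client's transmit echoed as origin."""
    req = parse_packet(request)
    secs, frac = to_ntp(now)
    return struct.pack(HEADER, 0x1c, 1, 0, 0, 0, 0, int.from_bytes(b"LOCL", "big"),
                       secs, frac,                              # reference
                       req["transmit"][0], req["transmit"][1],  # origin
                       secs, frac,                              # receive
                       secs, frac)                              # transmit

def reply_is_for(reply, sent_ts):
    """Client-side check: a server reply whose origin matches the timestamp we sent."""
    p = parse_packet(reply)
    return p["mode"] == 4 and p["origin"] == sent_ts

def serve_one(sock):
    # Reply to whatever address:port the request came from, exactly like a real server.
    data, client_addr = sock.recvfrom(512)
    sock.sendto(build_reply(data, time.time()), client_addr)

def ntp_exchange(host="127.0.0.1"):
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))  # assumption: unprivileged run, so not port 123
    srv.settimeout(5)
    server_addr = srv.getsockname()
    worker = threading.Thread(target=serve_one, args=(srv,), daemon=True)
    worker.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind((host, 0))  # OS picks an ephemeral source port (>1023), as ntpd does
    cli.settimeout(5)
    sent_ts = to_ntp(time.time())
    cli.sendto(build_request(sent_ts), server_addr)
    data, reply_from = cli.recvfrom(512)
    worker.join()
    result = {
        "client_port": cli.getsockname()[1],
        "server_addr": server_addr,
        "reply_from": reply_from,
        "valid": reply_is_for(data, sent_ts),
        "reply": parse_packet(data),
    }
    cli.close()
    srv.close()
    return result

if __name__ == "__main__":
    r = ntp_exchange()
    print(f"request  LAN:{r['client_port']} -> server:{r['server_addr'][1]}")
    print(f"reply    server:{r['reply_from'][1]} -> LAN:{r['client_port']}  valid={r['valid']}")
```

Run it and the two printed lines show the source/destination ports swapped between request and reply; that reversed 4-tuple is precisely what the firewall's state entry has to match for the reply to be admitted.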
