
NTP port needed to open on firewall

Last Modified: 2012-05-11
Hi Experts,

We have to allow our internal servers to sync with an Internet NTP server. Which inbound/outbound ports should I open on our firewall in this case?

I have tried outbound udp 123 and inbound all ports with no luck.

Thanks,

Jimmy

Depending on your firewall, you should not need to open any. The server will go out to the net to do the request. But if you do, you need to open outbound UDP 123.
Typically, I find I need outbound TCP/123 (with replies allowed) and UDP/123 (in both directions) for this to work.

Author

Commented:
Thanks guys,

We do not want all ports to open for inbound traffic. What should I do?

Author

Commented:
I tried outbound tcp and udp 123 with no luck.

Any other outbound port I need to open?

Commented:
Please read this:

http://www.cs.ait.ac.th/~on/O/oreilly/tcpip/firewall/ch08_13.htm

In short, the NTP client sends a UDP request from a random port >1023 to port 123 on the NTP server.
It waits for the response on the same originating port. Your firewall should be able to keep
the originating port open for UDP traffic from the NTP server.

Author

Commented:
Thanks,

So that means all non-standard ports need to be open for outbound traffic?

Commented:
You don't have to open all non-standard ports. In terms of the pf firewall (OpenBSD or FreeBSD):

pass out inet proto udp from self to any port 123 keep state

Keeping state for UDP means that the firewall will open the inbound UDP port from which the outbound
UDP request came and will close this port after the response is received.
I think that all hardware firewalls also have similar features.
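
How a stateful firewall treats the NTP exchange discussed in this thread, as an added example that is not part of any poster's comment and not pf's own code: a toy Python model of a UDP state table. The class name, addresses, port numbers and the 30-second idle timeout are constructed assumptions for illustration.

```python
UDP_STATE_TIMEOUT = 30.0  # assumed idle timeout in seconds; real firewalls differ


class UdpStateTable:
    """Toy model of 'keep state' for UDP: an allowed outbound packet creates
    an entry, and an inbound packet passes only if it mirrors a live entry."""

    def __init__(self, allowed_dst_ports=(123,), timeout=UDP_STATE_TIMEOUT):
        self.allowed_dst_ports = set(allowed_dst_ports)
        self.timeout = timeout
        self.states = {}  # (src_ip, src_port, dst_ip, dst_port) -> expiry time

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        # Only traffic to an allowed destination port may create state.
        if dst_port not in self.allowed_dst_ports:
            return "block"
        self.states[(src_ip, src_port, dst_ip, dst_port)] = now + self.timeout
        return "pass"

    def inbound(self, src_ip, src_port, dst_ip, dst_port, now):
        # A reply has source and destination swapped relative to the request.
        key = (dst_ip, dst_port, src_ip, src_port)
        expiry = self.states.get(key)
        if expiry is None:
            return "block"  # unsolicited: no matching outbound request
        if now > expiry:
            del self.states[key]
            return "block"  # the state aged out before this packet arrived
        self.states[key] = now + self.timeout
        return "pass"


def demo():
    # Constructed sample traffic (documentation address ranges).
    fw = UdpStateTable()
    client, server, other = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    return [
        fw.outbound(client, 40123, server, 123, now=0.0),   # NTP request
        fw.inbound(server, 123, client, 40123, now=0.05),   # matching reply
        fw.inbound(other, 123, client, 40123, now=0.1),     # different sender
        fw.inbound(server, 123, client, 40124, now=0.1),    # different client port
        fw.inbound(server, 123, client, 40123, now=100.0),  # after the timeout
    ]


if __name__ == "__main__":
    print(demo())
```

Only the second packet gets in: no inbound rule exists at all, and the high client port is reachable solely by the server that was just queried, and only while the state is alive.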