jimmy1829 asked:
NTP port needed to open on firewall

Hi Experts,

We have to allow our internal servers to sync with an Internet NTP server. Which inbound/outbound ports should I open on our firewall in this case?

I have tried outbound udp 123 and inbound all ports with no luck.

Thanks,

Jimmy
perfectpc:

Depending on your firewall, you should not need to open any. The server will go out to the net to make the request. But if you do need to, open outbound UDP 123.
Typically, I find I need outbound TCP/123 (with replies allowed) and UDP/123 (in both directions) for this to work.
jimmy1829 (asker):
thanks guys,

We do not want all ports to open for inbound traffic. What should I do?
I tried outbound tcp and udp 123 with no luck.

Any other outbound port I need to open?
Please read this:

http://www.cs.ait.ac.th/~on/O/oreilly/tcpip/firewall/ch08_13.htm

In short, the NTP client sends a UDP request from a random port >1023 to port 123 on the NTP server.
It waits for the response on the same originating port. Your firewall should be able to keep
the originating port open for UDP traffic coming back from the NTP server.
thanks,

So that means all non-standard ports need to be open for outbound traffic?
ASKER CERTIFIED SOLUTION by jimbobmcgee (solution text available to members only)
You don't have to open all non-standard ports. In terms of the pf firewall (OpenBSD or FreeBSD):

# pf.conf: "self" is pf's keyword for the host's own addresses; the state entry created
# on the way out is what lets the server's reply back in
pass out inet proto udp from self to any port 123 keep state

Keeping state for UDP means that the firewall will open the inbound UDP port from which the outbound
UDP request came and will close this port after the response is received.
I think that all hardware firewalls also have similar features.
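The two replies above (the NTP client querying from an ephemeral source port and waiting there for the answer, and the pf "keep state" rule that admits only that answer) can be seen end to end in the following simulation. It is an added example, not code from this thread or from pf: the NTP packets are built by hand following the RFC 5905 header layout, and a small StatefulFirewall class mimics the state table a rule like "pass out inet proto udp ... port 123 keep state" maintains. The addresses, the ephemeral port 49152 and the 60-second state lifetime are constructed values; no sockets are opened and no real firewall is touched.

```python
"""Stateful UDP filtering for an NTP query, modelled in Python (added example,
not the thread's own code).  Packets follow the RFC 5905 header layout; the
firewall class imitates a 'keep state' rule.  Addresses, the ephemeral port
and the 60 s timeout are constructed values for the demonstration."""
import struct
from dataclasses import dataclass

NTP_PORT = 123
NTP_HDR = "!BBBb3I4Q"          # LI/VN/Mode, stratum, poll, precision, 3 x 32-bit, 4 x 64-bit timestamps
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (UNIX epoch)
STATE_TIMEOUT = 60.0           # assumed UDP state lifetime; real firewalls make this tunable


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def ntp_timestamp(unix_seconds: float) -> int:
    """Encode a UNIX time as a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_ntp_request(now: float) -> bytes:
    """Client packet: LI=0, VN=4, Mode=3; only the transmit timestamp is filled in."""
    header = (0 << 6) | (4 << 3) | 3
    return struct.pack(NTP_HDR, header, 0, 0, 0, 0, 0, 0, 0, 0, 0, ntp_timestamp(now))


def build_ntp_response(request: bytes, now: float) -> bytes:
    """Server packet: Mode=4, stratum 2; echoes the client's transmit time as 'origin'."""
    fields = struct.unpack(NTP_HDR, request)
    if fields[0] & 0x07 != 3:
        raise ValueError("not a client (mode 3) request")
    header = (0 << 6) | (4 << 3) | 4
    ts = ntp_timestamp(now)
    #                   hdr     strat poll       prec rdly rdsp refid ref orig        recv xmt
    return struct.pack(NTP_HDR, header, 2, fields[2], -20, 0, 0, 0, ts, fields[10], ts, ts)


def parse_ntp_response(data: bytes) -> dict:
    """Decode the fields a client checks before trusting the answer."""
    f = struct.unpack(NTP_HDR, data)
    xmt = f[10]
    return {
        "version": (f[0] >> 3) & 0x07,
        "mode": f[0] & 0x07,
        "stratum": f[1],
        "origin": f[8],                                   # must equal what we sent
        "xmt_unix": (xmt >> 32) - NTP_EPOCH_OFFSET + (xmt & 0xFFFFFFFF) / (1 << 32),
    }


class StatefulFirewall:
    """Default-deny inbound.  Outbound UDP to an allowed port creates a 4-tuple state
    entry that lets the matching reply back in until the entry expires."""

    def __init__(self, allowed_dports=(NTP_PORT,), timeout: float = STATE_TIMEOUT):
        self.allowed = set(allowed_dports)
        self.timeout = timeout
        self.states: dict[tuple, float] = {}   # (src, sport, dst, dport) -> expiry time

    def _expire(self, now: float) -> None:
        self.states = {k: t for k, t in self.states.items() if t > now}

    def outbound(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        if pkt.dport not in self.allowed:
            return False
        self.states[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now + self.timeout
        return True

    def inbound(self, pkt: Packet, now: float) -> bool:
        self._expire(now)
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the outbound tuple
        if key not in self.states:
            return False                                # no state: dropped, whatever the port
        self.states[key] = now + self.timeout           # matching traffic refreshes the entry
        return True


def run_exchange(now: float = 1_700_000_000.0) -> dict:
    """One NTP query through the firewall, plus the packets that must not get through."""
    fw = StatefulFirewall()
    client, server, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    sport = 49152   # ephemeral source port picked by the client OS (constructed)

    request = Packet(client, sport, server, NTP_PORT, build_ntp_request(now))
    out_ok = fw.outbound(request, now)
    # The server answers to exactly the address:port the request came from.
    reply = Packet(server, NTP_PORT, client, sport, build_ntp_response(request.payload, now + 0.02))
    reply_ok = fw.inbound(reply, now + 0.04)
    parsed = parse_ntp_response(reply.payload) if reply_ok else None
    return {
        "request_passed": out_ok,
        "reply_passed": reply_ok,
        "reply": parsed,
        "origin_matches": parsed is not None and parsed["origin"] == ntp_timestamp(now),
        # Same payload from an address we never queried: no state, dropped.
        "spoofed_source_passed": fw.inbound(Packet(stranger, NTP_PORT, client, sport, reply.payload), now + 0.05),
        # Right server, wrong client port: no state, dropped.
        "wrong_port_passed": fw.inbound(Packet(server, NTP_PORT, client, sport + 1, reply.payload), now + 0.05),
        # State entries have a lifetime; a reply long after the query is dropped too.
        "late_reply_passed": fw.inbound(reply, now + 2 * STATE_TIMEOUT),
        # Nothing else is opened outbound: UDP to port 124 is still blocked.
        "other_port_passed": fw.outbound(Packet(client, sport, server, 124, b""), now),
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```

The point to take from the run is that no inbound port is ever "open": the reply is accepted only because the outbound request left a (src, sport, dst, 123) entry behind, so the same reply from another source address, to another client port, or after the entry has expired is dropped. Real pf keys its UDP state on the same four-tuple and expires it on a timer (tunable with the udp.* timeouts) rather than strictly on receipt of one reply.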