* NTP
@ 2004-07-02 10:57 Steve Comfort
2004-07-02 11:06 ` NTP Gavin Hamill
2004-07-02 11:08 ` NTP Antony Stone
0 siblings, 2 replies; 9+ messages in thread
From: Steve Comfort @ 2004-07-02 10:57 UTC (permalink / raw)
To: netfilter
Hi all,
Could someone tell me what rules I need in order to enable NTP?
Best regards
Steve
* Re: NTP
From: Gavin Hamill @ 2004-07-02 11:06 UTC (permalink / raw)
To: netfilter
On Friday 02 July 2004 11:57, Steve Comfort wrote:
> Hi all,
>
> Could someone tell me what rules I need in order to enable NTP?
Simply allow incoming UDP on port 123. The 'normal' way is for both the source
and destination ports to be 123, but it is common (esp. with debugging) for
the source port to be >1024.
Cheers,
Gavin.
* Re: NTP
From: Antony Stone @ 2004-07-02 11:08 UTC (permalink / raw)
To: netfilter
On Friday 02 July 2004 11:57 am, Steve Comfort wrote:
> Hi all,
>
> Could someone tell me what rules I need in order to enable NTP?
NTP uses UDP port 123.
What rules you need depends on what you're trying to do - run an NTP server
(allow UDP 123 in the INPUT chain), access an NTP server (allow UDP 123 in
the OUTPUT chain), or allow clients and servers to talk to each other through
a router (allow UDP 123 through the FORWARD chain).
If in doubt, add a LOG rule, try using the protocol, and see what gets logged
- that will tell you what sort of packets you need to ACCEPT instead.
Regards,
Antony.
--
Software development can be quick, high quality, or low cost.
The customer gets to pick any two out of three.
Please reply to the list;
please don't CC me.
* RE: NTP
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-07-02 16:28 UTC (permalink / raw)
To: 'Gavin Hamill', netfilter
Do not, I repeat, do not allow inbound NTP with a source port above the root
ports.
####################################
# delbert.hudson@losangeles.af.mil #
# 61cs/scbn, 3-0182 #
####################################
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Gavin Hamill
Sent: Friday, July 02, 2004 4:07 AM
To: netfilter@lists.netfilter.org
Subject: Re: NTP
On Friday 02 July 2004 11:57, Steve Comfort wrote:
> Hi all,
>
> Could someone tell me what rules I need in order to enable NTP?
Simply allow incoming UDP on port 123. The 'normal' way is for both the source
and destination ports to be 123, but it is common (esp. with debugging) for
the source port to be >1024.
Cheers,
Gavin.
* Re: NTP
From: Antony Stone @ 2004-07-02 18:06 UTC (permalink / raw)
To: netfilter
On Friday 02 July 2004 5:28 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:
> Do not, I repeat, do not allow inbound NTP with a source port above the
> root ports.
Why not? What difference does the client's source port make?
Antony.
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Gavin Hamill
> Sent: Friday, July 02, 2004 4:07 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: NTP
>
> On Friday 02 July 2004 11:57, Steve Comfort wrote:
> > Hi all,
> >
> > Could someone tell me what rules I need in order to enable NTP?
>
> Simply allow incoming UDP on port 123. The 'normal' way is for both the source
> and destination ports to be 123, but it is common (esp. with debugging) for
> the source port to be >1024.
>
> Cheers,
> Gavin.
--
There's no such thing as bad weather - only the wrong clothes.
- Billy Connolly
Please reply to the list;
please don't CC me.
* RE: NTP
From: Mark E. Donaldson @ 2004-07-02 19:23 UTC (permalink / raw)
To: netfilter
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
> Sent: Friday, July 02, 2004 11:07 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: NTP
>
> On Friday 02 July 2004 5:28 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:
> > Do not, I repeat, do not allow inbound NTP with a source port above
> > the root ports.
>
> Why not? What difference does the client's source port make?
>
> Antony.
Yes - I'm quite curious about this too as the protocol "normally" acts as
follows:
Client > 1023 -> Server 123
Server 123 -> Client > 1023
Server 123 -> Server 123
* Re: NTP
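The two technical points in this thread are Antony's "add a LOG rule, see what gets logged, then ACCEPT that" method and Mark's three-line summary of how NTP traffic normally flows. The following is an added example, not code from the thread or from the netfilter project: a small Python parser that reads netfilter LOG lines (the key=value layout `IN= OUT= SRC= DST= PROTO= SPT= DPT=` that the kernel LOG target writes), works out from IN=/OUT= which chain the packet traversed (INPUT, OUTPUT or FORWARD), classifies the NTP flow against Mark's table, and emits the iptables ACCEPT rule that would have matched. The sample log lines and addresses are constructed for the example; "> 1023" from Mark's table is rendered as the port range 1024:65535.

```python
import re

# Constructed sample LOG output (not taken from the thread). Only the fields
# the example needs are included; real kernel LOG lines carry more.
SAMPLE_LOG_LINES = [
    "IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=UDP SPT=123 DPT=123",      # peer -> us
    "IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 PROTO=UDP SPT=45231 DPT=123",    # client -> our server
    "IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.11 PROTO=UDP SPT=123 DPT=45231",    # our server -> client
    "IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.5 PROTO=UDP SPT=123 DPT=123",    # us -> upstream peer
    "IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.5 PROTO=UDP SPT=52000 DPT=123",  # routed LAN client
    "IN=eth0 OUT= SRC=192.0.2.12 DST=192.0.2.1 PROTO=TCP SPT=4444 DPT=22",      # not NTP at all
]

# Every LOG field is "KEY=value"; an empty value (e.g. "OUT=") is legal.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Port match for each flow in Mark's table (assumed mapping, "> 1023" -> 1024:65535).
PORT_MATCH = {
    "client-to-server": "--sport 1024:65535 --dport 123",
    "server-to-client": "--sport 123 --dport 1024:65535",
    "peer": "--sport 123 --dport 123",
}


def parse_log_line(line):
    """Turn one LOG line into a dict of its KEY=value fields."""
    return dict(FIELD_RE.findall(line))


def chain_for(fields):
    """IN only -> INPUT, OUT only -> OUTPUT, both -> FORWARD (Antony's three cases)."""
    has_in = bool(fields.get("IN"))
    has_out = bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_in:
        return "INPUT"
    if has_out:
        return "OUTPUT"
    return None


def ntp_flow(fields):
    """Classify a UDP packet against Mark's table; None if it is not NTP."""
    if fields.get("PROTO") != "UDP":
        return None
    spt = int(fields.get("SPT", -1))
    dpt = int(fields.get("DPT", -1))
    if spt == 123 and dpt == 123:
        return "peer"               # Server 123 -> Server 123
    if dpt == 123 and spt > 1023:
        return "client-to-server"   # Client > 1023 -> Server 123
    if spt == 123 and dpt > 1023:
        return "server-to-client"   # Server 123 -> Client > 1023
    return None


def suggest_rule(line):
    """Return (chain, flow, iptables rule) for an NTP LOG line, else None."""
    fields = parse_log_line(line)
    chain = chain_for(fields)
    flow = ntp_flow(fields)
    if chain is None or flow is None:
        return None
    rule = f"iptables -A {chain} -p udp"
    if chain != "OUTPUT":
        rule += f" -i {fields['IN']}"
    if chain != "INPUT":
        rule += f" -o {fields['OUT']}"
    rule += f" {PORT_MATCH[flow]} -j ACCEPT"
    return chain, flow, rule


def summarize(lines):
    """Deduplicated list of rules suggested by a batch of LOG lines, in first-seen order."""
    seen = []
    for line in lines:
        result = suggest_rule(line)
        if result is not None and result[2] not in seen:
            seen.append(result[2])
    return seen


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(suggest_rule(line))
    print("\n".join(summarize(SAMPLE_LOG_LINES)))
```

Run it against the output of a rule such as `iptables -A INPUT -p udp --dport 123 -j LOG` (or the equivalent on OUTPUT/FORWARD) to see which of the three flows your box actually sees before writing the ACCEPT rules; a line that maps to `None` is simply not NTP and belongs to some other conversation.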
From: Gavin Hamill @ 2004-07-02 19:40 UTC (permalink / raw)
To: netfilter
On Friday 02 July 2004 17:28, Hudson Delbert J Contr 61 CS/SCBN wrote:
> Do not, I repeat, do not allow inbound NTP with a source port above the
> root ports.
Hi Delbert - would you mind expanding on this to include the reasons why?
Cheers,
Gavin.
* Re: NTP
From: Antony Stone @ 2004-07-05 18:23 UTC (permalink / raw)
To: netfilter
On Friday 02 July 2004 5:28 pm, Hudson Delbert J Contr 61 CS/SCBN wrote:
> Do not, I repeat, do not allow inbound NTP with a source port above the
> root ports.
Was there ever a follow-up reply about this?
Several people asked for more details, a bit of explanation, or a reference to
find out more - I didn't see anything back again from Hudson Delbert J Contr?
I'd be very interested to know the reason for the recommendation.
Regards,
Antony.
--
Perfection in design is achieved not when there is nothing left to add, but
rather when there is nothing left to take away.
- Antoine de Saint-Exupery
Please reply to the list;
please don't CC me.
* RE: NTP
From: Rob Sterenborg @ 2004-07-05 19:27 UTC (permalink / raw)
To: netfilter
> > Do not, I repeat, do not allow inbound NTP with a source port above
> > the root ports.
>
> Was there ever a follow-up reply about this?
Not according to my mail history.
Maybe he went on holiday and therefore cannot elaborate on this ..?
Gr,
Rob