LinuxQuestions.org


borgy95 05-28-2012 04:02 AM

inbound/outbound connections required for NTP?
 
Just wanted to check,

Is an inbound and outbound connection on port 123 required for NTP? Or can I establish an outbound connection only?

If in/outbound is normally required, is there a way to work it outbound only, as the firewall policy I am under blocks all inbound connections from being established.

acid_kewpie 05-28-2012 04:21 AM

The client would go to the server, which mostly would be seen as an "outbound" connection based on an average network. This is on UDP 123.

borgy95 05-28-2012 06:07 AM

That's good. As long as the NTP server never needs to generate an inbound connection I'm a happy chap. Thanks.

acid_kewpie 05-28-2012 06:13 AM

Oh no, public NTP servers, like the ones listed under pool.ntp.org, would have to send data out to thousands and thousands of systems!

borgy95 05-28-2012 06:16 AM

Quote:

Originally Posted by acid_kewpie (Post 4689347)
oh no, public NTP servers list ones available under pool.ntp.org would have to send data out to thousands and thousands of systems!

You're confusing me now hehe :)

Is that "oh no, they don't need to create inbound connections because xxxx"?

I'm pretty sure that's what you mean, but when I set this up I have to be 100%.

acid_kewpie 05-28-2012 06:37 AM

A server has no idea who its clients are, it's totally stateless, and in a standard client / server style usage there is only ever a request from the client to the server, which is a request for the current time. There is, to my knowledge, no other NTP request possible. It's not possible to "send" the time, only request it.

borgy95 05-28-2012 06:55 AM

Great, thanks for taking the time to explain this.

rrdansmith 02-08-2013 08:11 AM

Just in case anyone else was looking...this thread seems a bit misleading.

NTP is a UDP based protocol. That means that there is no end to end communication. You send a packet or you receive a packet, and that's the end of it.

With NTP, you send a request packet out. The server then sends a response packet back.
Those are two separate connections...so it is required that your firewall allow NTP (123/udp) inbound as well as outbound.

As far as I know, there isn't a way to do NTP without opening your firewall, using a DMZ, or setting up your own stratum 1 server.

acid_kewpie 02-08-2013 08:33 AM

No dude, that's not true at all. Any decent firewall will permit connection tracking on UDP. You couldn't possibly do NAT if it couldn't. If I have 20 PCs on a private LAN and they all sync to pool.ntp.org, in your explanation a client sends an NTP query, the firewall NATs the LAN IP to a public IP and off it goes. Independently, and supposedly oblivious to the request being made, an unknown server on the internet fires an NTP response at the firewall. What then? How is this data ever supposed to get back to the internal client? Why would a client allow it blindly in?

UDP originally mandated 123 as the SOURCE port, but this is no longer required in any modern implementation of the service.

I'd suggest you read up more about UDP in general before signing up just to provide incorrect information :-)

But now you have signed up, please feel more than welcome to stay a while.
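Added example, not from the thread: a minimal NTP (RFC 5905) request/reply exchange in Python with constructed timestamps, run offline. It shows that the whole exchange is one client-initiated mode 3 packet plus one mode 4 reply addressed back to the client's own source port, which is the reversed 5-tuple a stateful firewall matches on; the stand-in server, the addresses and the timestamp values are all constructed for the example.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800       # seconds from 1900-01-01 to 1970-01-01
# li/vn/mode, stratum, poll, precision, root delay, root dispersion, ref id,
# then reference / origin / receive / transmit timestamps: 48 bytes in total
NTP_FORMAT = "!BBbbIIIQQQQ"
MODE_CLIENT, MODE_SERVER = 3, 4

def to_ntp(unix_time):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac

def from_ntp(ts):
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)

def build_client_request(t1):
    """Mode 3 packet sent from an ephemeral port; only transmit timestamp (T1) set."""
    return struct.pack(NTP_FORMAT, (4 << 3) | MODE_CLIENT, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, to_ntp(t1))

def build_server_reply(request, t2, t3):
    """Constructed stand-in for a stratum-2 server: echoes T1 as origin, adds T2/T3."""
    t1 = struct.unpack(NTP_FORMAT, request)[10]
    return struct.pack(NTP_FORMAT, (4 << 3) | MODE_SERVER, 2, 6, -20,
                       0, 0, 0, 0, t1, to_ntp(t2), to_ntp(t3))

def parse_server_reply(data, t4):
    """Clock offset and round-trip delay from T1..T4 (RFC 5905 formulas)."""
    f = struct.unpack(NTP_FORMAT, data)
    if f[0] & 0x7 != MODE_SERVER:
        raise ValueError("not a mode-4 server reply")
    t1, t2, t3 = (from_ntp(f[i]) for i in (8, 9, 10))
    return {"stratum": f[1],
            "offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2)}

def reply_matches_request(request, reply):
    """The check a stateful firewall makes: reply is the request's 5-tuple reversed."""
    proto, src, sport, dst, dport = request
    return reply == (proto, dst, dport, src, sport)

def demo():
    """Constructed exchange: server clock 0.5 s ahead of the client, 40 ms round trip."""
    t1 = 1338199320.0                               # constructed client send time
    req = build_client_request(t1)
    rep = build_server_reply(req, t1 + 0.52, t1 + 0.521)
    return parse_server_reply(rep, t1 + 0.041)
```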
