LinuxQuestions.org
Forums > Linux Forums > Linux - Networking
Old 09-17-2014, 05:05 PM   #1
Sum1
Member
Registered: Jul 2007
Distribution: Fedora, CentOS, and would like to get back to Gentoo
Posts: 332
["SOLVED"] ntp requires open udp port 123


Got caught in a logic loop trying to sync time on my router/gateway today.

It turns out you can avoid much "testing" if you have the correct port open to allow the ntp daemon to do its job.

Code:
# $IPT holds the path to the iptables binary, e.g. IPT=/sbin/iptables
$IPT -t filter -I INPUT -p udp --dport 123 -j ACCEPT    # accept NTP packets arriving on UDP 123
$IPT -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT   # allow outbound NTP queries to UDP 123
HTH. :-)
 
Old 09-17-2014, 05:31 PM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Hmmm, if you're using a strict policy (default DROP and allowing traffic using explicit ACCEPT rules) then IMHO both clients and server should have an "INPUT -m state --state ESTABLISHED -j ACCEPT" rule (receive answers), clients should have an "OUTPUT -m state --state NEW -p udp -d [LAN_NTPd] --dport 123 -j ACCEPT" rule (send requests to the LAN NTP server == router/gateway), and the router/gateway should have the "INPUT -m state --state NEW -p udp -s [LAN_clients] --dport 123 -j ACCEPT" and "OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT" rules. If you had those rules in place you would have avoided, for example, being part of a public CVE-2013-5211 DoS even if you had been running a vulnerable NTPd. On top of that the NTP daemon should be configured to only listen on the LAN side and only accept time corrections from well-known higher-stratum (lower number) NTP servers. Just my two cents.
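The stateful rule set described in this reply, written out as an added example (not code from either poster) with a DRY_RUN preview so the rules can be reviewed before they touch a live firewall. The IPT path, the LAN range LAN_NET and the gateway address LAN_NTPD are assumed, constructed values.

```shell
#!/bin/sh
# Added example: stateful NTP firewall rules for a router/gateway and its LAN
# clients. IPT, LAN_NET and LAN_NTPD are assumed values; adjust for your network.
IPT=${IPT:-/sbin/iptables}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # constructed: the LAN client range
LAN_NTPD=${LAN_NTPD:-192.168.1.1}    # constructed: the router/gateway running ntpd
DRY_RUN=${DRY_RUN:-0}

# run: print the rule when DRY_RUN=1, otherwise execute it (needs root)
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# strict_policy: default DROP, so only explicit ACCEPT rules let traffic through
strict_policy() {
    run "$IPT" -t filter -P INPUT DROP
    run "$IPT" -t filter -P OUTPUT DROP
}

# Router/gateway: accept replies to its own requests, accept NEW NTP requests
# only from LAN sources (so an ntpd reachable from the Internet cannot be used
# as a reflector, cf. CVE-2013-5211), and let its own NTP queries out.
ntp_gateway_rules() {
    run "$IPT" -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
    run "$IPT" -t filter -A INPUT -m state --state NEW -p udp -s "$LAN_NET" --dport 123 -j ACCEPT
    run "$IPT" -t filter -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
}

# LAN client: accept replies, and send NEW NTP requests only to the LAN NTP server
ntp_client_rules() {
    run "$IPT" -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
    run "$IPT" -t filter -A OUTPUT -m state --state NEW -p udp -d "$LAN_NTPD" --dport 123 -j ACCEPT
}

# Usage: DRY_RUN=1 sh ntp-fw.sh gateway|client   (preview the rules)
#        sh ntp-fw.sh gateway|client             (apply them, as root)
case "${1:-}" in
    gateway) strict_policy; ntp_gateway_rules ;;
    client)  strict_policy; ntp_client_rules ;;
esac
```

Compare the gateway INPUT rule with the one in post #1: the `-s "$LAN_NET"` and `--state NEW` qualifiers are what keep UDP/123 from being open to the whole Internet.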