Why does NTP require bi-directional firewall access to UDP port 123?

From What are the iptables rules to permit ntp?:

iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

Also, from the NTP website:

... ntpd requires full bidirectional access to the privileged UDP port 123. ...

My question is, why? To someone not familiar with NTP, this seems like a potential security hole, especially when I'm asking a client of mine to open up that port in their firewall so that my servers can keep their time synchronised. Does anyone have a decent justification I can give to my client to convince them that I need this access in the firewall? Help is appreciated! :)


Solution 1:

You only need to allow incoming traffic on NTP's port if you are acting as a server, allowing clients to sync to you.

Otherwise, the existence of an NTP state will automatically determine whether the incoming NTP packet is blocked or allowed by an existing firewall state that we initiated.

iptables -A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Please let me know if the iptables rules are proper. I have no experience with iptables. My NTP client stays synchronized on my pfSense router with only an outgoing allow rule because pfSense is a stateful firewall.

Solution 2:

NTP requires bi-directional access on port 123 because the NTP RFC specifies the following regarding the source port of the client:

When operating in symmetric modes (1 and 2), this field must contain the NTP port number PORT (123) assigned by the IANA.

Since the client's source port is 123, when the server sends the response back it'll send it to port 123. Naturally, in order to be able to receive that response the client must allow incoming responses on port 123. Normally responses would come back on some ephemeral port range.

As Ben Cook mentioned above, this is only required when dealing with a stateless firewall as a stateful firewall would allow the response to come back without an explicit rule.
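To make the stateless-versus-stateful point from Solution 1 and Solution 2 concrete, here is a small model of a packet filter, added as an example and not part of the original thread. It encodes the question's two explicit rules and Solution 1's two rules, then runs one NTP request/reply pair (client source port 123, as the symmetric-mode quote requires) plus an unsolicited packet to port 123 through each. The addresses, the `Rule`/`Packet` classes and the simplified conntrack table are assumptions made for illustration; they are not iptables internals, and "RELATED" is accepted by name only.

```python
# Added example, not from the original thread: a toy model of a stateless
# versus a stateful packet filter handling an NTP exchange on UDP/123.
# Addresses, rule syntax and the conntrack model are simplified assumptions.
from dataclasses import dataclass
from typing import Optional

NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    chain: str        # "INPUT" (arriving at this host) or "OUTPUT" (leaving it)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                      # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: Optional[str] = None      # e.g. "ESTABLISHED,RELATED" (stateful match)

    def matches(self, pkt: Packet, pkt_state: str) -> bool:
        if self.chain != pkt.chain:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.state is not None and pkt_state not in self.state.split(","):
            return False
        return True


class Firewall:
    """First matching rule wins; anything unmatched falls to a DROP policy."""

    def __init__(self, rules, stateful: bool):
        self.rules = list(rules)
        self.stateful = stateful
        # Flows this host initiated or accepted: (local_port, remote_ip, remote_port).
        self.conntrack = set()

    def _flow_key(self, pkt: Packet):
        # Normalise both directions of one UDP "connection" to the same key.
        if pkt.chain == "OUTPUT":
            return (pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dport, pkt.src, pkt.sport)

    def evaluate(self, pkt: Packet) -> str:
        key = self._flow_key(pkt)
        # A stateless filter never sees anything but NEW, so state rules never match.
        pkt_state = "ESTABLISHED" if (self.stateful and key in self.conntrack) else "NEW"
        verdict = "DROP"
        for rule in self.rules:
            if rule.matches(pkt, pkt_state):
                verdict = rule.target
                break
        if verdict == "ACCEPT" and self.stateful:
            self.conntrack.add(key)
        return verdict


# The question's rules: explicit allow in both directions (works without state).
STATELESS_RULES = [
    Rule("INPUT", "ACCEPT", proto="udp", dport=NTP_PORT),
    Rule("OUTPUT", "ACCEPT", proto="udp", sport=NTP_PORT),
]

# Solution 1's rules: outbound 123 -> 123 only, plus a state match inbound.
STATEFUL_RULES = [
    Rule("OUTPUT", "ACCEPT", proto="udp", sport=NTP_PORT, dport=NTP_PORT),
    Rule("INPUT", "ACCEPT", state="ESTABLISHED,RELATED"),
]

# Constructed documentation-range addresses.
CLIENT, SERVER, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.7"


def exchange(fw: Firewall, client_sport: int = NTP_PORT):
    """One request from this host to the server; returns (request, reply) verdicts."""
    request = Packet("OUTPUT", CLIENT, client_sport, SERVER, NTP_PORT)
    reply = Packet("INPUT", SERVER, NTP_PORT, CLIENT, client_sport)
    return fw.evaluate(request), fw.evaluate(reply)


def unsolicited(fw: Firewall) -> str:
    """A packet to our port 123 from a host we never talked to."""
    return fw.evaluate(Packet("INPUT", STRANGER, NTP_PORT, CLIENT, NTP_PORT))


if __name__ == "__main__":
    print("question's rules, stateless:", exchange(Firewall(STATELESS_RULES, False)),
          "unsolicited:", unsolicited(Firewall(STATELESS_RULES, False)))
    print("solution 1 rules, stateful:", exchange(Firewall(STATEFUL_RULES, True)),
          "unsolicited:", unsolicited(Firewall(STATEFUL_RULES, True)))
    print("solution 1 rules, stateless:", exchange(Firewall(STATEFUL_RULES, False)))
```

The three runs show the trade-off the thread describes: the question's explicit pair passes the reply on any filter but also accepts unsolicited packets to port 123 (the exposure the client is worried about); Solution 1's pair on a stateful filter passes the reply only because the outbound request created a conntrack entry, and drops the stranger; and the same pair on a stateless filter drops the reply, which is exactly why Solution 2 says the explicit inbound rule is only needed there.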