NTP

NTP stands for Network Time Protocol. NTP is used for synchronizing computer clocks. The synchronization normally uses a computer with a very accurate clock as the reference, e.g. a computer driven by an atomic clock.

A client computer wanting to synchronize with a server via NTP sends UDP packets to port 123 on the server. The source port on the client is either port 123 (a full NTP daemon) or an unprivileged high port (most simple clients). The server returns its reply using UDP from port 123 to whichever port the request came from on the client computer.

Two NTP servers communicating with each other use port 123 and the UDP protocol.
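The exchange described above, as an added example that is not part of the original page: a client builds a 48-byte mode-3 request, the server answers with a mode-4 reply that echoes the client's transmit timestamp, and the client computes its clock offset and the round-trip delay from the four timestamps. The packet layout and the offset/delay formulas are the standard NTP ones; the sample times in simulate_exchange are constructed, and the server reply's stratum and reference ID are assumed values.

```python
import socket
import struct
import time

NTP_PORT = 123
NTP_PACKET = "!BBBbII4sQQQQ"   # LI/VN/Mode, stratum, poll, precision, root delay,
                               # root dispersion, reference ID, 4 x 64-bit timestamps (48 bytes)
NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)


def to_ntp(unix_time):
    """Unix time (float seconds) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_time) + NTP_UNIX_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (whole << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix time (float seconds)."""
    return (ts >> 32) - NTP_UNIX_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def parse_packet(data):
    """Decode the fixed 48-byte NTP header into a dict (timestamps left as raw integers)."""
    if len(data) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    f = struct.unpack(NTP_PACKET, data[:48])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "poll": f[2], "precision": f[3],
            "reference": f[7], "originate": f[8], "receive": f[9], "transmit": f[10]}


def build_client_request(client_time, version=4):
    """Mode 3 (client) packet: everything zero except our transmit timestamp (T1)."""
    first = (0 << 6) | (version << 3) | 3
    return struct.pack(NTP_PACKET, first, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, to_ntp(client_time))


def build_server_reply(request, receive_time, transmit_time, stratum=1, ref_id=b"GPS\0"):
    """Mode 4 (server) reply. The client's T1 is copied into the originate field so the
    client can match the reply to its request; T2/T3 come from the server's own clock.
    stratum=1 and ref_id=b"GPS\\0" are assumed values for a reference-clock server."""
    req = parse_packet(request)
    if req["mode"] != 3:
        raise ValueError("not a client request")
    first = (0 << 6) | (req["version"] << 3) | 4
    return struct.pack(NTP_PACKET, first, stratum, req["poll"], -20, 0, 0, ref_id,
                       to_ntp(receive_time), req["transmit"],
                       to_ntp(receive_time), to_ntp(transmit_time))


def is_reply_to(reply, t1):
    """A genuine reply echoes exactly the T1 we sent; anything else is unsolicited or spoofed."""
    return parse_packet(reply)["originate"] == to_ntp(t1)


def offset_and_delay(reply, t1, client_receive_time):
    """Standard NTP clock offset and round-trip delay from the four timestamps T1..T4."""
    rep = parse_packet(reply)
    if rep["mode"] != 4:
        raise ValueError("not a server reply")
    if not is_reply_to(reply, t1):
        raise ValueError("originate timestamp does not match our request")
    t2, t3, t4 = from_ntp(rep["receive"]), from_ntp(rep["transmit"]), client_receive_time
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def simulate_exchange(true_time, client_clock_error, network_hop=0.01):
    """Constructed offline exchange: the client's clock is off by client_clock_error
    seconds, the server's clock is correct, and each network hop takes network_hop seconds."""
    t1 = true_time + client_clock_error                    # client's (wrong) clock at send
    request = build_client_request(t1)
    t2 = true_time + network_hop                           # server's clock at receipt
    t3 = t2 + 0.001                                        # server's clock when it replies
    reply = build_server_reply(request, t2, t3)
    t4 = true_time + 2 * network_hop + 0.001 + client_clock_error   # client's clock at receipt
    return offset_and_delay(reply, t1, t4)


def query_server(host, port=NTP_PORT, timeout=2.0):
    """Real query: the OS picks an unprivileged high source port and the request goes to
    UDP 123; connect() makes the kernel discard datagrams from any other source."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        t1 = time.time()
        s.send(build_client_request(t1))
        data = s.recv(512)
        return offset_and_delay(data, t1, time.time())
```

simulate_exchange(1700000000.0, 5.0) reports an offset of about -5.0 s (the client is 5 s fast) and a delay of 0.02 s. The originate-timestamp check is what lets a client ignore a forged reply that arrives with source port 123 but was never asked for; it is cheap and worth keeping in any hand-rolled client.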

This corresponds to the following service definitions:

Services

Name        Protocol   Firewall type    Client ports       Server ports
ntp         UDP        Packet filter    123, 1024-65535    123
ntp-reply   UDP        Packet filter    123                123, 1024-65535

Outgoing NTP configuration

Using Rules (no NAT)

For the client and the server to be able to communicate, you need two rules, one for each direction. Allow the ntp service from the Inside to the Internet and the ntp-reply service from the Internet to the Inside. N.B.: By doing this, you open all high UDP ports on the Inside to packets from the Internet with source port 123, because a packet filter without connection tracking cannot tell a genuine reply from a packet an attacker sent with source port 123. You will have to block services that should not be available by creating firewall rules rejecting the traffic. These rejecting rules must come before the ntp rules in the firewall table, since the first matching rule decides. It is advisable to block SMB, NFS and X.

Rules

Client     Server     Service     Action
Inside     Internet   ntp         Allow
Internet   Inside     ntp-reply   Allow

Using Rules (NAT)

For the client and the server to be able to communicate, you need one rule from the Inside to the Internet. The replies need no rules, as the NAT system tracks the outgoing request and admits the matching reply automatically.

Rules

Client   Server     Service   Action
Inside   Internet   ntp       Allow
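To make the difference between the two outgoing configurations concrete, here is an added example (not code from the original page or the firewall it describes) that models both: a first-match packet filter loaded with the page's Services and Rules tables, and a stateful variant standing in for the NAT case, where replies are admitted only if they reverse a flow the Inside opened. The nfs service definition (UDP, server port 2049) is an assumed definition added for the demonstration; the packets are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    proto: str
    client_ports: tuple   # (lo, hi) ranges, as in the page's "Client ports" column
    server_ports: tuple   # (lo, hi) ranges, as in the page's "Server ports" column


@dataclass(frozen=True)
class Rule:
    client_zone: str
    server_zone: str
    service: str
    action: str           # "Allow" or "Reject"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    sport: int
    dport: int


# Service definitions from the page's Services table; "nfs" is an assumed extra definition
# standing in for one of the services the page advises blocking.
SERVICES = {
    "ntp":       Service("UDP", ((123, 123), (1024, 65535)), ((123, 123),)),
    "ntp-reply": Service("UDP", ((123, 123),), ((123, 123), (1024, 65535))),
    "nfs":       Service("UDP", ((1, 65535),), ((2049, 2049),)),
}


def _in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def rule_matches(rule, pkt):
    svc = SERVICES[rule.service]
    return (pkt.src_zone == rule.client_zone and pkt.dst_zone == rule.server_zone
            and pkt.proto == svc.proto
            and _in_ranges(pkt.sport, svc.client_ports)
            and _in_ranges(pkt.dport, svc.server_ports))


def stateless_verdict(rules, pkt):
    """First matching rule decides, default deny: models the 'Using Rules (no NAT)' table."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "Deny"


class StatefulFilter:
    """Models the NAT case: only the outbound rule is configured, and an inbound packet is
    admitted only if it is the reverse of a flow that an allowed outbound packet created."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def verdict(self, pkt):
        key = (pkt.proto, pkt.src_zone, pkt.sport, pkt.dst_zone, pkt.dport)
        reverse = (pkt.proto, pkt.dst_zone, pkt.dport, pkt.src_zone, pkt.sport)
        if reverse in self.flows:
            return "Allow"                      # reply to a flow the Inside opened
        v = stateless_verdict(self.rules, pkt)
        if v == "Allow":
            self.flows.add(key)
        return v


def demo():
    """Constructed packets: a real request/reply pair, and an Internet-sourced probe that
    uses source port 123 to reach an internal NFS port."""
    page_rules = [Rule("Inside", "Internet", "ntp", "Allow"),
                  Rule("Internet", "Inside", "ntp-reply", "Allow")]
    reject_nfs = Rule("Internet", "Inside", "nfs", "Reject")
    request = Packet("Inside", "Internet", "UDP", 40000, 123)
    reply = Packet("Internet", "Inside", "UDP", 123, 40000)
    probe = Packet("Internet", "Inside", "UDP", 123, 2049)
    nat = StatefulFilter([Rule("Inside", "Internet", "ntp", "Allow")])
    return {
        "request": stateless_verdict(page_rules, request),
        "reply": stateless_verdict(page_rules, reply),
        "probe_page_rules": stateless_verdict(page_rules, probe),           # the exposure
        "probe_reject_first": stateless_verdict([reject_nfs] + page_rules, probe),
        "probe_reject_last": stateless_verdict(page_rules + [reject_nfs], probe),
        "nat_request": nat.verdict(request),
        "nat_reply": nat.verdict(reply),
        "nat_probe": nat.verdict(probe),
    }
```

demo() shows the two points the page makes: with the no-NAT rule pair the NFS probe is allowed, it is rejected only when the reject rule precedes the ntp rules (placing it afterwards changes nothing), and the stateful filter passes the genuine reply while dropping the probe without any reject rule at all.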

Incoming NTP configuration

Using Rules (no NAT)

For the client and the server to be able to communicate, you need two rules, one for each direction. Allow the ntp service from the Internet to the ntp server and the ntp-reply service from the ntp server to the Internet.

Rules

Client       Server       Service     Action
Internet     ntp server   ntp         Allow
ntp server   Internet     ntp-reply   Allow

Using Relays (NAT/no NAT)

Use a relay to forward ntp connections to a computer. Example (supposing the internal ntp server has the IP address 192.168.1.17):

Relays

Listen to ...                Relay to ...                    Relay type   Allow access from
IP address          Port     DNS name or IP address   Port                Networks
Outside (1.2.3.4)   123      192.168.1.17             123    UDP relay    Internet

With an ordinary UDP relay the internal server sees the firewall as the source of every request. If you want the server to know the IP addresses of the clients, change the UDP relay to a semitransparent UDP port forwarding.

N.B.: The visitors should connect to the outside address of the firewall, since addresses inside a NATed network aren't visible from the outside.