Date:      Mon, 28 Jan 2002 14:04:34 -0800
From:      "Steve Wingate" <steve@velosystems.net>
To:        "Mark Rowlands" <fuc952d@tninet.se>, "Jonathan Chen" <jonc@chen.org.nz>, <devin-freebsdquestions@rintrah.org>
Cc:        "Marco Radzinschi" <marco@radzinschi.com>, <freebsd-questions@FreeBSD.ORG>
Subject:   Re: NTP behind NAT box?
Message-ID:  <001501c1a847$c52b53e0$0501a8c0@VELOSYSTEMS.NET>
References:  <20020122085250.N7705-100000@mail.radzinschi.com> <20020128072745.A76592@tharmas.rintrah.org> <20020129075727.A2307@grimoire.chen.org.nz> <20020128220550.2293E37B416@hub.freebsd.org>

> > > > I am running ntpd on a machine behind a router which is taking
> > > > care of NAT.  I have the router forwarding UDP packets on port 123 to
> > > > said machine, and NTP is working.
> > > >
> > > > Now, do I really need to be forwarding UDP/123 to that machine, or will
> > > > ntpd work without it?
> > >
> > > ntpd will make outbound connections to sync the box it is running on with
> > > whatever ntp server you connect to in the outside world.
> > >
> > > in this case you don't need to be forwarding port 123 to it (in fact,
> > > that might be a bad idea...)
> >
> > Hmm. I've just played around with this recently, and it looks like one
> > *does* need to forward port 123. A quick check with "ntpq -p" shows that
> > if you don't forward the port, all of the servers you try to sync with
> > are marked as "rejected".
> >
>
> I run a freebsd firewall / router with ipf and nat, have no ports forwarded
> and ntpd runs fine.
>
> --
I would think if you're keeping state on your outgoing connections that
would allow the external NTP response back in. If you're worried about
security you could pick 1-2 NTP servers and allow traffic to port 123 from
those IPs only, I suppose. I have port 123 NAT'ed to an internal Sparc 20
and my internal machines sync from that. I used to run the NTP server on the
gateway box itself.
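
The stateful approach and the server restriction suggested in the reply above, written as an ipf.conf fragment. This is an added example, not part of the original message or any poster's configuration; the interface name fxp0 and the server addresses (documentation ranges) are assumptions.

```conf
# Added example. Placeholders (assumptions, not from the thread):
#   fxp0                        external interface of the ipf/NAT box
#   192.0.2.10, 198.51.100.20   the one or two chosen NTP servers

# Variant A: sync with any outside server. The outbound query creates a
# state entry; the server's reply matches that entry and is let back in,
# so no inbound pass rule and no port forward is involved.
# pass out quick on fxp0 proto udp from any to any port = 123 keep state

# Variant B: sync only with the chosen servers (use instead of A).
pass out quick on fxp0 proto udp from any to 192.0.2.10/32 port = 123 keep state
pass out quick on fxp0 proto udp from any to 198.51.100.20/32 port = 123 keep state
block out quick on fxp0 proto udp from any to any port = 123

# Variant C: only if UDP/123 is forwarded to an internal NTP host.
# Accept the forwarded traffic from the chosen servers and nothing else.
# pass in quick on fxp0 proto udp from 192.0.2.10/32 to any port = 123
# pass in quick on fxp0 proto udp from 198.51.100.20/32 to any port = 123

# All variants: inbound NTP that matches neither a state entry nor a
# pass rule above is dropped. The state table is consulted before the
# rule list, so replies to our own queries never reach this rule.
block in quick on fxp0 proto udp from any to any port = 123
```

After loading the rules, "ntpq -p" on the client shows whether the configured servers are being reached.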


