From owner-freebsd-questions Mon Jan 28 14:17:24 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.velosystems.net (cx144844-b.pv1.ca.home.com [24.9.137.174]) by hub.freebsd.org (Postfix) with ESMTP id 53FD437B41E for ; Mon, 28 Jan 2002 14:17:11 -0800 (PST)
Received: from win2kads (ms [192.168.1.5]) by mail.velosystems.net (Postfix) with SMTP id 5B34A50783; Mon, 28 Jan 2002 14:17:08 -0800 (PST)
Message-ID: <001501c1a847$c52b53e0$0501a8c0@VELOSYSTEMS.NET>
From: "Steve Wingate"
To: "Mark Rowlands", "Jonathan Chen"
Cc: "Marco Radzinschi"
References: <20020122085250.N7705-100000@mail.radzinschi.com> <20020128072745.A76592@tharmas.rintrah.org> <20020129075727.A2307@grimoire.chen.org.nz> <20020128220550.2293E37B416@hub.freebsd.org>
Subject: Re: NTP behind NAT box?
Date: Mon, 28 Jan 2002 14:04:34 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> > > > I am running ntpd on a machine behind a router which is taking
> > > > care of NAT. I have the router forwarding UDP packets on port 123 to
> > > > said machine, and NTP is working.
> > > >
> > > > Now, do I really need to be forwarding UDP/123 to that machine, or will
> > > > ntpd work without it?
> > >
> > > ntpd will make outbound connections to sync the box it is running on with
> > > whatever ntp server you connect to in the outside world.
> > >
> > > in this case you don't need to be forwarding port 123 to it (in fact,
> > > that might be a bad idea...)
> >
> > Hmm. I've just played around with this recently, and it looks like one
> > *does* need to forward port 123. A quick check with "ntpq -p" shows that
> > if you don't forward the port, all of the servers you try to sync with
> > are marked as "rejected".
> >
>
> I run a freebsd firewall / router with ipf and nat, have no ports forwarded
> and ntpd runs fine.
>
> --

I would think if you're keeping state on your outgoing connections that would allow the external NTP response back in. If you're worried about security you could pick 1-2 NTP servers and allow traffic to port 123 from those IPs only, I suppose. I have port 123 NAT'ed to an internal Sparc 20 and my internal machines sync from that. I used to run the NTP server on the gateway box itself.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
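The configuration the thread is arguing about, written out as an added example (this is not from any of the posters, and not the FreeBSD project's own sample files). It assumes an ipf/ipnat gateway whose external interface is fxp0, a LAN of 192.168.1.0/24 with the internal ntpd at 192.168.1.5, the file paths /etc/ipf.rules, /etc/ipnat.rules and /etc/ntp.conf, and two placeholder upstream NTP servers 203.0.113.10 and 203.0.113.20 (documentation addresses, substitute the ones you actually peer with). It shows the port-forward Marco started with commented out, and the stateful outbound rule Steve describes in its place, with the optional tightening to a couple of chosen servers.

```conf
# ---- /etc/ipnat.rules (assumed path) ----
# Hide the LAN behind the gateway's own address (0/32 = address of fxp0).
map fxp0 192.168.1.0/24 -> 0/32

# The original setup: every UDP/123 packet arriving from the Internet is
# redirected to the internal ntpd. A client does not need this, and it
# exposes that ntpd to anyone on the Internet, so it is left disabled here.
# rdr fxp0 0.0.0.0/0 port 123 -> 192.168.1.5 port 123 udp

# ---- /etc/ipf.rules (assumed path) ----
# Default deny on the external interface, logged.
block in log quick on fxp0 all
block out log quick on fxp0 all

# Stateful outbound NTP: the query creates a state-table entry, and the
# server's reply (back to our source port) matches that entry, so no
# inbound "pass" rule for port 123 is needed at all.
pass out quick on fxp0 proto udp from any to any port = 123 keep state

# Tighter variant (the "pick 1-2 NTP servers" suggestion): replace the
# rule above with one per server, so nothing else on port 123 can pass.
# pass out quick on fxp0 proto udp from any to 203.0.113.10 port = 123 keep state
# pass out quick on fxp0 proto udp from any to 203.0.113.20 port = 123 keep state

# ---- /etc/ntp.conf on the internal server (assumed contents) ----
server 203.0.113.10
server 203.0.113.20
# Refuse everything by default, then open only what is needed:
# the upstream servers may exchange time (no control queries),
# the LAN may sync from this box, localhost keeps full access.
restrict default ignore
restrict 127.0.0.1
restrict 203.0.113.10 nomodify notrap noquery
restrict 203.0.113.20 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
```

Load the rule sets with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, then use the same `ntpq -p` check Jonathan mentions on the internal box: with the stateful outbound rule in place the peers should leave the "rejected" state once ntpd has exchanged a few packets with them, and `ipfstat -sl` will show the UDP state entries that carried the replies back in.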