Question

When querying ntp servers with the command ntpdate, I can use the -u argument to make the source port an unrestricted port (port 1024 and above).

With ntpd, which is meant to run in the background, I can't seem to find a way to turn this option on. So the source port is always 123. It's playing around horribly with my firewall configuration.

Is there a configuration option in ntp.conf to make it use a random source port?


Solution

Doesn't sound like this is possible... see the ntp troubleshooting page:

If you're going to run ntpd, you need to fix your network/firewall/NAT so that ntpd can have full unrestricted access to UDP port 123 in both directions.

If this is not possible, you may need to run ntpd on the firewall itself, so that it can have full unrestricted access to UDP port 123 in both directions, and then have it serve time to your internal clients.

If that's not possible, your only other option may be to buy the necessary hardware to connect to one or more of your own computers and run your own Stratum 1 time server or buy a pre-packaged Stratum 1 time server.

OTHER TIPS

I managed to solve this by replacing the official NTPD with OpenNTPD. While official NTPD is fixed to UDP port 123, OpenNTPD uses unprivileged ports.

I've had this problem before and couldn't find a solution. I ended up just adding an entry to crontab that runs ntpdate once an hour. That gives good enough resolution for anything I do, since my clock never drifts more than 1 second per hour.

You cannot change the NTP port but you can add an iptables cmd to redirect it through a VPN port.

Details: http://openvpn.net/archive/openvpn-users/2007-11/msg00223.html

As @Andy_Whitfield wrote, ntpd cannot do this. But there are alternatives like OpenNTPD and Chrony. AFAIK, Chrony is also used by Android.

In my setup, I use chrony. It uses an unprivileged port for asking remote servers. This technique has a much better chance of passing a NAT. It's the same mechanism, by the way, that ntpdate -q also uses for querying the server, but only when called as an unprivileged user.

I think the main problem why it sometimes doesn't work is that many routers implement NTP themselves to set their internal clock. On these devices the port is in use and thus cannot be NATed. This might even be the case if the device doesn't respond to NTP queries.
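To make the behaviour described in this answer concrete, here is an added example (not code from the page, from chrony, or from the ntp project) of an NTP client that does what chrony and `ntpdate -u` do: it sends its query from a kernel-assigned ephemeral port instead of binding UDP 123, so stateful firewalls and NAT devices see an ordinary outbound flow. The "server" is a constructed loopback stand-in that answers on a free port chosen by the kernel (so the script runs without root), stratum 2 and the 127.0.0.1 reference id are made-up values; a real ntpd would bind port 123 for both directions. The client also checks that the reply's origin timestamp echoes its own transmit timestamp, which is what lets a client on a random port reject stray or spoofed replies.

```python
import socket
import struct
import threading
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
# The privileged port ntpd binds for queries and service; deliberately not used here.
NTP_PORT = 123
# 48-byte NTPv4 header: LI/VN/Mode, stratum, poll, precision, root delay,
# root dispersion, reference id, reference/origin/receive/transmit timestamps.
HEADER = "!BBbbIIIQQQQ"


def to_ntp_timestamp(unix_time: float) -> int:
    """Encode Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * (1 << 32))
    return (seconds << 32) | fraction


def from_ntp_timestamp(ts: int) -> float:
    """Decode a 64-bit NTP timestamp back to Unix time."""
    return ((ts >> 32) - NTP_EPOCH_OFFSET) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(transmit_time: float) -> bytes:
    """Client packet: LI=0, version 4, mode 3; only the transmit timestamp is set."""
    first_byte = (0 << 6) | (4 << 3) | 3
    return struct.pack(HEADER, first_byte, 0, 0, 0, 0, 0, 0,
                       0, 0, 0, to_ntp_timestamp(transmit_time))


def build_server_reply(origin_ts: int, receive_time: float, transmit_time: float,
                       stratum: int = 2) -> bytes:
    """Server packet: mode 4, echoing the client's transmit timestamp as origin."""
    first_byte = (0 << 6) | (4 << 3) | 4
    # Constructed reference id (the IPv4 address of a pretend upstream server).
    ref_id = struct.unpack("!I", socket.inet_aton("127.0.0.1"))[0]
    receive_ts = to_ntp_timestamp(receive_time)
    return struct.pack(HEADER, first_byte, stratum, 6, -20, 0, 0, ref_id,
                       receive_ts, origin_ts, receive_ts, to_ntp_timestamp(transmit_time))


def parse_packet(data: bytes) -> dict:
    """Unpack the fields a client needs; timestamps are kept as raw 64-bit ints."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    first, stratum, _, _, _, _, _, _, origin, receive, transmit = struct.unpack(HEADER, data[:48])
    return {"leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "origin": origin, "receive": receive, "transmit": transmit}


def serve_one(server_sock: socket.socket) -> None:
    """Answer a single mode-3 request the way a time server would."""
    try:
        data, client_addr = server_sock.recvfrom(512)
    except OSError:
        return
    t2 = time.time()
    request = parse_packet(data)
    if request["mode"] != 3:
        return
    server_sock.sendto(build_server_reply(request["transmit"], t2, time.time()), client_addr)


def ntp_query(server_addr: tuple, timeout: float = 2.0) -> dict:
    """Query from an unbound UDP socket, i.e. an ephemeral (>=1024) source port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        sock.sendto(build_client_request(t1), server_addr)
        source_port = sock.getsockname()[1]  # kernel picked it on first sendto
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    finally:
        sock.close()
    reply = parse_packet(data)
    if reply["mode"] != 4:
        raise ValueError("not a server reply")
    if reply["origin"] != to_ntp_timestamp(t1):
        raise ValueError("origin timestamp mismatch: reply does not belong to our request")
    t2, t3 = from_ntp_timestamp(reply["receive"]), from_ntp_timestamp(reply["transmit"])
    return {"source_port": source_port, "stratum": reply["stratum"],
            "offset": ((t2 - t1) + (t3 - t4)) / 2,   # RFC 5905 clock offset
            "delay": (t4 - t1) - (t3 - t2)}          # RFC 5905 round-trip delay


def query_loopback() -> dict:
    """Run the constructed loopback server in a thread and query it once."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))  # port 0: any free unprivileged port, no root needed
    server.settimeout(5.0)
    worker = threading.Thread(target=serve_one, args=(server,), daemon=True)
    worker.start()
    try:
        return ntp_query(server.getsockname())
    finally:
        worker.join(5.0)
        server.close()


if __name__ == "__main__":
    print(query_loopback())
```

The `source_port` in the result is what the NAT box sees as the client's port; with ntpd it would always be 123, which is exactly the symmetric 123-to-123 flow that home routers running their own NTP client cannot translate. The origin-timestamp comparison is not optional: a client listening on an ephemeral port has no other way to tie a reply to the query it sent.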

You can use source NAT on the host running ntpd to replace the 123 source port with a port number above 1024.

Licensed under: CC-BY-SA with attribution