Question

When querying NTP servers with the ntpdate command, I can use the -u argument to make the source port an unrestricted port (port 1024 and above).

With ntpd, which is supposed to run in the background, I can't find a way to enable this option. So the source port is always 123. That plays terribly with my firewall configuration.

Is there a configuration option in ntp.conf to make it use a random source port?


Solution

Doesn't sound like this is possible... see the ntp troubleshooting page:

If you're going to run ntpd, you need to fix your network/firewall/NAT so that ntpd can have full unrestricted access to UDP port 123 in both directions.

If this is not possible, you may need to run ntpd on the firewall itself, so that it can have full unrestricted access to UDP port 123 in both directions, and then have it serve time to your internal clients.

If that's not possible, your only other option may be to buy the necessary hardware to connect to one or more of your own computers and run your own Stratum 1 time server or buy a pre-packaged Stratum 1 time server.

Other tips

I managed to solve this by replacing the official NTPD with OpenNTPD. While official NTPD is fixed to UDP port 123, OpenNTPD uses unprivileged ports.

I've had this problem before and couldn't find a solution. I ended up just adding an entry to crontab that runs ntpdate once an hour. That gives good enough resolution for anything I do, since my clock never drifts more than 1 second per hour.

You cannot change the NTP port but you can add an iptables cmd to redirect it through a VPN port.

Details: http://openvpn.net/archive/openvpn-users/2007-11/msg00223.html

As @Andy_Whitfield wrote, ntpd cannot do this. But there are alternatives like OpenNTPD and Chrony. AFAIK, Chrony is also used by Android.

In my setup, I use chrony. It uses an unprivileged port for asking remote servers. This technique has a much better chance of passing through a NAT. It is, by the way, the same mechanism that ntpdate -q uses for querying the server, but only when called as an unprivileged user.

I think the main reason it sometimes doesn't work is that many routers implement NTP themselves to set their internal clock. On these devices the port is in use and thus cannot be NATed. This might even be the case if the device doesn't respond to NTP queries.
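The unprivileged-source-port mechanism the answer above describes (ntpdate -u, chrony), as an added Python example that is not part of any answer here: it builds an SNTP client request, binds the client socket to port 0 so the kernel picks an ephemeral port above 1023, and parses the server's transmit timestamp. To run offline it answers the request from a constructed loopback stand-in for the server instead of a real host on UDP 123; the reply time and the 127.0.0.1 addresses are assumptions for the demo.

```python
import socket
import struct
import threading

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def build_client_request() -> bytes:
    # 48-byte SNTP request: LI=0, VN=4, Mode=3 (client); every other field zero
    return bytes([0x23]) + bytes(47)

def build_server_reply(unix_time: float) -> bytes:
    # Constructed stand-in for a real server's reply: Mode=4, stratum 2, transmit timestamp set
    pkt = bytearray(48)
    pkt[0], pkt[1] = 0x24, 2
    struct.pack_into("!II", pkt, 40, int(unix_time) + NTP_EPOCH_OFFSET, int((unix_time % 1) * (1 << 32)))
    return bytes(pkt)

def parse_transmit_timestamp(reply: bytes) -> float:
    # Unix time from the transmit timestamp (bytes 40-47); reject anything that is not a server reply
    if len(reply) < 48 or (reply[0] & 0x07) != 4:
        raise ValueError("not an NTP server reply")
    secs, frac = struct.unpack_from("!II", reply, 40)
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def query_from_unprivileged_port(server_addr, timeout=2.0):
    # Send one request from an ephemeral source port, as ntpdate -u and chrony do
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", 0))  # port 0: the kernel picks an unprivileged port (>= 1024)
        src_port = sock.getsockname()[1]
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), server_addr)
        data, _ = sock.recvfrom(512)
    return src_port, parse_transmit_timestamp(data)

def loopback_demo(reply_time=1700000000.5):
    # One-shot fake server on a loopback port (not 123, so no root needed), then query it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2.0)

        def serve_once():
            req, client = srv.recvfrom(512)
            if (req[0] & 0x07) == 3:  # answer only client-mode requests
                srv.sendto(build_server_reply(reply_time), client)

        t = threading.Thread(target=serve_once, daemon=True)
        t.start()
        src_port, ts = query_from_unprivileged_port(srv.getsockname())
        t.join()
    return src_port, ts
```

Against a real server you would pass `(host, 123)` to `query_from_unprivileged_port`; the reply then traverses NAT on the ephemeral port's mapping rather than requiring UDP 123 to be open inbound.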

You can use source NAT on the host running ntpd to replace the 123 source port with a port number above 1024.

Licensed under: CC-BY-SA with attribution