Do I need to open ports for NTP?

I just noticed that my hwclock was off by nearly 30 seconds. It's almost certainly due to the recent initscripts update.
As I was looking into resetting the clock, I found out that openntpd is deprecated so I've switched to ntp, configured the daemon, reset the time with ntpd -q, and started the daemon. The time is not accurate again.
I remember back when I first installed Arch I tried to set up ntp but it didn't seem to work, so I tried openntpd and stuck with that. I reached the conclusion that ntp required open ports, which I felt was unnecessary given that openntpd could do the same thing without open ports.
Now that I'm looking at it again, I can't find any definitive answer...
Do I need to open ports for ntp if I only want to sync the system that it's running on?

ISC ntpd (the ntp package) will open UDP 123 on all your interfaces regardless of what you do with it. It will work anyway even if you block this port in iptables, assuming that you're allowing responses to established traffic as usual - your outbound mobilization requests to your chosen servers will be enough to allow the responses, and the same with further traffic sent for the lifetime of ntpd. Using iptables like this is probably the easiest way to secure ntpd.
There's also some defense in depth you can do:
- run ntpd as non-root
- run it chrooted to some safe directory (really only makes sense when doing non-root as well, since root can break out of a chroot)
- apply ntpd's built-in access controls (see examples in ntpd.conf, and full docs in ntp_acc(5))
I accomplish the first two of these by chowning /var/lib/ntp (and any contents) to ntp:ntp (so ntpd can write ntp.drift there when non-root), by using a driftfile path relative to the chroot in ntp.conf, and by setting NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp" in /etc/conf.d/ntp-client.conf.
For the third, I chose to not allow any remote traffic to initiate anything with my ntpd, with this /etc/ntp.conf:
server ac-ntp0.net.cmu.edu iburst
server ac-ntp1.net.cmu.edu iburst
server ac-ntp2.net.cmu.edu iburst
server ac-ntp3.net.cmu.edu iburst
server ac-ntp4.net.cmu.edu iburst
restrict default nomodify nopeer noquery
restrict 127.0.0.1
driftfile /ntp.drift
Note the two "restrict" lines. The first shuts out remote access of most kinds, and the second allows the local machine all the access that would otherwise be denied to it by the first rule. Note also the driftfile path, relative to the chroot of /var/lib/ntp/.
With all these security features, ISC ntpd can be just as safe as openntpd.
The use of the "iburst" keyword on the server lines to recover more quickly from out-of-contact conditions is also quite nice, and not rude to the remotes like "burst" would be.
One of the nicest other features of ISC ntpd is that it's smart enough to notice when network state changes occur, like bringing a VPN up/down, changing routes, or switching from wired to wireless and back. openntpd tended to just lose connections in these cases.
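The hardening points in the answer above (a "restrict default" carrying nomodify, nopeer and noquery; a separate restrict for the loopback address; a driftfile line; iburst rather than burst on the server lines) can be checked mechanically before ntpd is restarted. The script below is an added example, not code from the original post or from the ntp project: the check list, the two constructed sample configs and the hostname ntp.example.org are my own assumptions, and an ntp.conf path can be passed as an argument to audit a real file.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ntp.conf for the
# access-control hardening discussed in the answer. Exit status 0 means
# every check passed; each failing check prints one "FAIL:" line.
# Assumption: the directives are spelled as in the answer's ntp.conf
# (restrict default ..., restrict 127.0.0.1, driftfile ..., server ... iburst).

check_ntp_conf() {
    conf="$1"
    fail=0
    # Drop comments and blank lines once so the greps below only see directives.
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. "restrict default" must carry all three of nomodify, nopeer and noquery.
    for kw in nomodify nopeer noquery; do
        if ! printf '%s\n' "$body" | grep -E '^[[:space:]]*restrict[[:space:]]+default' | grep -qw "$kw"; then
            echo "FAIL: restrict default is missing '$kw'"
            fail=1
        fi
    done
    # 2. The local host needs its own restrict line, otherwise the default rule
    #    also shuts out ntpq/ntpdc on the machine itself.
    if ! printf '%s\n' "$body" | grep -qE '^[[:space:]]*restrict[[:space:]]+(127\.0\.0\.1|::1)([[:space:]]|$)'; then
        echo "FAIL: no 'restrict 127.0.0.1' line (local queries would be denied by the default rule)"
        fail=1
    fi
    # 3. A driftfile keeps the frequency estimate across restarts.
    if ! printf '%s\n' "$body" | grep -qE '^[[:space:]]*driftfile[[:space:]]+'; then
        echo "FAIL: no driftfile line"
        fail=1
    fi
    # 4. 'burst' sends a packet burst on every poll; 'iburst' only on first contact.
    #    grep -w does not match the "burst" inside "iburst".
    if printf '%s\n' "$body" | grep -E '^[[:space:]]*(server|pool)[[:space:]]' | grep -qw burst; then
        echo "FAIL: a server line uses 'burst' (use 'iburst' instead)"
        fail=1
    fi
    [ "$fail" -eq 0 ] && echo "OK: $conf passes all checks"
    return "$fail"
}

# Two constructed sample configs (not real system files) in a temp directory.
write_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
# constructed sample mirroring the answer's ntp.conf
server ntp.example.org iburst
restrict default nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
driftfile /ntp.drift
EOF
    cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# constructed sample: remote queries allowed, no loopback rule, burst polling
server ntp.example.org burst
restrict default nomodify
EOF
}

if [ $# -gt 0 ]; then
    for f in "$@"; do check_ntp_conf "$f" || true; done
else
    write_samples
    for f in "$SAMPLE_DIR/hardened.conf" "$SAMPLE_DIR/weak.conf"; do
        echo "== $f"
        check_ntp_conf "$f" || true
    done
fi
```

Run it with no arguments to see the two samples scored, or as `sh audit-ntp.sh /etc/ntp.conf` to audit the live file; the exit status makes it usable from a deployment check as well.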

Similar Messages

  • Do i need to open port for crash plan online backup service

    Do I need to open a port for the CrashPlan online backup service?
    Thanks!

    Possibly. I would start by checking out this CrashPlan support article. CrashPlan does require certain ports on both your computer's and network router's firewall to be open in order to communicate properly.

  • Do I need to open ports for my services if I am connecting through VPN

    Hi,
    I work in a small office and we are trying to connect people remotely to our server through VPN.
    Using the Server App I managed to make VPN work and successfully connected to our file share points, so that means file sharing worked without opening ports for afp on my Airport router.
    On the other side I can't connect to other services such as iCal and Address Book as I am locally in the office. Does that mean I have to open the ports for those services on the router? If yes, then why use VPN in the first place?
    Thanks,

    If I understood you correctly:
    External client -> (server.domain.name) -> Router -> Server: is working
    Internal client -> (server.domain.name) -> Router -> Server: is not working
    Internal client -> (local ip) -> Server: is working
    If yes, you can implement a-la "split zone DNS".
    1. On the external DNS your domain name server.domain.name resolves to the external router IP.
    2. You should add a record (and zone) for server.domain.name to your OS X Lion Server DNS pointing to the local IP.
    When you are connected to VPN, the system sets the DNS server to your Lion server and server.domain.name resolves to the local IP.
    When you are working without VPN, the system uses the external DNS and server.domain.name resolves to the external IP.
    Of course, you should open ports for your services on the router if you want to use them from the external network.
    I am using this configuration and it works perfectly.

  • Open port for Software Update Point

    Hello,
    Do I need to open a port for the Software Update Point (WSUS)?
    Thanks
    If my reply solved your problem, click "Mark as Answer" next to the green V sign.

    For a default installation of WSUS that would be HTTP 8530 or HTTPS 8531
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Opening ports for Windows computers...

    Hi Everyone! This is my first post on the official forums!
    I am currently sharing my internet connection (ethernet) through my Macbook wirelessly to my windows PC.
    It all works very well as long as I just use port 80 for simple web-surfing, but whenever I use programs (Steam and BitTorrent) that use other ports I don't seem to get a connection.
    The firewall in my Macbook is turned off...
    Thanks in advance!
    MVH//Kalle from Sweden

    Hi Kalle... & Welcome to the Discussions!
    You might need to open ports on any Router the Mac is connected to, but you didn't mention such a thing...
    http://docs.info.apple.com/article.html?artnum=106439
    http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

  • I have an Airport Extreme and need to open ports in order to view my CCTV system remotely.  How am I able to do this?

    I have an Airport Extreme and need to open ports in order to view my CCTV system remotely.  How am I able to do this?  The company that supports the system says I need to open the following - 8200, 8016, 8116, 10019, 12088.  All help is appreciated.

    Open AirPort Utility on the PC, select the Airport Extreme and click Manual Setup
    Click the Advanced icon
    Click the Port Mapping tab
    Click the + (plus) button at the bottom of the connection list to set things up
    Reference pages 49-51 in the Apple AirPort Networks guide for more info
    IF.....you do not see a Port Mapping tab when you click the Advanced icon, then that would mean that the AirPort Extreme is in Bridge Mode and the main routing functions for the network are being provided by another device.
    You will need to set up the port mapping on that device, which is likely your modem/router or gateway.

  • Open ports for all in LAN

    Hi, a few days ago I bought a wireless router, a WRT160n. I want to ask how to open some port for all in the LAN (3 clients). For example, all in the LAN have a peer-to-peer application for torrents. I want to open port 20202, for example, for all. Now I open a port from the menu Applications & Gaming->Single Port Forwarding, but I must set the port for each user's IP address.
    Can somebody tell me how to open a port for all in the LAN without configuring each computer?
    Thanks in advance.

    Hi gv. I read more about UPnP and the WRT160n User Guide. In the section Administration > Management it says that UPnP is Enabled by default in my router, which is correct. I set up my peer-to-peer (eMule) TCP/UDP ports to 20202 and checked the option "Use UPnP to setup ports". I tested and closed this port in my router configuration for my computer under "Single Port Forwarding", but in eMule the port is still blocked. Can you explain why it did not work? For UPnP it says that if enabled, it allows users with Windows ME and XP to automatically configure router ports.
    Thanks in advance!
    Best Regards.

  • I installed Acrobat Pro on my computer, and now I am unable to download items because I get a message that I need to open Acrobat for the user agreement. Opening Acrobat Pro does not help.

    I installed Acrobat Pro on my computer, and now I am unable to download items because I get a message that I need to open Acrobat for the user agreement. Opening Acrobat Pro does not help. What do I do?

    I have not contacted Adobe. I am using Acrobat Pro CC, and haven't noticed any problem with the software itself. The only problem I have had so far is when I try to download.

  • Error opening port for replicat

    Hi Guys,
    I'm getting the below while sending status on target.
    GGSCI (PMS) 15>info all
    program Status Group Lag Time Since Ckpt
    MANAGER RUNNING
    REPLICAT RUNNING REPYA 243:53:20 53:49:42
    GGSCI (PMS) 16> send repya status
    Sending STATUS request to REPLICAT REPYA ...
    ERROR: opening port for REPLICAT REPYA (Connection timed out).
    #cat REPYA.pcr
    PROGRAM REPLICAT PROCESSID REPYA PORT PMS.7840 PID 26342
    #telnet PMS 7840
    Trying...
    telnet:Unable to connect to remote host:Connection timed out
    What could the issue be???

    The server where Replicat is running is up? Can the server be pinged/telnet by another server? Can the source server connect anywhere else? Firewall? Network services running? Network troubleshooting 101.

  • How to open Ports for App running in VPC

    Trying to open ports for a Windows app that I am running via VPC but the application still shows the port is unreachable.
    So far I have, opened the port in Mac OSX Firewall, opened ports on my D-Link DSL504G router, disabled the Windows firewall (plus opened the ports in case it became enabled).
    Have also redirected the ports to the IP address within VPC Windows and the Mac itself.
    Have run out of ideas as nothing seems to work.
    Regards
    Alan

    Try the following ...
    AEBSn - Port Mapping Setup
    To set up port mapping on an 802.11n AirPort Extreme Base Station (AEBSn), either connect to the AEBSn's wireless network or temporarily connect directly, using an Ethernet cable, to one of the LAN ports of the AEBSn, and then use the AirPort Utility, in Manual Setup, to make these settings:
    1. Reserve a DHCP-provided IP address for the host device.
    Internet > DHCP tab
    o On the DHCP tab, click the "+" (Add) button to enter DHCP Reservations.
    o Description: <enter the desired description of the host device>
    o Reserve address by: MAC Address
    o Click Continue.
    o MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>
    o IPv4 Address: <enter the desired IP address>
    o Click Done.
    2. Set up Port Mapping on the AEBSn.
    Advanced > Port Mapping tab
    o Click the "+" (Add) button
    o Service: <choose the appropriate service from the Service pop-up menu>
    o Public UDP Port(s): <enter the appropriate UDP port values>
    o Public TCP Port(s): <enter the appropriate TCP port values>
    o Private IP Address: <enter the IP address of the host server>
    o Private UDP Port(s): <enter the same as Public UDP Ports or your choice>
    o Private TCP Port(s): <enter the same as Public TCP Ports or your choice>
    o Click "Continue"
    (ref: "Well Known" TCP and UDP ports used by Apple software products)

  • Getting error 'opening port for MGR  (Connection refused).

    Hi Guys,
    I'm getting the below while starting replicat on target.
    GGSCI (ggtarget) 16> start replicat RLOAD
    Sending START request to MANAGER ...
    ERROR: opening port for MGR MGR (Connection refused).
    GGSCI (ggtarget) 20> view param mgr
    PORT 7809
    USERID orgg, PASSWORD orgg
    PURGEOLDEXTRACTS /ggs/dirdat/*, USECHECKPOINTS
    GGSCI (ggtarget) 21> view param rload
    REPLICAT RLOAD
    USERID orgg, PASSWORD orgg
    ASSUMETARGETDEFS
    HANDLECOLLISIONS
    APPLYNOOPUPDATES
    GETUPDATEBEFORES
    reperror default, discard
    DISCARDFILE ./dirrpt/rload.dsc, purge
    MAP HR.TCUSTORD, TARGET HR.TCUSTORD;
    MAP HR.TCUSTMER, TARGET HR.TCUSTMER;
    From Source I am able to telnet to target...
    What could the issue be???

    Hi,
    Error:
    GGSCI (ggtarget) 16> start replicat RLOAD
    Sending START request to MANAGER ...
    ERROR: opening port for MGR MGR (Connection refused).
    You can start Manager, but when you try to start Replicat, GGSCI gives a connection timeout error
    Solution:
    GoldenGate uses a TCP/IP socket to communicate between local processes. When you issue a START, STOP, SEND, or other command in GGSCI, the command interface will try to open a local port for the process.
    Here is how to find out which local ports these processes are listening on. In the dirpcs directory, there will be one file for each running GoldenGate process.
    For Manager, the file name will be MGR.pcm.
    For Extract, it will be <GROUP_NAME>.pce.
    For Replicat, it will be <GROUP_NAME>.pcr.
    These are text files that can be viewed by using cat or any equivalent command. For example, the MGR.pcm file content will read like this:
    PROGRAM MGR PROCESSID MGR PORT sys1.4356 PID 60070
    After the keyword PORT will be the local hostname and the port number that Manager is supposed to be running on. In the preceding example, the hostname is sys1, and the port is 4356.
    The program (ggsci) tries to use that hostname to communicate with the process (Extract/Replicat/Manager) when the command is issued in GGSCI. If you get a timeout or connection-refused error on the command, that means GoldenGate could not connect to the local host. Most of the time, you should have no problem connecting to a local host, but when you have the wrong IP address or routing table configured in your TCP/IP settings, connection errors can happen.
    To troubleshoot this, follow the steps below
    1. Try to ping that host name from the OS shell to see if it goes to the correct IP address (which should be the one for the local system).
    2. If the ping is successful, try to telnet to the Manager port on your local host. You will be able to see your telnet session connect if a Manager is listening on that port.
    Here is an example:
    shell>telnet
    telnet> open sys1 4356
    Trying 100.100.100.100...
    Connected to sys1.oracle.com (100.100.100.100).
    Escape character is '^]'.
    3. If your telnet session times out or gets a connection-refused error, that means either the hostname is wrong or the port number is wrong.
    If the ping to the hostname listed in the pcm/pce/pcr file fails, or if you cannot connect your telnet session to the port listed in the file(s), contact your network engineers to get the TCP/IP issue resolved.
    Hope this information helps.
    Thanks & Regards
    Santhosh
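The three troubleshooting steps in the reply above (read the host and port from the dirpcs file, ping the host, connect to the port) are easy to script. The following is an added example, not code from the original post or from Oracle GoldenGate: it assumes the one-line "PROGRAM ... PORT <host>.<port> PID <n>" file format quoted above, takes the port to be the digits after the last dot so that dotted hostnames still parse, and uses iputils ping plus nc (or bash's /dev/tcp) for the probes; the sample file contents are constructed from the lines shown in the thread.

```shell
#!/bin/sh
# Added example (not from the original post): parse a GoldenGate .pcm/.pce/.pcr
# status file and probe the endpoint it names, mirroring the reply's steps 1-3.
# Assumptions: file format "PROGRAM X PROCESSID Y PORT <host>.<port> PID <n>";
# Linux iputils ping (-c/-W); a netcat supporting -z/-w, or bash + timeout.

pcs_endpoint() {
    # Print "host port" parsed from the dirpcs file given as $1.
    hostport=$(awk '{ for (i = 1; i < NF; i++) if ($i == "PORT") { print $(i+1); exit } }' "$1")
    [ -n "$hostport" ] || { echo "no PORT field in $1" >&2; return 1; }
    host=${hostport%.*}      # everything before the last dot
    port=${hostport##*.}     # digits after the last dot
    case "$port" in ''|*[!0-9]*) echo "bad port in '$hostport'" >&2; return 1 ;; esac
    printf '%s %s\n' "$host" "$port"
}

probe_endpoint() {
    # Return 0 when a TCP connection to $1:$2 succeeds within 3 seconds.
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    elif command -v bash >/dev/null 2>&1 && command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    else
        echo "neither nc nor bash+timeout is available for the port probe" >&2
        return 2
    fi
}

diagnose() {
    # $1: path to a dirpcs file. Prints one line per step; non-zero on the first failure.
    endpoint=$(pcs_endpoint "$1") || return 1
    host=${endpoint% *}
    port=${endpoint#* }
    echo "$1 says the process listens on $host:$port"
    if ping -c 1 -W 1 "$host" >/dev/null 2>&1; then
        echo "ping $host: ok"
    else
        echo "ping $host: FAILED (hostname does not resolve to this box, or no route)"
        return 1
    fi
    if probe_endpoint "$host" "$port"; then
        echo "tcp $host:$port: connected (a process is listening)"
    else
        echo "tcp $host:$port: refused or timed out (process down, wrong port, or host firewall)"
        return 1
    fi
}

# Demo on a constructed file with the MGR.pcm line quoted in the reply.
SAMPLE=$(mktemp)
printf 'PROGRAM MGR PROCESSID MGR PORT sys1.4356 PID 60070\n' > "$SAMPLE"
pcs_endpoint "$SAMPLE"        # prints: sys1 4356
rm -f "$SAMPLE"
# Pass a real dirpcs file to run the full ping + connect diagnosis.
if [ $# -gt 0 ]; then diagnose "$1" || true; fi
```

Typical use is `sh gg-probe.sh /ggs/dirpcs/MGR.pcm` on the target host; a failing ping points at name resolution or the routing table, a failing connect with a good ping points at the process or a host firewall, which is the same split the reply draws.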

  • How to forward/open ports for WRT54G?

    Hi. I recently bought a WRT54G because my old router was destroyed by lightning and thunder. I have managed to set it up, and got the internet itself to work with a static IP address (192.168.1.101 for my PC).
    However, even though I have tried to forward/open ports for applications like uTorrent and DC++ as well as Limewire, I have no luck. When I test if the ports are indeed opened, I get the result that they are not. Here is how my port forward setting looks for uTorrent. The port in the settings image is of course the same as in uTorrent.
    http://www.pictub.com/quickupload/01/untitled-1mb4wd.jpg
    I can't seem to open any ports, even though I have followed tutorials like the ones at portforward.com. I have the latest firmware for my router, as I flashed it when I got it. Help.

    Yes, I did.
    Anyway, look what I found in the uTorrent FAQ:
    1.7 Special note for users with Linksys WRT54G/GL/GS routers, there are severe problems with them when running any P2P application
    To fix it, they say one has to flash with an unofficial firmware, but I would rather get the money back and buy another router tomorrow. Thanks for the help anyway.

  • Hello Forum, you need a serial ports for software icprog to program EPROM and Pic

    Hello Forum, you need serial ports for the software icprog to program EPROMs and PICs. I was wondering if this or a similar card is compatible with my Lenovo Desktop h50-50 -> PCI-E 2 serial ports and 1 parallel port PCI controller card, 3 ports ► http://fli.zz.mu/cut/scheda-pci-e-2-porte-seriali-1-porta-parallela .
    My Lenovo Desktop h50-50 was upgraded to Win 10. If it is not compatible with Win 10, could I use it by virtualizing Win XP? Thanks in advance for answers, I apologize for my bad English.
    THANKS Joe

    Unfortunately, no Sanyo phones are iSync compatible so you will not be able to synchronize your Contacts and Calendars with the phone.
    Also, you may have problems with the Bluetooth adapter you purchased, as the only one officially supported by Apple for use with Macs is the D-Link DBT-120.
    The Official Apple list of iSync compatible devices is here:
    http://www.apple.com/macosx/features/isync/devices.html
    It's always a good idea to check this list before purchasing a new phone.
    Other phones are supported by third party plugins from here and here. But still no Samsung, Sanyo, LG etc., who all use their own proprietary syncing protocols rather than the industry standard SyncML. These manufacturers also don't provide Mac software with their phones like they do for Windows users.
    I'm afraid you're not going to have much luck if you stick with the Sanyo. I would seriously consider taking it back and swapping it for one of the handsets on the above linked pages. Personally I would recommend a Sony Ericsson model. I've always had excellent Mac compatibility with those.

  • What ports do i need to open up for my wifi

    I need help. I need to know the ports I need to open up on my wifi so that my iPod can connect.

    Check these articles: iOS: Recommended settings for Wi-Fi routers and access points
    iPod touch and iPhone: Tips when using Wi-Fi and iTunes for Windows: Troubleshooting security software issues

  • I have a game on my xbox one that is telling me I need to open ports in order to play it I am not all that tech savvy and have no idea how to do this

    I have an AirPort Extreme and I am trying to play a new game on my Xbox One, and it keeps kicking me. I have Comcast internet that is more than fast enough, so I went to the game's site and it says I need to either create a static IP or to open ports. No idea how to do either of these or what that does; any help would be appreciated.

    There are heaps of posts here about how to open ports on apple routers specifically for xboxes.
    AirPort Extreme and xbox 360
