Firewall blocks Apple's Network Time Protocol

Hi,
I admit to not fully understanding everything about the Firewall on OS X server 10.4.11 and I'm hoping someone can help with a little(?) problem.
On the WAN side, my "gateway" server is connected directly to my SpeedTouch 780 modem with a fixed IP address. On the LAN side are a couple of switches and then an Airport Extreme base station (192.168.2.249). This broadcasts wirelessly to a more distant Airport Express (192.168.2.247). Both WiFi devices are configured to obtain the time from Apple's European servers.
After completing a Carbon Copy Cloner of my OS partition and rebooting on my usual volume I noticed the following denials in my Firewall log:
Dec 28 12:50:16 nl1 ipfw: 65534 Deny UDP 17.72.255.12:123 192.168.2.249:3987 in via en0
Dec 28 12:40:25 nl1 ipfw: 65534 Deny UDP 17.72.255.12:123 192.168.2.247:3814 in via en0
In SA --> Firewall --> Settings --> Services --> Edit Services for: 192.168.1-net (en0/modem connection)
I have the "Allow only traffic for: 192.168.1-net on these ports" checked and
NTP - Network Time Protocol UDP/TCP is also checked.
Under, Edit Services for: any
I have the "Allow only traffic for: any" checked and
NTP - Network Time Protocol UDP/TCP is also checked.
Under, Edit Services for: 192.168.2-net (en1/LAN)
I have the "Allow all traffic for: 192.168.2-net" checked.
1) Why is this traffic being blocked?
2) Why does the port number seem to get changed in transit? (I've got NAT running and Open Directory).
3) Does the configuration under, "Allow only traffic for: any" overrule all other Firewall settings? So if for example a port under, "Allow only traffic for: 192.168.1-net on these ports" wasn't checked but was under, "Allow only traffic for: any", would the traffic be allowed through?
Thanks and happy new year!
Michael Franks

Do you have NTP activated? Does it work? If it doesn't and you have the firewall activated, then open the required port. If it is working then don't worry about it.
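
The two deny lines in the question can be triaged mechanically. The following is an added example, not part of the original thread: it parses ipfw log lines of that shape, counts denies per rule number, and picks out inbound UDP packets sent from port 123 to a different client port, which is what both quoted lines are. The function names and the third sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# First two lines are the ones quoted in the question; the third is constructed.
SAMPLE_LOG = """\
Dec 28 12:50:16 nl1 ipfw: 65534 Deny UDP 17.72.255.12:123 192.168.2.249:3987 in via en0
Dec 28 12:40:25 nl1 ipfw: 65534 Deny UDP 17.72.255.12:123 192.168.2.247:3814 in via en0
Dec 28 12:41:02 nl1 ipfw: 65534 Deny TCP 203.0.113.9:40112 192.168.2.10:445 in via en0
"""

# timestamp host ipfw: RULE ACTION PROTO SRC:SPORT DST:DPORT in|out via IFACE
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sipfw:\s"
    r"(?P<rule>\d+)\s(?P<action>\w+)\s(?P<proto>\w+)\s"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s(?P<dst>[\d.]+):(?P<dport>\d+)\s"
    r"(?P<dir>in|out)\svia\s(?P<iface>\S+)$"
)


def parse_log(text):
    """Return one dict per ipfw line with ports; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. ICMP entries, which carry no ports
        ev = m.groupdict()
        for key in ("rule", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def is_denied_ntp_reply(ev):
    """Inbound UDP from port 123 to some other port: an NTP server's answer
    to a client that sent its request from a non-123 source port."""
    return (
        ev["action"] == "Deny"
        and ev["proto"] == "UDP"
        and ev["dir"] == "in"
        and ev["sport"] == 123
        and ev["dport"] != 123
    )


def summarize(text):
    """Group the denies so the affected rule, servers and clients are visible."""
    events = parse_log(text)
    replies = [e for e in events if is_denied_ntp_reply(e)]
    return {
        "denies_by_rule": Counter(e["rule"] for e in events if e["action"] == "Deny"),
        "ntp_servers": sorted({e["src"] for e in replies}),
        "ntp_clients": sorted({e["dst"] for e in replies}, key=ipaddress.ip_address),
        # Destination port of each dropped reply, per client
        "client_ports": {e["dst"]: e["dport"] for e in replies},
        # True when every dropped reply is addressed to an RFC 1918 host
        "all_clients_private": all(
            ipaddress.ip_address(e["dst"]).is_private for e in replies
        ),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
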

Similar Messages

  • NTP(Network Time Protocol) Error whil installing Oracle 11gR2 RAC

    Dear Friends,
    I have installed Oracle 11gR2 clusterware software in a two-node RAC. When I run CLUVFY.SH, it shows an error in the NTP configuration.
    1) I added the "-x" parameter in the "/etc/sysconfig/ntp" configuration file, started the ntpd service and ran cluvfy.sh. Then I got the below error.
    Check: CTSS state
    Node Name State
    rac2 Observer
    rac1 Observer
    CTSS is in Observer state. Switching over to clock synchronization checks using NTP
    Starting Clock synchronization checks using Network Time Protocol(NTP)...
    NTP Configuration file check started...
    The NTP configuration file "/etc/ntp.conf" is available on all nodes
    NTP Configuration file check passed
    Checking daemon liveness...
    Check: Liveness for "ntpd"
    Node Name Running?
    rac2 no
    rac1 no
    Result: Liveness check failed for "ntpd"
    PRVF-5415 : Check to see if NTP daemon is running failed
    Result: Clock synchronization check using Network Time Protocol(NTP) failed
    PRVF-9652 : Cluster Time Synchronization Services check failed
    Post-check for cluster services setup was unsuccessful on all the nodes.
    =============================================================================================
    2) Brought down the ntpd service on both nodes and ran CLUVFY.SH.
    Check: CTSS state
    Node Name State
    rac2 Observer
    rac1 Observer
    CTSS is in Observer state. Switching over to clock synchronization checks using NTP
    Starting Clock synchronization checks using Network Time Protocol(NTP)...
    NTP Configuration file check started...
    The NTP configuration file "/etc/ntp.conf" is available on all nodes
    NTP Configuration file check passed
    Checking daemon liveness...
    Check: Liveness for "ntpd"
    Node Name Running?
    rac2 no
    rac1 yes
    Result: Liveness check failed for "ntpd"
    PRVF-5415 : Check to see if NTP daemon is running failed
    Result: Clock synchronization check using Network Time Protocol(NTP) failed
    PRVF-9652 : Cluster Time Synchronization Services check failed
    Post-check for cluster services setup was unsuccessful on all the nodes.
    ==========================================================================
    3) Based on some website advice, I brought down the ntpd service and moved "/etc/ntpd.conf" to another location. Then I got the below error.
    Result: Query of CTSS for time offset passed
    Check CTSS state started...
    Check: CTSS state
    Node Name State
    rac2 Observer
    CTSS is in Observer state. Switching over to clock synchronization checks using NTP
    Starting Clock synchronization checks using Network Time Protocol(NTP)...
    NTP Configuration file check started...
    ERROR:
    PRVF-5402 : Warning: Could not find NTP configuration file "/etc/ntp.conf" on node "rac2"
    PRVF-5405 : The NTP configuration file "/etc/ntp.conf" does not exist on all nodes
    rac2
    PRVF-5414 : Check of NTP Config file failed on all nodes. Cannot proceed further for the NTP tests
    Result: Clock synchronization check using Network Time Protocol(NTP) failed
    PRVF-9652 : Cluster Time Synchronization Services check failed
    =============================================================
    What should I do to solve this issue?? Please help me ...

    Hi,
    I started the ntpd service on both nodes and ran CLUVFY.SH.
    The output is below,
    Checking if CTSS Resource is running on all nodes...
    Check: CTSS Resource running on all nodes
    Node Name Status
    rac2 passed
    rac1 passed
    Result: CTSS resource check passed
    Querying CTSS for time offset on all nodes...
    Result: Query of CTSS for time offset passed
    Check CTSS state started...
    Check: CTSS state
    Node Name State
    rac2 Observer
    rac1 Observer
    CTSS is in Observer state. Switching over to clock synchronization checks using NTP
    Starting Clock synchronization checks using Network Time Protocol(NTP)...
    NTP Configuration file check started...
    The NTP configuration file "/etc/ntp.conf" is available on all nodes
    NTP Configuration file check passed
    Checking daemon liveness...
    Check: Liveness for "ntpd"
    Node Name Running?
    rac2 yes
    rac1 yes
    Result: Liveness check passed for "ntpd"
    Checking NTP daemon command line for slewing option "-x"
    Check: NTP daemon command line
    Node Name Slewing Option Set?
    rac2 yes
    rac1 yes
    Result:
    NTP daemon slewing option check passed
    Checking NTP daemon's boot time configuration, in file "/etc/sysconfig/ntpd", for slewing option "-x"
    Check: NTP daemon's boot time configuration
    Node Name Slewing Option Set?
    rac2 yes
    rac1 yes
    Result:
    NTP daemon's boot time configuration check for slewing option passed
    NTP common Time Server Check started...
    PRVF-5410 : Check of common NTP Time Server failed
    PRVF-5416 : Query of NTP daemon failed on all nodes
    Result: Clock synchronization check using Network Time Protocol(NTP) passed
    Oracle Cluster Time Synchronization Services check passed
    ========================================================================================
    [oracle@rac1 ~]$ /u01/app/grid/oracle/product/10.2.0/db_1/bin/cluvfy comp clocksync
    Verifying Clock Synchronization across the cluster nodes
    Checking if Clusterware is installed on all nodes...
    Check of Clusterware install passed
    Checking if CTSS Resource is running on all nodes...
    CTSS resource check passed
    Querying CTSS for time offset on all nodes...
    Query of CTSS for time offset passed
    Check CTSS state started...
    CTSS is in Observer state. Switching over to clock synchronization checks using NTP
    Starting Clock synchronization checks using Network Time Protocol(NTP)...
    NTP Configuration file check started...
    NTP Configuration file check passed
    Checking daemon liveness...
    Liveness check passed for "ntpd"
    NTP daemon slewing option check passed
    NTP daemon's boot time configuration check for slewing option passed
    NTP common Time Server Check started...
    PRVF-5410 : Check of common NTP Time Server failed
    PRVF-5416 : Query of NTP daemon failed on all nodes
    Clock synchronization check using Network Time Protocol(NTP) passed
    Oracle Cluster Time Synchronization Services check passed
    Verification of Clock Synchronization across the cluster nodes was successful.
    [oracle@rac1 ~]$
    ================================================================================
    I hope the problem is solved. Am I correct??

  • Use network time protocol on cRIO to get timestamp?

    I would like to grab a timestamp from a network time protocol server like NIST on a cRIO device connected to the internet. How can I do this? There has to be someone in our labview community that has done this before or knows how to do it. Code examples appreciated
    [will work for kudos]

    The network time protocol functionality of the crio synchronizes the crio's internal time to that of a Network Time Protocol server once per minute. This ensures the crio's time is always accurate within a few milliseconds (I forget the exact specs).
    Using the article linked earlier I modified the ni-rt.ini file with the code given there and used the IP of one of the NIST Atomic Clock NTP servers in Boulder, Colorado, which I found here: http://tf.nist.gov/tf-cgi/servers.cgi
    I have tested and confirmed this works quite well for my application.
    From my understanding, you are trying to use the crio's NTP functionality to synchronize the crio to the clock on your computer. Considering the fact that the crio's clock is much more accurate than the one on your pc, this seems a little backwards. What I would suggest you do is find a program that synchronizes your computer's clock to an external NTP server and choose the same NTP server that you have configured the crio to synchronize to. I recommend one of the NIST servers I told you about. I do know that Windows has the ability to synchronize your clock to an NTP server of your choosing and you may not need to get any external software at all; you and your crio would just need an internet connection.
    You did not specify what kind of accuracy in your synchronization you were hoping to achieve, but be sure to look at the specs of both the crio sync and the program on your pc to see what kind of accuracy you will be getting. 
    If this is not an option, there is another way to 'synchronize'. If you are using a crio-pc architecture where the pc is triggering an acquisition on the crio you can simply record the pc's time when the trigger is sent and send that timestamp over shared variable to the crio to be recorded along with your data as the time when the acquisition started. Then the dt between data points will remain constant so you can extrapolate timestamps from there.
    I hope I helped. Let me know what you think.
    [will work for kudos]

  • HT4367 APPLE TV3 Network Time missing

    Please, this is the first time I've had an Apple TV and it's been working fine since March 2012 when I bought it....until now, because like many of you, when I downloaded Software 5.1 I now cannot set Network Time, adjust, etc. How long does the warranty last??? Thanks.

    Here's what finally worked for me with Apple TV 3rd generation. Out of the box, when setup with wi-fi, it breezed through without any issue. As soon as I powered down and connected it to another tv (same wi-fi network), it got stuck at setting date/time. The remote would help in getting out of it, but the home would only have "Computers" and "Settings" and pretty much useless except for AirPlay. Here's what I did to resolve this:
    1. On your main router, temporarily disable the firewall or set it to the lowest setting allowable (a reboot of the router may be required).
    2. Restart apple tv via the "restart" option in the "General" option in the main settings menu.
    3. It should breeze through and not show the "Setting date/time" screen.
    4. Once it loads up properly, turn on your firewall as before (a reboot of the router may be required).
    I think it worked for me out of the box, but auto-update to the latest software introduced this bug. So, every time Apple TV tries to sync with the time server, this issue will come back. To disable this, I turned off the "auto time synch" option in Settings -> General.
    I am fairly confident that I'd be able to use steps 1 through 4 anytime this recurs. Possible scenarios causing recurrence of this issue:
    1. Unplugging the power to apple tv or power failures.
    2. OS updates.
    3. Restoring apple tv using "Restore" or via micro-usb and iTunes to the latest OS.
    Hope this helps. Please post if this works for you.

  • How to get SNTP (Simple Network Time Protocol) time from any time Servers?

    Hi All,
    I am trying to get the date and time from any internet time servers (http://tf.nist.gov/service/time-servers.html). How do I get that within the java program.
    ex: InetAddress address = InetAddress.getByName("time-nw.nist.gov");
    then a variable holds the current date and time (optional any specific time zone)
    Thanks in advance!
    Gajen

    Hi there,
    As an update, AtomicDate (http://atomicdate.sourceforge.net) is a clean and flexible Java implementation of the NTP/SNTP protocol. Its main features are integration with the Spring Framework and a network time enabled version of java.util.Date. Cheers!
    AP

  • Network Time Protocol

    Hello,
    In the Date and Time settings box there is a checkbox to have your server set its time automatically and it is by default set to receive its time from time.apple.com.
    I read that you need to open port 123 on your firewall to have a client receive updated time from a time server that is off site. Is this true for 10.4 servers? Or did Apple set it up so you don't have to mess with your firewall?
    Robert

    Do you have NTP activated? Does it work? If it doesn't and you have the firewall activated, then open the required port. If it is working then don't worry about it.

  • Update NTP (Network Time Protocol) wiki article?

    I was trying to set up automatic clock synchronization, so I went here https://wiki.archlinux.org/index.php/Ne … e_Protocol to see how I could do that: first thing it says to install ntp, and that's easy, but then the configuration section is very different from the default /etc/ntp.conf coming with the repository package (version 4.2.6.p2-1), so this is the first reason why I think the article should be updated.
    After that I started KISS-wondering why I should use a memory/bandwidth/cpu-eating daemon if what I want is just synchronize my clock at boot time, nothing more; in fact, configuring ntp that way is useful only for a ntp server, but I'm pretty confident that the large majority of people visiting that page are just looking for a way to sync their clock, so I think that the NTP part of the page should be split in 2 or even better 3 sub sections: 1) ntp server configuration (with ntpd running); 2) simple ntp clock synchronization (with ntpd running); 3) ntp clock synchronization (at boot time or as a cron event) (without ntpd running).
    Subsection 3) should explain how to configure ntp.conf (and maybe /etc/rc.local ? I'm still studying on this) just to be able to have this command
    ntpd -qg
    automatically executed at boot time: maybe appending it to /etc/rc.local (but I'm afraid it's slightly more complicated than that, I'm still studying on it); it could also be reminded that it's possible to run that command at predefined time intervals by creating a cron event.
    Is somebody with more knowledge than me interested in helping?
    (Excuse my approximate English...)

    Ok, I finally managed to find the time to revise the ntp.conf section, this is my first attempt to it:
    ===/etc/ntp.conf===
    The first thing you define in your ntp.conf is the servers your machine will synchronize to.
    NTP servers are classified in a hierarchical system with many levels called "strata": the devices which are considered independent time sources are classified as "stratum 0" sources; the servers directly connected to stratum 0 devices are classified as "stratum 1" sources; servers connected to stratum 1 sources are then classified as "stratum 2" sources and so on. It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability.
    Typically, stratum 2 servers are used for general synchronization purposes: if you don't already know the servers you're going to connect to, you should use the pool.ntp.org servers (http://www.pool.ntp.org/ or http://support.ntp.org/bin/view/Servers/NTPPoolServers) and choose the server pool that is closest to your location.
    The following lines are just an example:
    server 0.it.pool.ntp.org iburst
    server 1.it.pool.ntp.org iburst
    server 2.it.pool.ntp.org iburst
    server 3.it.pool.ntp.org iburst
    The iburst option is recommended, and sends a burst of packets if it cannot obtain a connection with the first attempt. The "burst" option should never be used without explicit permission and will likely result in blacklisting.
    If you're setting up a ntp server, you need to add localhost as a server, so that, in case it loses internet access, it won't stop serving time to the network; add localhost as a "stratum 10" server (using the "fudge" command) so that it will never be used unless internet access is lost:
    server 127.127.1.0
    fudge 127.127.1.0 stratum 10
    The next thing you have to do is add the drift file (which keeps track of your clock's time deviation) and optionally the log file location:
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp.log
    Now all that's left to do is define the rules that will allow clients to connect to your service (localhost is considered a client too) using the "restrict" command; you should already have a line like this in your file:
    restrict default nomodify nopeer
    This restricts everyone from modifying anything and prevents everyone from querying your time server.
    You can also add other options:
    restrict default kod nomodify notrap nopeer noquery
    In the past, "notrust" option was used too, but its function has changed to mean that authentication with a key is required.
    Following this line, you need to tell ntpd what to allow through into your server; the following line is enough if you're not configuring a ntp server:
    restrict 127.0.0.1
    Otherwise you can add more clients like in this example:
    restrict 1.2.3.4 nomodify
    restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
    This tells ntpd that 1.2.3.4 and all IP addresses from the 192.168.0.0 range will be allowed to synchronize on this server, but they will not be allowed to modify anything. All other IP addresses in the world will still obey the default restrictions (the first line in the ntp.conf).
    In the end, the complete file will look like this (almost all original comments have been stripped out for clarity):
    # Name of the servers ntpd should sync with (these are for Italy as an example)
    server 0.it.pool.ntp.org iburst
    server 1.it.pool.ntp.org iburst
    server 2.it.pool.ntp.org iburst
    server 3.it.pool.ntp.org iburst
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp.log
    restrict default nomodify nopeer
    restrict 127.0.0.1
    For a more in-depth explanation of the file, especially if you want to configure your machine as a ntp server, the Gentoo Wiki has a more detailed description.
    Lastly, never forget man pages:
    $ man ntp.conf
    is likely to answer most of your remaining doubts.
    Last edited by kynikos (2011-02-06 23:15:03)
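
The `restrict` lines drafted in the post above lend themselves to an automated check. The following is an added example, not part of the original post or of the ntp package: it parses `restrict` entries (including the `mask` form), reports which of the access flags the post lists are absent from the default rule, and lists sources that carry no restriction flags at all. The function names are hypothetical; the two sample configurations are assembled from lines given in the post.

```python
import ipaddress

# Flags named in the post, with their documented ntpd meaning.
HARDENING_FLAGS = {
    "nomodify": "deny ntpq/ntpdc requests that try to change server state",
    "noquery": "deny ntpq/ntpdc queries (time service itself is unaffected)",
    "notrap": "decline mode 6 control message trap service",
    "nopeer": "deny packets that would mobilize a new association",
}

# The complete file as drafted in the post.
POST_MINIMAL = """\
# Name of the servers ntpd should sync with (these are for Italy as an example)
server 0.it.pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
restrict default nomodify nopeer
restrict 127.0.0.1
"""

# The post's fuller default line plus its two client examples.
POST_FULLER = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 1.2.3.4 nomodify
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
"""


def parse_restrict(conf_text):
    """Return [(network, flags)] for each restrict line; comments are ignored."""
    entries = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] != "restrict":
            continue
        args = [w for w in words[1:] if w not in ("-4", "-6")]
        if not args:
            continue
        addr, rest = args[0], args[1:]
        mask = None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        if addr == "default":
            net = "default"
        else:
            try:
                spec = f"{addr}/{mask}" if mask else addr
                net = str(ipaddress.ip_network(spec, strict=False))
            except ValueError:
                net = addr  # a hostname; keep it as written
        entries.append((net, set(rest)))
    return entries


def missing_default_flags(conf_text):
    """Flags from HARDENING_FLAGS that some default rule does not carry."""
    defaults = [flags for net, flags in parse_restrict(conf_text) if net == "default"]
    if not defaults:
        return sorted(HARDENING_FLAGS)  # no default rule at all
    if all("ignore" in flags for flags in defaults):
        return []  # 'ignore' drops every packet, so nothing is left open
    return sorted(set(HARDENING_FLAGS) - set.intersection(*defaults))


def unrestricted_sources(conf_text):
    """Networks listed with no flags, i.e. granted full access."""
    return [net for net, flags in parse_restrict(conf_text) if not flags]


if __name__ == "__main__":
    for name, conf in (("minimal", POST_MINIMAL), ("fuller", POST_FULLER)):
        print(name, "missing:", missing_default_flags(conf),
              "unrestricted:", unrestricted_sources(conf))
```
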

  • Installation of Network Time Protocol Security Fix

    Hi....
    Per App Store, I installed the fix with no issues clicking "install now." But, Mom's Mac did the automatic install. She saw the message window saying a security update was installed. But, in the Application Store Upgrade section, this security upgrade is not listed. Previous software updates are listed. For the "fun of it" I downloaded the pkg with the update and "re-installed" it on my Mac. It installed.
    Questions:
    1. Did I mess up my Mac by doing the install twice?
    2. If not, can I do the same on Mom's Mac to be sure the update is installed?
    3. Why wouldn't the automatic install (on Mom's machine) not show up on the list of updates?  Is this the usual state for automatic updates?
    4. What could I look at to see if the update was installed besides the update list where it doesn't show up?
    Thanks!

    John, many thanks!  Took me a bit to find the install.log, but yes, the entry was there.  For my "self install" on the package, log said, "Installed "NTPUpdateYosemite-2"
    BTW: I checked the fingerprint of the package I downloaded, and it did not match the fingerprint in this Apple article at "How to verify the authenticity of manually downloaded Apple Software Updates - Apple Support". But, the fingerprint of the package I downloaded did match the fingerprint of the package for the "Digital Camera RAW Compatibility 6.02" package that came out Dec 15th. So, I think that the package I used was legit. Make sense?
    ALSO...I did find this info on Apple website posted today: "About OS X NTP Security Update - Apple Support". It has terminal command for seeing if your NTP is updated. [Just saw you edited your reply to include this]
    And, finally....Thanks so much for helping a relative newbie to software "stuff"

  • Can't access itunes store or home sharing on apple tv, apple tv 2 keeps saying that network time needs to be set.

    Can't access iTunes store or home sharing on Apple TV 2, keeps telling me that network time needs to be set. When I go to time zone section on Apple TV - I chose a city...but still no luck. Apparently, can't do anything without the time being set. How do I set this up?

    Yes, I did (turning off and then on again is a way of life for any windows user!). Actually, through a process of trial and error I have fixed the problem although I'm not very comfortable with the fix. For some reason, the OS X firewall is to blame. By relaxing the firewall settings to their most lenient, the iTunes store is now fully accessible via iTunes, and so is the whole of the apple website. Another added side effect has been that general web browsing is now lightning fast.
    I'm therefore left with the (temporary) conclusion that my iMac's internal firewall is only capable of blocking access to the web resources of the people who created it, and slowing my web browser to a crawl.

  • I have turned firewall off but my iphone will still not update. it still says 'network time out' i am using a dell laptop

    I have turned firewall off but my iPhone will still not update. It still says 'network time out'. I am using a Dell laptop and I want to update my iPhone 4 to iOS 5.

    Things in this thread might be helpful too.
    https://discussions.apple.com/thread/3382814?start=0&tstart=0

  • Apple TV is asking me to set network time. how to do this?

    Apple TV is asking to set network time. How is this done?

    Assuming this is not the first time you have used your Apple TV
    You might try restarting the Apple TV by removing ALL the cables for 30 seconds.
    Also try restarting the router.
    If the problem persists, try a restore, you may want to try the previous procedures several times before doing this.
    If this is a new Apple TV, it may also be that your network router is not allowing access to the timeserver, check that your router allows access over port 123.

  • Apple TV. setting network time

    My school's wifi network demands that I log in before using, and Apple TV tries to set network time before I log in. How can I set network time after I log in to the network? I don't seem to see a menu item for this.

    Apple TV cannot set the network time + date

  • Apple TV 2 is asking for network time before I can purchase a movie? Restarted it and still requesting network time. Wifi is connected and works. Any ideas?

    Apple TV 2 is asking for network time before I can purchase a movie? Even restarted it and still did the same thing.
    How do you fix this? My wifi is operating 100% connected and I can access the iTunes Movies etc. How do I get it to work again?

    Welcome to the Apple Community.
    If you've had it working previously, try restarting the Apple TV by removing ALL the cables for a 30 seconds, or a restore if the problem persists.

  • HT204400 my apple tv show "apple TV can't sign in to the itunes store until the network time has been set."

    My Apple TV shows "apple TV can't sign in to the itunes store until the network time has been set."... What is the network time? How do I resolve this?

    Ronaldo, I'm also in Brazil... It seems to be a problem with us... I've been searching the internet and many people have the same problem.
    I also have a thread open here... If you find a solution, please answer it here so that we can share.

  • HT5439 Has anyone had the Network time and date error with Apple TV when traveling?

    Has anyone had the Network time and date error with Apple TV when traveling?

    Jasion,
    Maybe a bit beside the question, but it is always recommended here to open/save from/to own hard disk, and to copy from/to networks and removable media. You may be lucky, at least for a while, but it is better to be safe than sorry.
    In addition to the (far greater) risk of file corruption, some issues are mentioned here:
    http://helpx.adobe.com/illustrator/kb/illustrator-support-networks-removable-media.html
