Firewall blocks Apple's Network Time Protocol
Hi,
I admit to not fully understanding everything about the Firewall on OS X server 10.4.11 and I'm hoping someone can help with a little(?) problem.
On the WAN side, my "gateway" server is connected directly to my SpeedTouch 780 modem with a fixed IP address. On the LAN side are a couple of switches and then an Airport Extreme base station (192.168.2.249). This broadcasts wirelessly to a more distant Airport Express (192.168.2.247). Both WiFi devices are configured to obtain the time from Apple's European servers.
After completing a Carbon Copy Cloner of my OS partition and rebooting on my usual volume I noticed the following denials in my Firewall log:
Dec 28 12:50:16 nl1 ipfw: 65534 Deny UDP 17.72.255.12:123 192.168.2.249:3987 in via en0
Dec 28 12:40:25 nl1 ipfw: 65534 Deny UDP 17.72.255.12:123 192.168.2.247:3814 in via en0
In SA --> Firewall --> Settings --> Services --> Edit Services for: 192.168.1-net (en0/modem connection)
I have the "Allow only traffic for: 192.168.1-net on these ports" checked and
NTP - Network Time Protocol UDP/TCP is also checked.
Under, Edit Services for: any
I have the "Allow only traffic for: any" checked and
NTP - Network Time Protocol UDP/TCP is also checked.
Under, Edit Services for: 192.168.2-net (en1/LAN)
I have the "Allow all traffic for: 192.168.2-net" checked.
1) Why is this traffic being blocked?
2) Why does the port number seem to get changed in transit? (I've got NAT running and Open Directory).
3) Does the configuration under, "Allow only traffic for: any" overrule all other Firewall settings? So if for example a port under, "Allow only traffic for: 192.168.1-net on these ports" wasn't checked but was under, "Allow only traffic for: any", would the traffic be allowed through?
Thanks and happy new year!
Michael Franks
Do you have NTP activated? Does it work? If it doesn't and you have the firewall activated, then open the required port. If it is working then don't worry about it.
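The two denials quoted in the question can be read mechanically. The following is an added example, not part of the original thread: it parses ipfw log lines in the format shown above and picks out denied inbound packets that are NTP server replies (UDP source port 123, non-123 destination port). The third sample line is constructed for the example.

```python
import re
from collections import defaultdict

# First two lines are the denials quoted in the post; the third is constructed
# here (documentation address) to show traffic the check must not count.
SAMPLE_LOG = """\
Dec 28 12:50:16 nl1 ipfw: 65534 Deny UDP 17.72.255.12:123 192.168.2.249:3987 in via en0
Dec 28 12:40:25 nl1 ipfw: 65534 Deny UDP 17.72.255.12:123 192.168.2.247:3814 in via en0
Dec 28 12:41:02 nl1 ipfw: 65534 Deny TCP 203.0.113.9:40112 192.168.2.10:22 in via en0
"""

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)"
)
NTP_PORT = 123


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    match = IPFW_RE.search(line)
    if match is None:
        return None
    rec = match.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label a denied inbound packet by what its ports say about NTP."""
    if rec["action"] != "Deny" or rec["direction"] != "in" or rec["proto"] != "UDP":
        return "other"
    if rec["sport"] == NTP_PORT and rec["dport"] != NTP_PORT:
        # A server answers from port 123 to whatever source port the request
        # came from, so this is the return half of a client's query.
        return "ntp-reply"
    if rec["dport"] == NTP_PORT and rec["sport"] != NTP_PORT:
        return "ntp-request"      # a query aimed at a time server behind the firewall
    if rec["sport"] == NTP_PORT and rec["dport"] == NTP_PORT:
        return "ntp-ambiguous"    # ntpd-to-ntpd traffic uses 123 on both ends
    return "other"


def denied_ntp_replies(log_text):
    """Map each internal client to the (server, rule, interface) of every dropped reply."""
    dropped = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec and classify(rec) == "ntp-reply":
            dropped[rec["dst"]].append((rec["src"], rec["rule"], rec["iface"]))
    return dict(dropped)


if __name__ == "__main__":
    for client, drops in sorted(denied_ntp_replies(SAMPLE_LOG).items()):
        for server, rule, iface in drops:
            print(f"{client}: reply from {server}:123 dropped by rule {rule} on {iface}")
```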
Similar Messages
-
NTP(Network Time Protocol) Error whil installing Oracle 11gR2 RAC
Dear Friends,
I have installed Oracle 11gR2 clusterware software in a two-node RAC. When I run CLUVFY.SH, it shows an error in the NTP configuration.
1) I added the "-x" parameter to the "/etc/sysconfig/ntp" configuration file, started the ntpd service and ran cluvfy.sh. Then I got the error below.
Check: CTSS state
Node Name State
rac2 Observer
rac1 Observer
CTSS is in Observer state. Switching over to clock synchronization checks using NTP
Starting Clock synchronization checks using Network Time Protocol(NTP)...
NTP Configuration file check started...
The NTP configuration file "/etc/ntp.conf" is available on all nodes
NTP Configuration file check passed
Checking daemon liveness...
Check: Liveness for "ntpd"
Node Name Running?
rac2 no
rac1 no
Result: Liveness check failed for "ntpd"
PRVF-5415 : Check to see if NTP daemon is running failed
Result: Clock synchronization check using Network Time Protocol(NTP) failed
PRVF-9652 : Cluster Time Synchronization Services check failed
Post-check for cluster services setup was unsuccessful on all the nodes.
=============================================================================================
2) I brought down the ntpd service on both nodes and ran CLUVFY.SH.
Check: CTSS state
Node Name State
rac2 Observer
rac1 Observer
CTSS is in Observer state. Switching over to clock synchronization checks using NTP
Starting Clock synchronization checks using Network Time Protocol(NTP)...
NTP Configuration file check started...
The NTP configuration file "/etc/ntp.conf" is available on all nodes
NTP Configuration file check passed
Checking daemon liveness...
Check: Liveness for "ntpd"
Node Name Running?
rac2 no
rac1 yes
Result: Liveness check failed for "ntpd"
PRVF-5415 : Check to see if NTP daemon is running failed
Result: Clock synchronization check using Network Time Protocol(NTP) failed
PRVF-9652 : Cluster Time Synchronization Services check failed
Post-check for cluster services setup was unsuccessful on all the nodes.
==========================================================================
3) Based on some website advice, I brought down the ntpd service and moved "/etc/ntpd.conf" to another location. Then I got the error below.
Result: Query of CTSS for time offset passed
Check CTSS state started...
Check: CTSS state
Node Name State
rac2 Observer
CTSS is in Observer state. Switching over to clock synchronization checks using NTP
Starting Clock synchronization checks using Network Time Protocol(NTP)...
NTP Configuration file check started...
ERROR:
PRVF-5402 : Warning: Could not find NTP configuration file "/etc/ntp.conf" on node "rac2"
PRVF-5405 : The NTP configuration file "/etc/ntp.conf" does not exist on all nodes
rac2
PRVF-5414 : Check of NTP Config file failed on all nodes. Cannot proceed further for the NTP tests
Result: Clock synchronization check using Network Time Protocol(NTP) failed
PRVF-9652 : Cluster Time Synchronization Services check failed
=============================================================
What should I do to solve this issue? Please help me...
Hi,
I started the ntpd service on both nodes and ran CLUVFY.SH.
The output is below,
Checking if CTSS Resource is running on all nodes...
Check: CTSS Resource running on all nodes
Node Name Status
rac2 passed
rac1 passed
Result: CTSS resource check passed
Querying CTSS for time offset on all nodes...
Result: Query of CTSS for time offset passed
Check CTSS state started...
Check: CTSS state
Node Name State
rac2 Observer
rac1 Observer
CTSS is in Observer state. Switching over to clock synchronization checks using NTP
Starting Clock synchronization checks using Network Time Protocol(NTP)...
NTP Configuration file check started...
The NTP configuration file "/etc/ntp.conf" is available on all nodes
NTP Configuration file check passed
Checking daemon liveness...
Check: Liveness for "ntpd"
Node Name Running?
rac2 yes
rac1 yes
Result: Liveness check passed for "ntpd"
Checking NTP daemon command line for slewing option "-x"
Check: NTP daemon command line
Node Name Slewing Option Set?
rac2 yes
rac1 yes
Result:
NTP daemon slewing option check passed
Checking NTP daemon's boot time configuration, in file "/etc/sysconfig/ntpd", for slewing option "-x"
Check: NTP daemon's boot time configuration
Node Name Slewing Option Set?
rac2 yes
rac1 yes
Result:
NTP daemon's boot time configuration check for slewing option passed
NTP common Time Server Check started...
PRVF-5410 : Check of common NTP Time Server failed
PRVF-5416 : Query of NTP daemon failed on all nodes
Result: Clock synchronization check using Network Time Protocol(NTP) passed
Oracle Cluster Time Synchronization Services check passed
========================================================================================
[oracle@rac1 ~]$ /u01/app/grid/oracle/product/10.2.0/db_1/bin/cluvfy comp clocksync
Verifying Clock Synchronization across the cluster nodes
Checking if Clusterware is installed on all nodes...
Check of Clusterware install passed
Checking if CTSS Resource is running on all nodes...
CTSS resource check passed
Querying CTSS for time offset on all nodes...
Query of CTSS for time offset passed
Check CTSS state started...
CTSS is in Observer state. Switching over to clock synchronization checks using NTP
Starting Clock synchronization checks using Network Time Protocol(NTP)...
NTP Configuration file check started...
NTP Configuration file check passed
Checking daemon liveness...
Liveness check passed for "ntpd"
NTP daemon slewing option check passed
NTP daemon's boot time configuration check for slewing option passed
NTP common Time Server Check started...
PRVF-5410 : Check of common NTP Time Server failed
PRVF-5416 : Query of NTP daemon failed on all nodes
Clock synchronization check using Network Time Protocol(NTP) passed
Oracle Cluster Time Synchronization Services check passed
Verification of Clock Synchronization across the cluster nodes was successful.
[oracle@rac1 ~]$
================================================================================
I hope the problem is solved. Am I correct? -
Use network time protocol on cRIO to get timestamp?
I would like to grab a timestamp from a network time protocol server like NIST on a cRIO device connected to the internet. How can I do this? There has to be someone in our labview community that has done this before or knows how to do it. Code examples appreciated
[will work for kudos]
The network time protocol functionality of the crio synchronizes the crio's internal time to that of a Network Time Protocol server once per minute. This ensures the crio's time is always accurate within a few milliseconds (I forget the exact specs).
Using the article linked earlier I modified the ni-rt.ini file with the code given there and used the IP of one of the NIST Atomic Clock NTP servers in Boulder, Colorado, which I found here: http://tf.nist.gov/tf-cgi/servers.cgi
I have tested and confirmed this works quite well for my application.
From my understanding, you are trying to use the crio's NTP functionality to synchronize the crio to the clock on your computer. Considering the fact that the crio's clock is much more accurate than the one on your PC, this seems a little backwards. What I would suggest you do is find a program that synchronizes your computer's clock to an external NTP server and choose the same NTP server that you have configured the crio to synchronize to. I recommend one of the NIST servers I told you about. I do know that Windows has the ability to synchronize your clock to an NTP server of your choosing and you may not need to get any external software at all; you and your crio would just need an internet connection.
You did not specify what kind of accuracy in your synchronization you were hoping to achieve, but be sure to look at the specs of both the crio sync and the program on your pc to see what kind of accuracy you will be getting.
If this is not an option, there is another way to 'synchronize'. If you are using a crio-pc architecture where the pc is triggering an acquisition on the crio you can simply record the pc's time when the trigger is sent and send that timestamp over shared variable to the crio to be recorded along with your data as the time when the acquisition started. Then the dt between data points will remain constant so you can extrapolate timestamps from there.
I hope I helped. Let me know what you think.
[will work for kudos] -
HT4367 APPLE TV3 Network Time missing
Please, First time I've got my Apple TV and it's been working fine since March 2012 when I bought it... until now, because like many of you, when I downloaded Software 5.1, I now cannot set Network Time, adjust, etc. How long does the warranty last? Thanks.
Here's what finally worked for me with Apple TV 3rd generation. Out of the box, when setup with wi-fi, it breezed through without any issue. As soon as I powered down and connected it to another tv (same wi-fi network), it got stuck at setting date/time. The remote would help in getting out of it, but the home would only have "Computers" and "Settings" and pretty much useless except for AirPlay. Here's what I did to resolve this:
1. On your main router, temporarily disable the firewall or set it to the lowest setting allowable (a reboot of the router may be required).
2. Restart apple tv via the "restart" option in the "General" option in the main settings menu.
3. It should breeze through and not show the "Setting date/time" screen.
4. Once it loads up properly, turn on your firewall as before (a reboot of the router may be required).
I think it worked for me out of the box, but auto-update to the latest software introduced this bug. So, every time Apple TV tries to sync with the time server, this issue will come back. To disable this, I turned off the "auto time synch" option in Settings -> General.
I am fairly confident that I'd be able to use steps 1 through 4 anytime this recurs. Possible scenarios causing recurrence of this issue:
1. Unplugging the power to apple tv or power failures.
2. OS updates.
3. Restoring Apple TV using "Restore" or via micro-USB and iTunes to the latest OS.
Hope this helps. Please post if this works for you. -
How to get SNTP (Simple Network Time Protocol) time from any time Servers?
Hi All,
I am trying to get the date and time from any internet time servers (http://tf.nist.gov/service/time-servers.html). How do I get that within the java program.
ex: InetAddress address = InetAddress.getByName("time-nw.nist.gov");
then a variable holds the current date and time (optional any specific time zone)
Thanks in advance!
Gajen
Hi there,
As an update, AtomicDate (http://atomicdate.sourceforge.net) is a clean and flexible Java implementation of the NTP/SNTP protocol. Its main features are integration with the Spring Framework and a network time enabled version of java.util.Date. Cheers!
AP -
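What an SNTP client has to send and check on the wire, as an added example written in Python rather than Java; it is not from the thread and is not AtomicDate's code. The reply used offline is constructed by `constructed_reply()`, and `query()` is the only function that touches the network.

```python
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
PACKET_LEN = 48


def to_ntp_timestamp(unix_time):
    """Split Unix seconds into the 32-bit seconds / 32-bit fraction NTP uses."""
    seconds = (int(unix_time) + NTP_UNIX_DELTA) & 0xFFFFFFFF
    fraction = int((unix_time % 1) * 2**32) & 0xFFFFFFFF
    return seconds, fraction


def build_request(unix_now, version=4):
    """Client packet: LI=0, VN=version, Mode=3, only the transmit timestamp set."""
    first_byte = (version << 3) | 3
    return struct.pack("!B39xII", first_byte, *to_ntp_timestamp(unix_now))


def parse_reply(reply, request):
    """Validate a server reply against our request; return server time as Unix seconds."""
    if len(reply) < PACKET_LEN:
        raise ValueError("short packet")
    leap, mode, stratum = reply[0] >> 6, reply[0] & 0x7, reply[1]
    if mode != 4:
        raise ValueError("not a server-mode reply")
    if stratum == 0:
        code = reply[12:16].decode("ascii", "replace")
        raise ValueError(f"kiss-o'-death from server: {code}")
    if leap == 3:
        raise ValueError("server reports its clock is unsynchronized")
    if reply[24:32] != request[40:48]:
        # The originate field must echo our transmit timestamp; a mismatch
        # means a stale, duplicated or forged packet.
        raise ValueError("originate timestamp does not match request")
    seconds, fraction = struct.unpack("!II", reply[40:48])
    if seconds == 0 and fraction == 0:
        raise ValueError("transmit timestamp is zero")
    # Valid for NTP era 0 (timestamps before the 2036 rollover).
    return seconds - NTP_UNIX_DELTA + fraction / 2**32


def constructed_reply(request, server_unix_time, stratum=1):
    """Build a sample server reply for offline use (constructed, not captured)."""
    sec, frac = to_ntp_timestamp(server_unix_time)
    header = struct.pack("!BBbb", (4 << 3) | 4, stratum, 6, -20)   # LI=0 VN=4 Mode=4
    body = struct.pack("!II4s", 0, 0, b"NIST")   # root delay, dispersion, reference ID
    stamps = (struct.pack("!II", sec, frac)      # reference timestamp
              + request[40:48]                   # originate = client's transmit
              + struct.pack("!IIII", sec, frac, sec, frac))   # receive, transmit
    return header + body + stamps


def query(server, timeout=5.0):
    """Ask a live server (UDP port 123) and return its time as Unix seconds."""
    request = build_request(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
    return parse_reply(reply, request)
```

With network access, `query("time-nw.nist.gov")` uses the host name from the question; the UDP port 123 it needs is the same one the firewall threads on this page discuss.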
Hello,
In the Date and Time settings box there is a checkbox to have your server set its time automatically and it is by default set to receive its time from time.apple.com.
I read that you need to open port 123 on your firewall to have a client receive updated time from a time server that is off site. Is this true for 10.4 servers? Or did Apple set it up so you don't have to mess with your firewall?
Robert
Do you have NTP activated? Does it work? If it doesn't and you have the firewall activated, then open the required port. If it is working then don't worry about it.
-
Update NTP (Network Time Protocol) wiki article?
I was trying to set up automatic clock synchronization, so I went here https://wiki.archlinux.org/index.php/Ne … e_Protocol to see how I could do that: first thing it says to install ntp, and that's easy, but then the configuration section is very different from the default /etc/ntp.conf coming with the repository package (version 4.2.6.p2-1), so this is the first reason why I think the article should be updated.
After that I started KISS-wondering why I should use a memory/bandwidth/cpu-eating daemon if what I want is just synchronize my clock at boot time, nothing more; in fact, configuring ntp that way is useful only for a ntp server, but I'm pretty confident that the large majority of people visiting that page are just looking for a way to sync their clock, so I think that the NTP part of the page should be split in 2 or even better 3 sub sections: 1) ntp server configuration (with ntpd running); 2) simple ntp clock synchronization (with ntpd running); 3) ntp clock synchronization (at boot time or as a cron event) (without ntpd running).
Subsection 3) should explain how to configure ntp.conf (and maybe /etc/rc.local ? I'm still studying on this) just to be able to have this command
ntpd -qg
automatically executed at boot time: maybe appending it to /etc/rc.local (but I'm afraid it's slightly more complicated than that, I'm still studying on it); it could also be reminded that it's possible to run that command at predefined time intervals by creating a cron event.
Is somebody with more knowledge than me interested in helping?
(Excuse my approximate English...)
Ok, I finally managed to find the time to revise the ntp.conf section, this is my first attempt to it:
===/etc/ntp.conf===
The first thing you define in your ntp.conf is the servers your machine will synchronize to.
NTP servers are classified in a hierarchical system with many levels called "strata": the devices which are considered independent time sources are classified as "stratum 0" sources; the servers directly connected to stratum 0 devices are classified as "stratum 1" sources; servers connected to stratum 1 sources are then classified as "stratum 2" sources and so on. It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability.
Typically, stratum 2 servers are used for general synchronization purposes: if you don't already know the servers you're going to connect to, you should use the pool.ntp.org servers (http://www.pool.ntp.org/ or http://support.ntp.org/bin/view/Servers/NTPPoolServers) and choose the server pool that is closest to your location.
The following lines are just an example:
server 0.it.pool.ntp.org iburst
server 1.it.pool.ntp.org iburst
server 2.it.pool.ntp.org iburst
server 3.it.pool.ntp.org iburst
The iburst option is recommended, and sends a burst of packets if it cannot obtain a connection with the first attempt. The "burst" option should never be used without explicit permission and will likely result in blacklisting.
If you're setting up a ntp server, you need to add localhost as a server, so that, in case it loses internet access, it won't stop serving time to the network; add localhost as a "stratum 10" server (using the "fudge" command) so that it will never be used unless internet access is lost:
server 127.127.1.0
fudge 127.127.1.0 stratum 10
The next thing you have to do is add the drift file (which keeps track of your clock's time deviation) and optionally the log file location:
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
Now all that's left to do is define the rules that will allow clients to connect to your service (localhost is considered a client too) using the "restrict" command; you should already have a line like this in your file:
restrict default nomodify nopeer
This restricts everyone from modifying anything and prevents everyone from querying your time server.
You can also add other options:
restrict default kod nomodify notrap nopeer noquery
In the past, "notrust" option was used too, but its function has changed to mean that authentication with a key is required.
Following this line, you need to tell ntpd what to allow through into your server; the following line is enough if you're not configuring a ntp server:
restrict 127.0.0.1
Otherwise you can add more clients like in this example:
restrict 1.2.3.4 nomodify
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
This tells ntpd that 1.2.3.4 and all IP addresses from the 192.168.0.0 range will be allowed to synchronize on this server, but they will not be allowed to modify anything. All other IP addresses in the world will still obey the default restrictions (the first line in the ntp.conf).
In the end, the complete file will look like this (almost all original comments have been stripped out for clarity):
# Name of the servers ntpd should sync with (these are for Italy as an example)
server 0.it.pool.ntp.org iburst
server 1.it.pool.ntp.org iburst
server 2.it.pool.ntp.org iburst
server 3.it.pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
restrict default nomodify nopeer
restrict 127.0.0.1
For a more in-depth explanation of the file, especially if you want to configure your machine as a ntp server, the Gentoo Wiki has a more detailed description.
Lastly, never forget man pages:
$ man ntp.conf
is likely to answer most of your remaining doubts.
Last edited by kynikos (2011-02-06 23:15:03) -
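The draft quotes two `restrict default` lines with different flag sets. The following is an added example, not part of the post or of the wiki: it parses an ntp.conf, compares each `restrict default` line against the fuller line quoted in the draft, and flags any `server` line that uses `burst`. The flag descriptions are taken from the ntp.conf access-control documentation, and the function names are chosen for this example.

```python
# Flags of the fuller "restrict default" line quoted in the post.
REFERENCE_FLAGS = ("kod", "nomodify", "notrap", "nopeer", "noquery")

# What each flag does, per the ntp.conf access-control documentation.
FLAG_EFFECT = {
    "kod": "send a kiss-o'-death packet when access is denied",
    "nomodify": "refuse ntpq/ntpdc requests that change server state",
    "notrap": "refuse to set up mode 6 control-message traps",
    "nopeer": "refuse packets that would create a new unauthenticated association",
    "noquery": "refuse all ntpq/ntpdc queries (time service itself still works)",
}

# The "complete file" from the post, reproduced as the input under test.
POST_CONF = """\
# Name of the servers ntpd should sync with (these are for Italy as an example)
server 0.it.pool.ntp.org iburst
server 1.it.pool.ntp.org iburst
server 2.it.pool.ntp.org iburst
server 3.it.pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
restrict default nomodify nopeer
restrict 127.0.0.1
"""


def parse_ntp_conf(text):
    """Return (restricts, servers): lists of (address, flag-set) and (host, option-set)."""
    restricts, servers = [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(words) < 2:
            continue
        keyword = words[0]
        args = [w for w in words[1:] if w not in ("-4", "-6")]
        if keyword == "restrict" and args:
            address, flags = args[0], args[1:]
            if flags[:1] == ["mask"] and len(flags) >= 2:
                address, flags = f"{address} mask {flags[1]}", flags[2:]
            restricts.append((address, set(flags)))
        elif keyword in ("server", "pool") and args:
            servers.append((args[0], set(args[1:])))
    return restricts, servers


def audit_ntp_conf(text):
    """List findings: default-restrict flags missing versus REFERENCE_FLAGS, and burst use."""
    restricts, servers = parse_ntp_conf(text)
    findings = []
    defaults = [flags for address, flags in restricts if address == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: no baseline restriction is configured")
    for flags in defaults:
        for flag in REFERENCE_FLAGS:
            if flag not in flags:
                findings.append(f"restrict default lacks {flag}: does not {FLAG_EFFECT[flag]}")
    for host, options in servers:
        if "burst" in options:    # exact match, so iburst is not flagged
            findings.append(f"server {host} uses burst: the post reserves it for explicit permission")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp_conf(POST_CONF):
        print(finding)
```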
Installation of Network Time Protocol Security Fix
Hi....
Per App Store, I installed the fix with no issues clicking "install now." But, Mom's Mac did the automatic install. She saw the message window saying a security update was installed. But, in the Application Store Upgrade section, this security upgrade is not listed. Previous software updates are listed. For "fun of it" I downloaded the pkg with the update and "re-installed" it on my Mac, It installed.
Questions:
1. Did I mess up my Mac by doing the install twice?
2. If not, can I do the same on Mom's Mac to be sure the update is installed?
3. Why wouldn't the automatic install (on Mom's machine) not show up on the list of updates? Is this the usual state for automatic updates?
4. What could I look at to see if the update was installed besides the update list where it doesn't show up?
Thanks!
John, many thanks! Took me a bit to find the install.log, but yes, the entry was there. For my "self install" on the package, log said, "Installed "NTPUpdateYosemite-2"
BTW: I checked the fingerprint of the package I downloaded, and it did not match the fingerprint in this Apple article at "How to verify the authenticity of manually downloaded Apple Software Updates - Apple Support". But, the fingerprint of the package I downloaded did match the fingerprint of the package for the "Digital Camera RAW Compatibility 6.02" package that came out Dec 15th. So, I think that the package I used was legit. Make sense?
ALSO...I did find this info on Apple website posted today: "About OS X NTP Security Update - Apple Support". It has terminal command for seeing if your NTP is updated. [Just saw you edited your reply to include this]
And, finally....Thanks so much for helping a relative newbie to software "stuff" -
Can't access iTunes Store or Home Sharing on Apple TV 2, keeps telling me that network time needs to be set. When I go to time zone section on Apple TV - I chose a city...but still no luck. Apparently, can't do anything without the time being set. How do I set this up?
Yes, I did (turning off and then on again is a way of life for any windows user!). Actually, through a process of trial and error I have fixed the problem although I'm not very comfortable with the fix. For some reason, the OS X firewall is to blame. By relaxing the firewall settings to their most lenient, the iTunes store is now fully accessible via iTunes, and so is the whole of the apple website. Another added side effect has been that general web browsing is now lightning fast.
I'm therefore left with the (temporary) conclusion that my iMac's internal firewall is only capable of blocking access to the web resources of the people who created it, and slowing my web browser to a crawl. -
I have turned firewall off but my iPhone will still not update. It still says 'network time out'. I am using a Dell laptop and I want to update my iPhone 4 to iOS 5.
Things in this thread might be helpful too.
https://discussions.apple.com/thread/3382814?start=0&tstart=0 -
Apple TV is asking me to set network time. how to do this?
Apple TV is asking to set network time. How is this done?
Assuming this is not the first time you have used your Apple TV
You might try restarting the Apple TV by removing ALL the cables for 30 seconds.
Also try restarting the router.
If the problem persists, try a restore, you may want to try the previous procedures several times before doing this.
If this is a new Apple TV, it may also be that your network router is not allowing access to the timeserver, check that your router allows access over port 123. -
Apple TV. setting network time
My school's wifi network demands that I log in before using, and Apple TV tries to set network time before I log in. How can I set network time after I log in to the network? I don't seem to see a menu item for this.
Apple TV cannot set the network time + date
-
Apple TV 2 is asking for network time before I can purchase a movie? Even restarted it and still did the same thing.
How do you fix this? My wifi is operating 100% connected and I can access the iTunes Movies etc. How do I get it to work again?
Welcome to the Apple Community.
If you've had it working previously, try restarting the Apple TV by removing ALL the cables for 30 seconds, or a restore if the problem persists. -
My Apple TV shows "Apple TV can't sign in to the iTunes Store until the network time has been set."... What is the network time? How do I resolve this?
Ronaldo, I'm also in Brazil... It seems to be a problem with us... I've been searching the internet and many people have the same problem.
I also have a thread open here... If you find a solution, please answer it here so that we can share. -
HT5439 Has anyone had the Network time and date error with Apple TV when traveling?
Has anyone had the Network time and date error with Apple TV when traveling?
Jasion,
Maybe a bit beside the question, but it is always recommended here to open/save from/to own hard disk, and to copy from/to networks and removable media. You may be lucky, at least for a while, but it is better to be safe than sorry.
In addition to the (far greater) risk of file corruption, some issues are mentioned here:
http://helpx.adobe.com/illustrator/kb/illustrator-support-networks-removable-media.html