
NTP not getting thru firewall - SCO


  1. #1

    NTP not getting thru firewall

    Am running SCO 5.0.2 with all relevant patches applied.
    I have a separate gateway router & firewall on the lan with port 123 allowed
    in/out for both tcp and udp.

    Am trying to update the time with : ntpdate 131.107.1.10

    With the firewall up I get the message:
    # ntpdate 131.107.1.10
    ntpdate: no server suitable for synchronization found

    If I use the -d option it appears to work fine as under, albeit the time
    does not get updated.
    # ntpdate -d 131.107.1.10
    ntpdate: ntpdate version=3.2; Tue Sep 7 16:54:10 CDT 1993 (1)
    transmit(131.107.1.10)
    receive(131.107.1.10)
    etc, etc....
    ntpdate: adjust time server 131.107.1.10 offset 0.0505108


    When I take the firewall down and try this:

    # ntpdate 131.107.1.10
    ntpdate: adjust time server 131.107.1.10 offset 0.0505108
    All works OK. Thus the firewall is causing the problem.

    1. Is there some other port I should be allowing thru the firewall???
    2. Does anyone know why the -d option 'seems' to work ok?

    Would greatly appreciate any thoughts or suggestions on these.

    Kind regards,

    John Clarke


    John Clarke Guest

  2. #2

    Re: NTP not getting thru firewall

    John Clarke typed (on Mon, Jun 30, 2003 at 05:23:18PM +0930):
    | Am running SCO 5.0.2 with all relevant patches applied.
    | I have a separate gateway router & firewall on the lan with port 123 allowed
    | in/out for both tcp and udp.
    |
    | Am trying to update the time with : ntpdate 131.107.1.10
    |
    | With the firewall up I get the message:
    | # ntpdate 131.107.1.10
    | ntpdate: no server suitable for synchronization found
    |
    | If I use the -d option it appears to work fine as under, albeit the time
    | does not get updated.
    | # ntpdate -d 131.107.1.10
    | ntpdate: ntpdate version=3.2; Tue Sep 7 16:54:10 CDT 1993 (1)
    | transmit(131.107.1.10)
    | receive(131.107.1.10)
    | etc, etc....
    | ntpdate: adjust time server 131.107.1.10 offset 0.0505108
    |
    |
    | When I take the firewall down and try this:
    |
    | # ntpdate 131.107.1.10
    | ntpdate: adjust time server 131.107.1.10 offset 0.0505108
    | All works OK. Thus the firewall is causing the problem.
    |
    | 1. Is there some other port I should be allowing thru the firewall???
    | 2. Does anyone know why the -d option 'seems' to work ok?
    |
    | Would greatly appreciate any thoughts or suggestions on these.

    Have you tried the -u option?

    --
    JP
    Jean-Pierre Radley Guest

  3. #3

    Re: NTP not getting thru firewall


    "Jean-Pierre Radley" <jprjpr.com> wrote in message
    news:20030630140256.GA2585jpradley.jpr.com...
    > John Clarke typed (on Mon, Jun 30, 2003 at 05:23:18PM +0930):
    > | Am running SCO 5.0.2 with all relevant patches applied.
    > | I have a separate gateway router & firewall on the lan with port 123 allowed
    > | in/out for both tcp and udp.
    > |
    > | Am trying to update the time with : ntpdate 131.107.1.10
    > |
    > | With the firewall up I get the message:
    > | # ntpdate 131.107.1.10
    > | ntpdate: no server suitable for synchronization found
    > |
    > | If I use the -d option it appears to work fine as under, albeit the time
    > | does not get updated.
    > | # ntpdate -d 131.107.1.10
    > | ntpdate: ntpdate version=3.2; Tue Sep 7 16:54:10 CDT 1993 (1)
    > | transmit(131.107.1.10)
    > | receive(131.107.1.10)
    > | etc, etc....
    > | ntpdate: adjust time server 131.107.1.10 offset 0.0505108
    > |
    > |
    > | When I take the firewall down and try this:
    > |
    > | # ntpdate 131.107.1.10
    > | ntpdate: adjust time server 131.107.1.10 offset 0.0505108
    > | All works OK. Thus the firewall is causing the problem.
    > |
    > | 1. Is there some other port I should be allowing thru the firewall???
    > | 2. Does anyone know why the -d option 'seems' to work ok?
    > |
    > | Would greatly appreciate any thoughts or suggestions on these.
    >
    > Have you tried the -u option?
    >
    > --
    > JP
    JP,

    Thanks for the suggestion but there is nothing in 'man ntpdate' about -u.

    Also,

    # ntpdate -u 131.107.1.10
    ntpdate: unknown option -u
    usage: ntpdate [-bdqsv] [-a key#] [-e authdel] [-k file] [-o version] [-p samples] [-t timeout] server ...

    John


    John Clarke Guest

  4. #4

    Re: NTP not getting thru firewall

    John Clarke typed (on Tue, Jul 01, 2003 at 09:10:56AM +0930):
    |
    | "Jean-Pierre Radley" <jprjpr.com> wrote in message
    | news:20030630140256.GA2585jpradley.jpr.com...
    | > John Clarke typed (on Mon, Jun 30, 2003 at 05:23:18PM +0930):
    | > | Am running SCO 5.0.2 with all relevant patches applied.
    | > | Would greatly appreciate any thoughts or suggestions on these.
    | >
    | > Have you tried the -u option?
    |
    | Thanks for the suggestion but there is nothing in 'man ntpdate' about -u.

    Sorry, I don't have a 5.0.2 machine accessible anywhere.
    I was reading a 5.0.7 man page...

    --
    JP
    Jean-Pierre Radley Guest

  5. #5

    Re: NTP not getting thru firewall


    If your firewall is also doing network address translation, it's most
    likely changing the source port from 123 to another UDP port. Normally
    NTP requests are from port 123 to port 123, so when the source port is
    different the request is often blocked by the remote site's firewall or
    ignored by the NTP server. Depending on the firewall you're using, you
    may be able to statically map UDP port 123 to your private internal IP
    address, that should keep your NATed source port as UDP 123.



    Now that port mapping can leave your internal host open to the Internet
    on UDP 123 so make sure to set up a reflexive access-list or stateful
    packet inspection to only allow inbound connections from hosts directly
    after connecting outbound to them. Hope that helps!



    Chris Bethel

    Senior Network Engineer


    --
    Posted via http://dbforums.com
    bimmer95 Guest
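
An added example, not part of the thread and not code from any poster: a small Python probe for the source-port behaviour described in post #5. It sends one NTP client query from a chosen UDP source port, so a query from port 123 can be compared with one from an ephemeral port through the same firewall. The function names are hypothetical; binding to port 123 requires root and no local NTP daemon already holding the port.

```python
import socket
import struct
import sys
import time

NTP_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def to_ntp(unix):
    """Unix seconds -> (seconds, fraction) 32.32 NTP timestamp."""
    return (int(unix) + NTP_DELTA) & 0xFFFFFFFF, int((unix % 1) * 2**32)

def from_ntp(secs, frac):
    return secs - NTP_DELTA + frac / 2**32

def build_request(now, version=3):
    """48-byte client packet: LI=0, VN=version, Mode=3, transmit time = now."""
    pkt = bytearray(48)
    pkt[0] = (version << 3) | 3
    struct.pack_into("!II", pkt, 40, *to_ntp(now))
    return bytes(pkt)

def parse_reply(request, reply, t4):
    """Validate a server reply and return (stratum, clock offset in seconds)."""
    if len(reply) < 48 or reply[0] & 7 != 4:
        raise ValueError("not an NTP server-mode reply")
    # A genuine reply echoes our transmit timestamp in its originate field.
    if reply[24:32] != request[40:48]:
        raise ValueError("originate timestamp does not echo our request")
    t1, t2, t3 = (from_ntp(*struct.unpack_from("!II", reply, off))
                  for off in (24, 32, 40))  # originate, receive, transmit
    return reply[1], ((t2 - t1) + (t3 - t4)) / 2

def probe(server, source_port, timeout=3.0):
    """One query from source_port (0 = ephemeral; 123 requires root).
    Returns (stratum, offset), or None when no reply arrives in time."""
    request = build_request(time.time())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", source_port))
        s.sendto(request, (server, 123))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_reply(request, reply, time.time())

if __name__ == "__main__" and len(sys.argv) > 1:
    for port in (123, 0):  # privileged NTP source port, then ephemeral
        print("source port", port or "ephemeral", "->", probe(sys.argv[1], port))
```

Run it as root with the server address as the only argument. A reply from the ephemeral port but `None` from port 123 (or the reverse) shows which source port the firewall or NAT path is dropping.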
