
🔥 NTP Firewall Guide

Configure firewall rules to allow NTP traffic (UDP 123)

Understanding NTP & Firewalls

NTP Protocol Requirements

NTP uses UDP port 123 for both the source and the destination port. Both the outbound queries AND the inbound replies on UDP 123 must be allowed.

Why NTP Gets Blocked

Issue            | Cause                                         | Impact
Outbound blocked | Firewall blocks UDP 123 to external servers   | Cannot sync with any NTP server
Inbound blocked  | Stateful firewall drops response packets      | Timeout errors, "unreachable" status
NAT issues       | Source port changes during NAT translation    | Symmetric NAT breaks NTP
ISP blocking     | Some ISPs block UDP 123 entirely              | Must use alternative methods

Security Consideration

NTP amplification attacks are a known DDoS vector. Only open port 123 where necessary. Consider using restrict directives in ntp.conf to limit who can query your NTP service.

Linux: iptables Configuration

Allow Outbound NTP (Client Mode)

# Allow outbound NTP requests
root@server:~# iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

# Allow inbound NTP responses (static rule matched on source port 123)
root@server:~# iptables -A INPUT -p udp --sport 123 -j ACCEPT

# Or use connection tracking (recommended)
root@server:~# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow Inbound NTP (Server Mode)

# If running as NTP server, allow incoming queries
root@server:~# iptables -A INPUT -p udp --dport 123 -j ACCEPT
root@server:~# iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

Save Rules Permanently

# Debian/Ubuntu
root@server:~# iptables-save > /etc/iptables/rules.v4

# RHEL/CentOS (legacy)
root@server:~# service iptables save

Linux: firewalld (RHEL/CentOS/Fedora)

Enable NTP Service

# Allow NTP permanently
root@server:~# firewall-cmd --permanent --add-service=ntp

# Reload firewall
root@server:~# firewall-cmd --reload

# Verify
root@server:~# firewall-cmd --list-services
ssh dhcpv6-client ntp

Or Open Port Directly

# Add UDP port 123
root@server:~# firewall-cmd --permanent --add-port=123/udp
root@server:~# firewall-cmd --reload

Zone-Specific Configuration

# Add to specific zone
root@server:~# firewall-cmd --zone=public --permanent --add-service=ntp
root@server:~# firewall-cmd --reload

Linux: ufw (Ubuntu/Debian)

Simple Configuration

# Allow NTP outbound and inbound
root@server:~# ufw allow 123/udp

# Check status
root@server:~# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 123/udp                    ALLOW IN    Anywhere
[ 2] 123/udp (v6)               ALLOW IN    Anywhere (v6)

Allow Only Outbound (More Secure)

# For client-only systems (outbound only)
root@server:~# ufw allow out 123/udp

Restrict to Specific Servers

# Only allow NTP to specific server
root@server:~# ufw allow out to 195.154.XXX.XXX port 123 proto udp
root@server:~# ufw allow in from 195.154.XXX.XXX port 123 proto udp

Windows Firewall

PowerShell Commands

# Allow NTP outbound
PS C:\> New-NetFirewallRule -DisplayName "NTP Outbound" -Direction Outbound -Protocol UDP -RemotePort 123 -Action Allow

# Allow NTP inbound (for responses)
PS C:\> New-NetFirewallRule -DisplayName "NTP Inbound" -Direction Inbound -Protocol UDP -LocalPort 123 -Action Allow

GUI Method

  1. Open Windows Defender Firewall with Advanced Security
  2. Click Inbound Rules → New Rule
  3. Select Port → UDP → Specific local ports: 123
  4. Select Allow the connection
  5. Apply to Domain, Private, Public as needed
  6. Name: "NTP UDP 123"
  7. Repeat for Outbound Rules

Check Windows Time Service

# Verify Windows Time service is using network
C:\> w32tm /query /status
C:\> w32tm /query /peers

Enterprise Firewalls

Cisco ASA

! Allow NTP from internal to external
access-list OUTSIDE_IN extended permit udp any any eq 123
access-list INSIDE_OUT extended permit udp any any eq 123

Palo Alto

# Security Policy
Source Zone:      trust
Destination Zone: untrust
Application:      ntp
Service:          application-default
Action:           Allow

pfSense / OPNsense

  1. Go to Firewall → Rules → LAN
  2. Add rule: Protocol UDP, Destination Port 123
  3. Action: Pass
  4. Description: "Allow NTP"

NAT Considerations

If your firewall performs NAT, ensure it maintains source port 123 or that your NTP client supports symmetric NAT (chronyd does, ntpd may have issues).

Testing NTP Connectivity

Test UDP Port 123

# Using netcat
root@server:~# nc -vzu ntp.rdem-systems.com 123
Connection to ntp.rdem-systems.com 123 port [udp/ntp] succeeded!

# Using nmap
root@server:~# nmap -sU -p 123 ntp.rdem-systems.com
PORT    STATE SERVICE
123/udp open  ntp

Test NTP Protocol

# Using ntpdate (query mode)
root@server:~# ntpdate -q ntp.rdem-systems.com
server 195.154.XXX.XXX, stratum 1, offset 0.000234, delay 0.02563
14 Jan 11:30:45 ntpdate[12345]: adjust time server 195.154.XXX.XXX offset 0.000234 sec

# Using sntp
root@server:~# sntp ntp.rdem-systems.com

Diagnose Blocked NTP

# Check for firewall drops in logs
root@server:~# dmesg | grep -i "DROP.*123"
root@server:~# journalctl -k | grep -i "DROP"

# Trace NTP packets
root@server:~# tcpdump -i any port 123 -nn
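The grep commands above only find drops that a netfilter LOG rule actually wrote to the kernel log; a bare DROP target is silent. As an added example (not part of this guide), the following Python parses such log lines and sorts the NTP-related drops into the failure categories from the table at the top of the page. The log lines are constructed samples and the "DROP: " log prefix is an assumption about how the LOG rule was configured.

```python
import re

# Constructed sample kernel log lines (not captured output) in the netfilter LOG target format.
# They exist only if a LOG rule precedes the DROP, here assumed with --log-prefix "DROP: ".
SAMPLE_LOG = """\
[ 1201.001] DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123 LEN=56
[ 1201.002] DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=76 TTL=52 PROTO=UDP SPT=123 DPT=51234 LEN=56
[ 1201.003] DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=44012 DPT=22
[ 1201.004] DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=76 TTL=52 PROTO=UDP SPT=123 DPT=123 LEN=56
"""

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse_drop(line):
    """Return the netfilter key=value fields of one DROP log line as a dict, else None."""
    if "DROP" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def classify_ntp_drop(fields):
    """Map a dropped UDP/123 packet onto the guide's failure table; None if it is not NTP."""
    if fields.get("PROTO") != "UDP" or "123" not in (fields.get("SPT"), fields.get("DPT")):
        return None
    if fields.get("OUT") and not fields.get("IN"):
        return "outbound"           # our own query never left the host: OUTPUT chain blocks UDP 123
    if fields.get("DPT") == "123":
        return "inbound:123"        # reply to an ntpd-style query (sport 123), or a query if we serve
    return "inbound:ephemeral"      # reply to a chrony-style query: INPUT must accept it (conntrack)

def summarize(log_text):
    """Count NTP-related drops by category over a block of kernel log text."""
    counts = {}
    for line in log_text.splitlines():
        fields = parse_drop(line)
        if not fields:
            continue
        kind = classify_ntp_drop(fields)
        if kind:
            counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Feed it `journalctl -k` or `dmesg` output instead of SAMPLE_LOG to see which chain is dropping your NTP traffic.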

Successful Test Output

If you see responses with stratum levels 1-4 and reasonable offset values, your firewall is correctly configured for NTP.
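To apply these success criteria without relying on ntpdate or sntp being installed, here is an added example (not code from this guide) of a minimal SNTP probe in Python: it builds the 48-byte client request, parses the server reply, computes offset and delay from the four RFC 4330 timestamps, and checks for stratum 1-4 and a small offset. The 1-second offset threshold and the sample reply used for offline testing are assumptions, not values from the page.

```python
import socket
import struct
import time
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era) to 1970-01-01 (Unix)

def _to_ntp(t):
    """Split a Unix float timestamp into the (seconds, fraction) NTP timestamp fields."""
    return int(t) + NTP_EPOCH_OFFSET, int((t - int(t)) * (1 << 32))

def _to_unix(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def build_request(t1):
    """48-byte client packet: LI=0, VN=4, Mode=3, transmit timestamp = T1."""
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 3
    struct.pack_into("!II", pkt, 40, *_to_ntp(t1))
    return bytes(pkt)

def parse_reply(data, t4):
    """Extract stratum, clock offset and round-trip delay (RFC 4330) from a server reply."""
    if len(data) < 48 or data[0] & 0x07 != 4:
        raise ValueError("not a 48-byte mode-4 NTP server reply")
    t1 = _to_unix(*struct.unpack_from("!II", data, 24))  # originate: our T1 echoed back
    t2 = _to_unix(*struct.unpack_from("!II", data, 32))  # receive timestamp at the server
    t3 = _to_unix(*struct.unpack_from("!II", data, 40))  # transmit timestamp from the server
    return {"stratum": data[1],
            "offset": ((t2 - t1) + (t3 - t4)) / 2,
            "delay": (t4 - t1) - (t3 - t2)}

def looks_healthy(result, max_offset=1.0):
    """The guide's success criteria: stratum 1-4 and a reasonable offset (threshold assumed)."""
    return 1 <= result["stratum"] <= 4 and abs(result["offset"]) <= max_offset

def query(host, port=123, timeout=2.0):
    """Live probe; a socket timeout (no reply at all) is the usual sign of filtered UDP 123."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(t1), (host, port))
        data, _ = s.recvfrom(512)
    return parse_reply(data, time.time())

def make_reply(t1, t2, t3, stratum=1):
    """Constructed mode-4 server reply for offline testing (not a captured packet)."""
    pkt = bytearray(48)
    pkt[0], pkt[1] = (4 << 3) | 4, stratum
    for off, t in ((24, t1), (32, t2), (40, t3)):
        struct.pack_into("!II", pkt, off, *_to_ntp(t))
    return bytes(pkt)
```

Run `looks_healthy(query("ntp.rdem-systems.com"))` from the host behind the firewall; a `socket.timeout` means no reply got through, while a stratum of 0 or 16 means the server answered but is not synchronised.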

Test Your Configuration

After configuring your firewall, verify everything works by running the port and protocol tests above from a host behind the firewall.
