ntpd and firewall

John DeDourek dedourek at unb.ca
Fri Jan 28 13:44:40 UTC 2005



Markku Kolkka wrote:

> Joel Stookey wrote in his message (sent Friday, 28 January
> 2005 07:37):
> 
>>I am running a workstation FC1 installation on a dial-up
>>connection and want to connect ntpd to a server for a time
>>correction.  I think I have it worked out except for how to
>>assure that UDP port 123 will open for it
> 
> 
> This is only needed if you want to use your machine as an NTP 
> server for other machines. You can make NTP queries from your 
> machine to NTP servers without changing anything in the default 
> firewall configuration.
> 
POSSIBLY not true.  Remember that you need to allow packets in
both directions for both the client and server cases.

Technical explanation:
When using the "ipchains" version of the
firewall, there is no "stateful filtering", so you need to allow
packets in both directions specifically, through a default
allow policy (often used for outgoing) and possibly individual
rules for the incoming.
When using the "iptables" version of the firewall, which is normally
configured with "connection tracking", the statement becomes true.
A client sends a packet, and the connection tracking remembers
the outgoing packet and automatically punches the incoming
reply to the client through the firewall (provided it arrives
"soon enough", which from my experience it normally does).
UNFORTUNATELY, I don't remember which version of the firewall
(ipchains or iptables) is installed by default for fc ONE
(which was specified in the original query), and I have no
way of knowing whether this was changed by the author of the
question.
ALSO, at some point Fedora did introduce a thing that automatically
punched holes in the firewall based on the servers specified
in the ntp configuration.  Note that this is unnecessary
for the iptables firewall, however (see above), which, if
I recall correctly, is where it was introduced.
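
Added example (not part of the original post or of any Fedora code): a small
Python model of the two filtering styles described above, run against an ntpd
client query.  It shows why a stateless (ipchains-style) INPUT DROP policy eats
the server's reply unless a 123->123 rule is added, why connection tracking
lets the same reply through without any rule, and what "soon enough" means:
a reply arriving after the UDP tracking entry has expired is dropped again.
The addresses (from the RFC 5737 documentation ranges), the 30-second UDP
tracking timeout and the rule format are assumptions chosen for illustration,
not values taken from an FC1 configuration.

```python
# Added example (not from the original mailing-list post): toy model of
# ipchains-style stateless filtering vs iptables connection tracking,
# applied to an NTP client query.  Addresses, the 30 s UDP tracking
# timeout and the rule format are assumptions for illustration.
from dataclasses import dataclass

CLIENT = "192.0.2.10"         # assumed dial-up host running ntpd (TEST-NET-1)
SERVER = "198.51.100.5"       # assumed upstream NTP server (TEST-NET-2)
NTP_PORT = 123                # ntpd sends its queries from and to UDP 123
UDP_CONNTRACK_TIMEOUT = 30.0  # assumed nf_conntrack_udp_timeout for an unreplied entry


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    t: float  # arrival time in seconds, used only for the timeout check


def _matches(rule, pkt):
    """rule = (sport, dport, verdict); None means 'any port'."""
    sport, dport, _ = rule
    return (sport is None or pkt.sport == sport) and (dport is None or pkt.dport == dport)


class StatelessFirewall:
    """ipchains-style: every packet is judged on its own.
    OUTPUT policy ACCEPT; INPUT policy DROP unless an explicit rule matches."""

    def __init__(self, input_rules=()):
        self.input_rules = list(input_rules)

    def outbound(self, pkt):
        return "ACCEPT"

    def inbound(self, pkt):
        for rule in self.input_rules:
            if _matches(rule, pkt):
                return rule[2]
        return "DROP"


class StatefulFirewall(StatelessFirewall):
    """iptables-style with connection tracking: an outgoing packet creates a
    tracking entry, and the matching reply is accepted (like
    -m state --state ESTABLISHED) as long as it arrives before the entry expires."""

    def __init__(self, input_rules=()):
        super().__init__(input_rules)
        self.conntrack = {}  # (src, sport, dst, dport) -> expiry time

    def outbound(self, pkt):
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t + UDP_CONNTRACK_TIMEOUT
        return "ACCEPT"

    def inbound(self, pkt):
        # The reply to a tracked flow has the 4-tuple reversed.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.conntrack.get(key)
        if expiry is not None:
            if pkt.t <= expiry:
                return "ACCEPT"          # ESTABLISHED: reply is punched through
            del self.conntrack[key]      # entry expired; fall back to static rules
        return super().inbound(pkt)


def ntp_client_exchange(fw, reply_delay):
    """Client sends a query at t=0; the server's reply arrives reply_delay
    seconds later.  Returns the INPUT verdict for the reply."""
    query = Packet(CLIENT, NTP_PORT, SERVER, NTP_PORT, 0.0)
    reply = Packet(SERVER, NTP_PORT, CLIENT, NTP_PORT, reply_delay)
    fw.outbound(query)
    return fw.inbound(reply)


def unsolicited_query(fw):
    """Server case: another host queries us first; no outgoing packet preceded it."""
    query = Packet("203.0.113.7", 49152, CLIENT, NTP_PORT, 5.0)
    return fw.inbound(query)


if __name__ == "__main__":
    print("ipchains-style, no rule:      ", ntp_client_exchange(StatelessFirewall(), 0.1))
    print("ipchains-style, 123->123 rule:", ntp_client_exchange(StatelessFirewall([(NTP_PORT, NTP_PORT, "ACCEPT")]), 0.1))
    print("conntrack, prompt reply:      ", ntp_client_exchange(StatefulFirewall(), 0.1))
    print("conntrack, reply after 31 s:  ", ntp_client_exchange(StatefulFirewall(), 31.0))
    print("conntrack, unsolicited query: ", unsolicited_query(StatefulFirewall()))
    print("conntrack + dport 123 opened: ", unsolicited_query(StatefulFirewall([(None, NTP_PORT, "ACCEPT")])))
```

The last two cases are the server situation the earlier reply had in mind:
connection tracking does nothing for a query that nobody on this machine
solicited, so serving time to other hosts still needs an explicit rule
accepting inbound UDP destination port 123, under either firewall style.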