Netgate Discussion Forum

    ICMP (port 7?) and NTP (port 123)?

      Velcro

      Is there any benefit or reason to allow my clients or networks to communicate on these ports? Should I allow rules for these?

      I have strict rules on my interfaces and VLANs (see attached), however I see other networking folks allowing access to these ports…should I? If so where would these rules go in my order?

      The biggest blocks on my firewall are with port 123 hitting Asia, seem to be with my Apple products (IOS and Apple TV)...

      Everything appears to be working fine...looking for security and privacy (I seem to have the functionality).

      Thanks for any insight or advice...

        johnpoz LAYER 8 Global Moderator

        ICMP doesn't have a port..  Not sure why your apple devices would be hitting ntp in asia.. They normally do a query for say time-ios.apple.com

        Are you in that part of the world?  What ntp are they doing a query for exactly?  They are not trying to go to a hard coded IP are they?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Velcro

          I have done some changes to my configuration but now they are hitting Chicago (I am in the US), however I was never using Asia with VPN. The IPs that I checked are:

          Apple TV
          17.253.24.125
          17.253.24.253
          17.253.2.125

          I have separate interfaces for my other Apple clients, but after doing a spot check of my other Apple devices, I am getting blocks to port 123 on:

          iPhone
          171.66.97.126 (Stanford University?)
          108.61.73.244 (choopadns/helium.constant.com)
          45.79.11.217 (hadb2.smartwebdesign.com / Linode.com)

          Is there a reason to allow any of this traffic on port 123?  If I need to give Apple devices this access how would I whitelist them? Destination 17.253.0.0/??

          Thanks for the clarification on ICMP, is the only value of ICMP for troubleshooting? Or if my devices need to talk to each other?

          Thank you again…

            johnpoz LAYER 8 Global Moderator

            It's possible a device might use icmp outbound to see if it's on the internet, but normally that is done with a dns query and then maybe hitting a page via http.

            For troubleshooting I would allow your vlan to always be able to ping your pfsense IP.. This is a simple way you can verify your wifi is working or network is up, that you can at least get to the gateway.

            Some of these odd ball devices do all kinds of crazy stuff to set time. Could be using pool.. I have some tp-link smart light bulbs that want to use the uk ntp pool.. Drives me freaking nuts ;)  Since I am not in the UK, nor did I buy a UK version of the light bulb ;)  I just set up a host override for that dns query to point to my local ntp server.

            So you could do it that way via what dns they query for ntp.  If they are hard coded it can sometimes be an issue trying to redirect local since they think they are talking to X and get an answer back from Y, etc.

            I personally do not see an issue with ntp being let out.. Depends on how tight your tinfoil hat is.  I personally would just allow udp 123 outbound to any.. But sure you could watch where they are trying to go and just open up those specific blocks.

            What the devices should freaking do is take their ntp server from what you hand out in dhcp.. That is what a nicely designed device would do.. Sure it could have a default one setup - but if dhcp hands it a ntp server, it should use that one.

            You're prob seeing all kinds of odd ball ntp IPs because it's using pool.ntp.org..  If they are doing a query for a pool ntp server then you can see what fqdn they are using and just put in a host override to point them to the IP(s) you want them to use for ntp.  When you use the pool those IPs are going to change all the time!!!  So it would be whack-a-mole trying to allow them, etc.  And sure they could be all over the globe.. But what you're supposed to do is set the ntp pool fqdn to query just ntp in your region, ie us.pool.ntp.org or de.pool.ntp.org if you were in Germany, etc..  Or you could use say europe.pool.ntp.org if you were in the EU and didn't care where exactly in the EU you got time from.

            You can find all the different regional fqdn right on the ntp pool page http://www.pool.ntp.org/en/  top right, click into the region you're in, then you can zoom into specific country, etc.

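As an added example (not code from the thread or from pfSense), the script below turns blocked UDP/123 log entries into the per-device list the posts above are working from by hand: which external time servers each client is reaching for, and which blocked destinations are already allowlisted, which points at a rule-order problem rather than a missing rule. The log lines are constructed and modelled on pfSense's filterlog CSV layout, the field indices are an assumption about that layout, and the allowlist prefix 198.51.100.0/24 is a placeholder rather than a real vendor range.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the CSV layout pfSense's filterlog writes (not
# copied from the thread): two VLAN clients blocked on UDP/123 to external hosts
# named in the thread plus one placeholder, one unrelated TCP block, one passed
# NTP query to the gateway.
SAMPLE_LOG = """\
Jan 10 13:08:51 fw filterlog: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,0,0,DF,17,udp,76,192.168.20.10,17.253.24.125,55223,123,56
Jan 10 13:08:52 fw filterlog: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,0,0,DF,17,udp,76,192.168.20.10,198.51.100.5,55224,123,56
Jan 10 13:09:03 fw filterlog: 5,,,1000000103,igb1.30,match,block,in,4,0x0,,64,0,0,DF,17,udp,76,192.168.30.7,171.66.97.126,50111,123,56
Jan 10 13:09:04 fw filterlog: 5,,,1000000103,igb1.30,match,block,in,4,0x0,,64,0,0,DF,17,udp,76,192.168.30.7,45.79.11.217,50112,123,56
Jan 10 13:09:10 fw filterlog: 7,,,1000000201,igb1.30,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.30.7,203.0.113.9,50200,443,0,S,1,,,
Jan 10 13:09:11 fw filterlog: 5,,,1000000103,igb1.20,match,pass,in,4,0x0,,64,0,0,DF,17,udp,76,192.168.20.10,192.168.20.1,55225,123,56
"""

# Placeholder allowlist: the gateway's own NTP service plus a documentation
# prefix standing in for a vendor time-server range (assumption, not real).
ALLOWED_NTP_NETS = ["192.168.20.1/32", "198.51.100.0/24"]


def parse_filterlog(line):
    """Return (action, proto, src, dst, dport) for an IPv4 filterlog line, else None.
    Assumed IPv4 field indices: action=6, ipver=8, proto=16, src=18, dst=19, dport=21."""
    if "filterlog: " not in line:
        return None
    f = line.split("filterlog: ", 1)[1].split(",")
    if len(f) < 22 or f[8] != "4":
        return None
    return f[6], f[16], f[18], f[19], int(f[21])


def ntp_block_report(log_text, allowed_nets):
    """Group blocked UDP/123 destinations per client. A destination in 'allowlisted'
    was blocked although policy permits it (allow rule sits below the block);
    'other' destinations need an explicit allow or a DNS host override."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    report = defaultdict(lambda: {"allowlisted": set(), "other": set()})
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        action, proto, src, dst, dport = rec
        if action != "block" or proto != "udp" or dport != 123:
            continue
        dst_ip = ipaddress.ip_address(dst)
        bucket = "allowlisted" if any(dst_ip in n for n in nets) else "other"
        report[src][bucket].add(dst)
    return dict(report)
```

Feed it the real filterlog output and the 'other' set per client is the list to either open explicitly or redirect by host override to a local NTP server, as suggested in the reply above.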
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.