Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Is limiting LAN access to NTP Pool even possible?

    Scheduled Pinned Locked Moved Firewalling
    12 Posts 7 Posters 5.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      Javik
      last edited by

      Is there a practical way to restrict LAN devices to only access time servers on the WAN that are in the Network Time Protocol server pool?  (pool.ntp.org)

      I recognize that pool.ntp.org hands out random addresses from a list of hundreds of servers, and the list keeps changing, so trying to make a LAN to WAN firewall exception list that spans all of them, and stays up to date, is either impossible or very high maintenance.

      But, if I merely enable    "Any LAN port/address to  port 123 / any-address"

      … I might as well just turn off the organizational firewall that tries to force everyone to access the web through a proxy filter.

      With such a permissive rule in place, anyone could set up a port 123 remote desktop or proxy bypass, or Tor onion router, or whatever...

      I suppose one way to handle this is to only enable unrestricted NTP pool access for pfSense itself, and then only permit the LAN devices to get NTP sync updates from pfSense.

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Might as well turn off your firewall?  Little bit of an exaggeration ;)

        Just so you know - you prob have users bouncing off your proxy to their home openvpn server to bypass your restrictions ;)

        But yeah I would say that providing your own time service would be a good idea!  What kind of org is it that would not have their own times services.  If your running AD its pretty much a requirement that your DCs are going to provide time sync to members.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • J
          Javik
          last edited by

          Public schools are required to filter, for CIPA compliance, to get e-Rate federal funding, acting in loco parentis.

          I really don't have much control over this requirement, but I have try to comply as much as possible.

          I can really only leave it to the filtering provider to deal with people VPN'ing through them.

          But yes, I see what you mean. So really, just need to allow open NTP access from the domain controllers and servers.

          1 Reply Last reply Reply Quote 0
          • J
            Javik
            last edited by

            Something is trying really hard to get the time from Apple.

            NetRange 17.0.0.0 - 17.255.255.255
            CIDR 17.0.0.0/8
            Name APPLE-WWNET
            Organization Apple Inc. (APPLEC-1-Z)

            block
            Mar 23 06:13:03 LAN 10.0.8.69:65498 17.171.4.15:123 UDP
            block
            Mar 23 06:13:08 LAN 10.0.8.69:65498 17.171.4.33:123 UDP
            block
            Mar 23 06:13:13 LAN 10.0.8.69:65498 17.171.4.34:123 UDP
            block
            Mar 23 06:13:18 LAN 10.0.8.69:65498 17.171.4.35:123 UDP
            block
            Mar 23 06:13:23 LAN 10.0.8.69:65498 17.171.4.36:123 UDP
            block
            Mar 23 06:13:28 LAN 10.0.8.69:65498 17.171.4.37:123 UDP
            block
            Mar 23 06:13:33 LAN 10.0.8.69:65498 17.151.16.12:123 UDP
            block
            Mar 23 06:13:38 LAN 10.0.8.69:65498 17.151.16.14:123 UDP
            block
            Mar 23 06:13:43 LAN 10.0.8.69:65498 17.151.16.20:123 UDP
            block
            Mar 23 06:13:48 LAN 10.0.8.69:65498 17.151.16.21:123 UDP
            block
            Mar 23 06:13:53 LAN 10.0.8.69:65498 17.151.16.22:123 UDP
            block
            Mar 23 06:13:58 LAN 10.0.8.69:65498 17.151.16.23:123 UDP
            block
            Mar 23 06:14:03 LAN 10.0.8.69:65498 17.151.16.38:123 UDP
            block
            Mar 23 06:14:08 LAN 10.0.8.69:65498 17.171.4.13:123 UDP
            block
            Mar 23 06:14:13 LAN 10.0.8.69:65498 17.171.4.14:123 UDP
            block
            Mar 23 06:14:18 LAN 10.0.8.69:65498 17.171.4.33:123 UDP
            block
            Mar 23 06:14:23 LAN 10.0.8.69:65498 17.171.4.34:123 UDP
            block
            Mar 23 06:14:28 LAN 10.0.8.69:65498 17.171.4.35:123 UDP
            block
            Mar 23 06:14:33 LAN 10.0.8.69:65498 17.171.4.36:123 UDP
            block
            Mar 23 06:14:38 LAN 10.0.8.69:65498 17.171.4.37:123 UDP
            block
            Mar 23 06:14:43 LAN 10.0.8.69:65498 17.151.16.12:123 UDP
            block
            Mar 23 06:14:48 LAN 10.0.8.69:65498 17.151.16.14:123 UDP
            block
            Mar 23 06:14:53 LAN 10.0.8.69:65498 17.151.16.20:123 UDP
            block
            Mar 23 06:14:58 LAN 10.0.8.69:65498 17.151.16.21:123 UDP
            block
            Mar 23 06:15:03 LAN 10.0.8.69:65498 17.151.16.22:123 UDP
            block
            Mar 23 06:15:08 LAN 10.0.8.69:65498 17.151.16.23:123 UDP
            block
            Mar 23 06:15:13 LAN 10.0.8.69:65498 17.151.16.38:123 UDP
            block
            Mar 23 06:15:18 LAN 10.0.8.69:65498 17.171.4.13:123 UDP
            block
            Mar 23 06:15:23 LAN 10.0.8.69:65498 17.171.4.14:123 UDP
            block
            Mar 23 06:15:28 LAN 10.0.8.69:65498 17.171.4.15:123 UDP

            STOPPIT. THWAP!

            .

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              yeah
              ;; ANSWER SECTION:
              15.4.171.17.in-addr.arpa. 1832  IN      PTR    time.apple.com.
              15.4.171.17.in-addr.arpa. 1832  IN      PTR    time3-st1.apple.com.

              I would look to see what box that is, and correct it to use your local ntp.  If your org is running AD - there is a whole process for setting authoritative time source in your AD structure - only that source would need to get out to other time sources.  And does not have to be pool, I would check into what they are are using and only allow that.  I would think if org big enough they have an their network a stratum 1 time source to use vs over the internet.  But over the internet lock it down to the few different servers they are setup for.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                The more evil answer is to make time.apple.com resolve to your local NTP server via DNS overrides… :-)

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • T
                  tim.mcmanus
                  last edited by

                  Lots of Apple devices go out to time.apple.com, especially the WAPs and their servers by default.  You can change this in the device / server settings.

                  As others have pointed out, you can set up your own internal NTP server and create a firewall rule that only allows that time server access through port 123 to sync itself with the rest of the planet.

                  I love the DNS resolution idea.  I do the same thing.  It's easier than editing a host file.  You could route pool.ntp.org to  your internal time server so you don't have to go around and edit every device.  So your time server will essentially function as a time proxy server or a time relay server.

                  1 Reply Last reply Reply Quote 0
                  • D
                    dhatz
                    last edited by

                    @tim.mcmanus:

                    You could route pool.ntp.org to  your internal time server so you don't have to go around and edit every device.  So your time server will essentially function as a time proxy server or a time relay server.

                    Actually this would be my first choice (i.e. redirecting all 123/UDP traffic to 127.0.0.1), however I haven't tested it extensively to see if it might create issues …

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      Well you can not set dns to point to 127.0.0.1 –- because the client would then ask itself.  Just point it to the lan IP of your ntp (pfsense) server.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • Cry HavokC
                        Cry Havok
                        last edited by

                        You may also be able to use NAT on the LAN interface to redirect all outbound traffic to 123/UDP to your pfSense's LAN interface, with it running an NTP server - much like it's done for a transparent web proxy.

                        That saves messing with DNS ;)

                        1 Reply Last reply Reply Quote 0
                        • D
                          dhatz
                          last edited by

                          @johnpoz:

                          Well you can not set dns to point to 127.0.0.1 –- because the client would then ask itself.  Just point it to the lan IP of your ntp (pfsense) server.

                          I meant what Cry Havok described … I've done this for DNS traffic in the past.

                          1 Reply Last reply Reply Quote 0
                          • B
                            Bebe
                            last edited by

                            @dhatz:

                            Actually this would be my first choice (i.e. redirecting all 123/UDP traffic to 127.0.0.1), however I haven't tested it extensively to see if it might create issues …

                            works pretty good… i found an article at http://www.interspective.net/2012/07/pfsense-ntp-and-network-sneakery.html#more, i've done just like that… i'm using a single server, clock.nyc.he.net

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.