PfSense as a stratum 1 time server



  • I've seen a few threads about hooking a GPS up to the pfSense box and running it as a NTP time server. While one would obviously want the firewall running ntpd to ensure that the logs have the correct time, how many people actually are using the pfSense box as a stratum 1 time server?

    I can see the appeal from a home user perspective of running as much as possible on as few boxes as possible. How secure is running ntpd as a server (to serve time and not just receive it) on the firewall, both with WAN/LAN access and just LAN access?

    I'm debating if I want to make a cutout in the back (or maybe side or front) of my XTM5 for the 2nd serial port and connect a GPS to it, or to install a GPS on one (or both) of my repurposed Barracuda SPAM filters. (One was a web server but is currently down and the other is running squid, though the only thing it is currently caching is SecondLife.)

    I welcome any suggestions/recommendations.

    Also, this is for at my home.


  • Netgate Administrator

    Personally I would not want to have it listen on WAN. Had you been doing so a while back you may well have found yourself part of an NTP amplification attack. http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack.
    Robi can probably answer this much better than almost anyone since he is using pfSense as the base for an NTP appliance as I understand it.

    Steve

    Edit: typo



  • @stephenw10:

    Personally I would not want to have listen on WAN. Had you been doing so a while back you may well have found yourself part of an NTP amplification attack. http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack.
    Robi can probably answer this much better than almost anyone since he is using pfSense as the base for an NTP appliance as I understand it.

    Steve

    While I probably won't enable the listen on the WAN at home, I may do so at work. And if no one enables the listen on the WAN…



  • FreeBSD makes a great stratum 1 ntp server (linux, OTOH, has always played catchup IMHO).  If you have a GPS, and a real serial port on your pfSense box, no reason not to set up ntpd, especially with the new ntpd features coming in 2.2.

    Although I turned off my outside facing ntp service when the amplification attack made the news, it can be enabled safely.

    Of course you can use ntpd & gps on any server in your network (like one of the other servers you mentioned) to keep accurate time on pfSense, .  If you are comfortable reading docs and editing files, it probably doesn't matter where you run ntpd and plug in your gps.  If you prefer a gui interface, take a look at pfSense 2.2, or apply the patches for 2.1 that you have no doubt found in the threads you mentioned.

    If you have trouble, post back!


  • Netgate Administrator

    Just to present a counter-point here. I personally have no worries running NTP at home and I doubt that the traffic to and from it would be significant if I exposed it to the WAN. Given that I'm on a dynamic IP though I doubt many people would choose me as a stratum 1 server.  ;) Conversely I would be less likely to do it on a work box just because the consequences of some yet undiscovered NTPd exploit would be so much worse. If my home firewall goes down for whatever reason I get grief but I'm unlikely to find the locks have changed when I get back. If a firewall I'm managing for a business goes down (or worse gets owned) because I opened NTPd to WAN as a public service that's a different matter. You could see this as simply increasing the attack surface of a the firewall which is never a good thing. If you want to run a public NTP server the firewall should not be your first choice.  ;)

    Steve



  • @stephenw10:

    Conversely I would be less likely to do it on a work box just because the consequences of some yet undiscovered NTPd exploit would be so much worse. If my home firewall goes down for whatever reason I get grief but I'm unlikely to find the locks have changed when I get back. If a firewall I'm managing for a business goes down (or worse gets owned) because I opened NTPd to WAN as a public service that's a different matter. You could see this as simply increasing the attack surface of a the firewall which is never a good thing. If you want to run a public NTP server the firewall should not be your first choice.  ;)

    Or there's always the possibility some company could make a consumer router and hard code your IP address in the firmware and set a ridiculous refresh rate when it can't reach the server and end up having you be flooded by tons of NTP traffic, bringing your network to a grinding halt. (This actually happened to the University of Wisconsin, courtesy of Netgear: http://pages.cs.wisc.edu/~plonka/netgear-sntp/)

    But as mentioned, at work, I would not be running this on the firewall. (We run an ASA at work, though I've mentioned switching to pfSense when the discussion of replacing it has come up. Though I believe the last word on it was simply increasing the memory on it instead, though I don't believe that has happened yet.) My FreeRADIUS (on FreeBSD) server would be the most likely candidate for being a stratum 1 server (currently I believe it's a stratum 3) unless I special built a machine specifically for NTP.


Log in to reply