2008/05/16

Help! My ISP blocked privilleged ports, I can't sync to ntp time servers...

I've been having problems syncing my local linux server time to a public internet server in ntp.org.

After doing tcpdump on my internet connected interface on my firewall, I found out that my isp, fast.net.id, blocked any reply to privilleged ports, 1-1024. Since ntpd uses udp port 123 as source and destination port, replies from ntp.org public servers got cut off from my isp's router.

What's interesting is ntpd on Mac OS X uses unprivilleged ports. Another utility in linux, ntpdate has an optional argument, -u, which make the request source port uses unprivilleged port. It puzzles me why ntpd doesn't have that option as well. Nevertheless, I have this problem in my hand.

I kinda figured out a workaround (short of calling my isp and ask them not to block udp port 123). I have to put a little disclaimer here, this workaround that is by no means recommended (from what I can gather) so use it at your own risk.

What I did was setup a cron job to run ntpdate every 15 minutes to sync system time with ntp.org public servers using unprivilleged port.

15 * * * * /usr/sbin/ntpdate -s -u -B pool.ntp.org

-s option tells ntpdate to print output to syslog; -u tells it to use unprivilleged port; -B tell it to adjust the time incrementally as oppose to instantly.

Then I setup ntpd as a local ntp server for internal use. This ntpd uses it's localtime as the source instead of syncing from another ntp.org public server.

1 comment:

a.wirayudha said...

I had the same problem, ntpdate -u solve it for me! Now I just have to figure out how to make this work for Vista. Thanks.