Tunnelling NTP Through a Firewall?
Franklin_DeMatto asks: "My ISP keeps my server behind a tight firewall, only allowing outgoing HTTP(S) and SMTP. I would like to sync the system's clock using NTP. Does anyone know of any public time servers that can do some type of NTP over HTTP, to get through the firewall? What about the software (preferably open source) to do it? (No, the ISP will not change the firewall rules.)"
I forget where I learned this tip, but it's useful and doesn't seem widely known: many routers provide NTP service. So you can do a traceroute from your server out to anywhere (say google.com) and get a list of upstream routers. Don't forget to try the "-I" option (or whatever the equiv is in your version of traceroute) to use ICMP instead of the default UDP datagrams if your firewall is blocking those.
If/once you have a list of routers, try time syncing against them. It's worth a shot.
-h3
Read Why TCP Over TCP Is A Bad Idea by Olaf Titz:
Very interesting read.
root@aio:~# nmap -sX -iR -p1- # Ho, ho, ho! Merry Xmas, everyone!
Firewalling outgoing traffic can be useful in case some of the hosts on your network were compromised (e.g. by an email worm, which can get through even when all incoming connections are blocked) and you want to lessen the harm which can be done using this host. For example, the Honeynet Project uses a limit of 5 outgoing connections from every compromised host, because they don't want their hosts attacking the outside world. Of course, in the case of Honeynet it is easy, because every outgoing connection is made by a successful intruder; however, my point is that outgoing traffic can do some harm and this may be a reason people block some of it.
Here I absolutely agree.
~Christopher Doopov
You can plug a GPS handset into the serial port and get the time off that.
All things in moderation; including moderation
So, assuming for some reason you can't just find an ISP that doesn't suck, why not just write a script that will pull / parse the time from some website and set up a cron job to run it?
Gabriel Ricard
As an ISP Asst Admin, I would have to agree with the others. There is no legitimate reason they should block the NTP port from you. I understand why they are so strict though; it's probably to help keep the P2P down from within their network. Move to another ISP, or you can do this. Get a buddy with a *nix machine on the outside to set up an SSH server on port 80, then run the ssh client to connect to the server on port 80 or 25 or 110. Then have your NTP loopback to itself and SSH will forward it to the other machine, and have him run NTPserv, then you can do it... but it would just be easier to move to a different ISP.
You could also purchase a GPS clock like one on this list.
The last option is to find another ISP who will offer time services, or one that will let you find them where you want.
#!/bin/bash
# Get UTC (GMT) time from NIST by scraping the time.gov page
# (-q suppresses wget's progress output so only the HTML reaches sed)
wget -q -O- 'http://www.time.gov/timezone.cgi?UTC' |
sed -n -e 's/.*size="[75]".*>\(.*\)<br>$/\1/p'
Before I part with'em: two pennies weigh ~4.996+/-0.014g, have a zinc core, and the face of Lincoln. You can keep 'em.
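The "pull the time from some website" idea above, and the scraping script before it, generalised into a small added example that is not from any poster in this thread: instead of scraping page markup, it reads the Date: header any HTTP server sends (1-second precision), and refuses to step the clock by more than a bounded amount, since HTTP time is unauthenticated and a proxy or on-path attacker could otherwise move the clock arbitrarily. Assumes GNU date and curl; the function names, HOST and example.com are placeholders of my own.

```shell
#!/bin/sh
# Added example, not from the thread: HTTP Date: header as a time source
# for a host that can only reach the outside world over HTTP(S).

# Extract the Date: header from raw HTTP response headers (RFC 1123 form)
# and print it as seconds since the epoch. Returns 1 if there is none.
http_date_to_epoch() {
    hdrs="$1"
    d=$(printf '%s\n' "$hdrs" | tr -d '\r' | sed -n 's/^[Dd]ate: *//p' | head -n 1)
    [ -n "$d" ] || return 1
    date -u -d "$d" +%s 2>/dev/null
}

# Refuse to step the clock by more than MAX seconds (default one hour):
# the Date: header is unauthenticated, so a bad proxy or an on-path
# attacker must not be able to push the clock anywhere it likes.
within_step_limit() {
    remote="$1"; local_now="$2"; max="${3:-3600}"
    diff=$((remote - local_now))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    [ "$diff" -le "$max" ]
}

# Constructed sample of what `curl -sI http://example.com/` might return.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Sat, 07 Dec 2002 14:30:05 GMT
Server: Apache'

# Only touches the real clock when run as root with --sync.
if [ "${1:-}" = "--sync" ]; then
    hdrs=$(curl -sI "http://${HOST:-example.com}/")   # HEAD request only
    remote=$(http_date_to_epoch "$hdrs") || { echo "no Date header" >&2; exit 1; }
    now=$(date -u +%s)
    within_step_limit "$remote" "$now" 3600 || { echo "offset too large, refusing to step" >&2; exit 2; }
    date -u -s "@$remote"
fi
```

Run it from cron with --sync for a coarse sync; for a server whose certificates or logs depend on accurate time, compare two independent hosts before trusting the result.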
Obviously he is co-locating his equipment in the ISP's RDC. Usually, the ISP has different tiers of access for co-located equipment. If you're co-locating and paying for a web server, they'll more than likely ensure that you can't run IRC, ftp, nfs, or any other types of service, when all you're paying for is http/https.
Now, there are a few solutions to this problem:
1. Tunnel ntp through ssh (not recommended on a regular basis)
2. Use the routers as NTP servers (please ask the ISP in question before using their routers as NTP servers)
3. Check or ask the ISP to broadcast NTP updates on the subnet in question. That's relatively easy to do, and would be a recommended solution. I believe it does require multicast turned on though, but don't quote me on that! You'd then set up your ntp client to accept broadcast updates, and voilà, your clients have pretty darn accurate time, without the ISP having to open up firewalls, or use their routers as NTP servers.
Hope this helps,
Ricardo
Meep Meep!
but web browsing on a 56k modem is *fine*.
Downloading 10 MB of binaries from Mozilla.org, Windows Update, or apt-get upgrade is not fun on 56K in geographical areas where local calls to your ISP are toll calls at 10c/min.
You *do* need to have multiple windows loading while you're browsing instead of click-wait-load but I do that anyway...
You're right about tab browsing.
Will I retire or break 10K?