Slashdot Mirror


Tunnelling NTP Through a Firewall?

Franklin_DeMatto asks: "My ISP keeps my server behind a tight firewall, only allowing outgoing HTTP(S) and SMTP. I would like to sync the system's clock using NTP. Does anyone know of any public time servers that can do some type of NTP over HTTP, to get through the firewall? What about the software (preferably open source) to do it? (No, the ISP will not change the firewall rules.)"

4 of 76 comments

  1. Try the routers... by h3 · Score: 5, Informative

    I forget where I learned this tip, but it's useful and doesn't seem widely known: many routers provide NTP service. So you can do a traceroute from your server out to anywhere (say google.com) and get a list of upstream routers. Don't forget to try the "-I" option (or whatever the equiv is in your version of traceroute) to use ICMP instead of the default UDP datagrams if your firewall is blocking those.

    If/once you have a list of routers, try time syncing against them. It's worth a shot.

    -h3

  2. TCP Over TCP Is A Bad Idea (Re:SSH?) by alfaiomega · Score: 5, Informative

    If you have a shell account, they probably allow ssh through the firewall and so you can tunnel the NTP ports over SSH.

    Read Why TCP Over TCP Is A Bad Idea by Olaf Titz:

    A frequently occurring idea for IP tunneling applications is to run a protocol like PPP, which encapsulates IP packets in a format suited for a stream transport (like a modem line), over a TCP-based connection. This would be an easy solution for encrypting tunnels by running PPP over SSH, for which several recommendations already exist (one in the Linux HOWTO base, one on my own website, and surely several others). It would also be an easy way to compress arbitrary IP traffic, while datagram based compression has hard to overcome efficiency limits.

    Unfortunately, it doesn't work well. Long delays and frequent connection aborts are to be expected. Here is why.

    Very interesting read.

    --

    root@aio:~# nmap -sX -iR -p1- # Ho, ho, ho! Merry Xmas, everyone!

  3. Re:This is not a solution by Christopher+Doopov · Score: 4, Informative

    Even paranoids I know allow any and all traffic out of any given subnet, but they heavily firewall incoming traffic.

    Firewalling outgoing traffic can be useful in case some of the hosts on your network are compromised (e.g. by an email worm, which can get through even when all incoming connections are blocked) and you want to lessen the harm that can be done using that host. For example, the HoneyNet Project uses a limit of 5 outgoing connections from every compromised host, because they don't want their hosts attacking the outside world. Of course, in the case of HoneyNet it is easy, because every outgoing connection is made by a successful intruder; however, my point is that outgoing traffic can do some harm and this may be a reason people block some of it.

    Anyway, change your ISP or get a job there so you can fix it. In any event, complain your ass off.

    Here I absolutely agree.

    --

    ~Christopher Doopov

  4. Use theirs, get your own, or go elsewhere. by ripler · Score: 4, Informative
    Usually, an ISP will run NTP on their routers. Check the gateway they provide, and see if it runs NTP. As an alternative, they may run something like timed on one of their servers.

    You could also purchase a GPS clock like one on this list.

    The last option is to find another ISP who will offer time services, or one that will let you find them where you want.
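Comments 1 and 4 both suggest the same procedure: list the upstream routers (traceroute) or the ISP gateway, then try an NTP query against each one. The script below is an added example of that procedure and is not code from the original thread or from any of the posters. It is a minimal SNTP client (RFC 4330-style 48-byte mode 3 request, mode 4 reply) rather than a wrapper around ntpdate, so that the packet format and the reply sanity checks are visible; the traceroute output and the hop addresses are constructed (documentation/private ranges), and `make_fake_reply` is a test fixture, not a capture from any real server.

```python
import re
import socket
import struct
import time

# Constructed traceroute output for offline use (not from the original post).
SAMPLE_TRACEROUTE = """\
traceroute to google.com (198.51.100.10), 30 hops max, 60 byte packets
 1  gateway (192.0.2.1)  0.412 ms  0.398 ms  0.381 ms
 2  core1.example.net (192.0.2.254)  1.803 ms  1.790 ms  1.776 ms
 3  * * *
 4  border.example.net (203.0.113.7)  9.101 ms  9.080 ms  9.060 ms
"""

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
NTP_PORT = 123


def parse_traceroute(text):
    """Return hop IPv4 addresses in order; skips the header line and '* * *' hops.
    Accepts both 'name (1.2.3.4)' and the bare '-n' form '1.2.3.4'."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(?:\S+\s+\()?(\d+\.\d+\.\d+\.\d+)\)?", line)
        if m:
            hops.append(m.group(1))
    return hops


def build_ntp_request(now=None):
    """48-byte SNTP client request: LI=0, VN=4, mode=3 (first byte 0x23), with the
    client send time in the Transmit Timestamp field so the reply can be matched."""
    if now is None:
        now = time.time()
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now - int(now)) * (1 << 32))
    # header bytes, then 9 zeroed 32-bit words (root delay/dispersion, refid,
    # reference/originate/receive timestamps), then the transmit timestamp
    return struct.pack("!BBbb11I", 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, secs, frac)


def parse_ntp_response(data):
    """Parse a mode-4 server reply. Returns stratum, reference id and the server's
    transmit time as Unix seconds; raises ValueError for replies a client must not
    use (wrong mode, stratum 0 kiss-o'-death, stratum 16 / LI=3 unsynchronised)."""
    if len(data) < 48:
        raise ValueError("short packet (%d bytes)" % len(data))
    li = data[0] >> 6
    mode = data[0] & 0x07
    stratum = data[1]
    refid = data[12:16]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:
        raise ValueError("kiss-o'-death / unspecified, code %r" % refid)
    if stratum == 16 or li == 3:
        raise ValueError("server is unsynchronised")
    xmt_secs, xmt_frac = struct.unpack("!II", data[40:48])
    return {"stratum": stratum, "refid": refid,
            "time": xmt_secs - NTP_EPOCH_OFFSET + xmt_frac / 2 ** 32}


def is_usable(data):
    """True if parse_ntp_response() accepts the reply."""
    try:
        parse_ntp_response(data)
        return True
    except ValueError:
        return False


def make_fake_reply(stratum, unix_time, refid=b"LOCL", li=0):
    """Constructed mode-4 reply for offline testing (a fixture, not a real capture)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    head = bytes([(li << 6) | (4 << 3) | 4, stratum, 0, 0])
    return (head + b"\x00" * 8 + refid[:4].ljust(4, b"\x00")
            + b"\x00" * 24 + struct.pack("!II", secs, frac))


def probe(host, timeout=2.0):
    """Send one SNTP request to host:123; return the parsed reply plus a rough
    clock offset (server time minus local send/receive midpoint), or None."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        t0 = time.time()
        s.sendto(build_ntp_request(t0), (host, NTP_PORT))
        data, _ = s.recvfrom(512)
        t1 = time.time()
        reply = parse_ntp_response(data)
        reply["offset"] = reply["time"] - (t0 + t1) / 2
        return reply
    except (OSError, ValueError):
        return None
    finally:
        s.close()


def find_time_sources(traceroute_text, probe_fn=probe):
    """Probe every hop in the traceroute output; return [(host, reply)] that answered."""
    return [(h, r) for h in parse_traceroute(traceroute_text)
            for r in [probe_fn(h)] if r is not None]


if __name__ == "__main__":
    import subprocess
    import sys
    # '-I' (ICMP probes, as comment 1 suggests) normally needs root on Linux.
    target = sys.argv[1] if len(sys.argv) > 1 else "google.com"
    out = subprocess.run(["traceroute", "-I", target], capture_output=True, text=True).stdout
    for host, reply in find_time_sources(out):
        print("%-16s stratum %2d refid %r offset %+.3fs"
              % (host, reply["stratum"], reply["refid"], reply["offset"]))
```

Run it as `python3 ntpprobe.py some.host` (hypothetical file name). Hops that answer with a usable reply are candidates; a reply with stratum 0 carries a kiss-o'-death code in the reference id (for example `RATE`) and means the server is refusing service, so the script discards it rather than treating it as a time source.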