Slashdot Mirror


Tunnelling NTP Through a Firewall?

Franklin_DeMatto asks: "My ISP keeps my server behind a tight firewall, only allowing outgoing HTTP(S) and SMTP. I would like to sync the system's clock using NTP. Does anyone know of any public time servers that can do some type of NTP over HTTP, to get through the firewall? What about the software (preferably open source) to do it? (No, the ISP will not change the firewall rules.)"

5 of 76 comments

  1. Another ISP by DiSKiLLeR · · Score: 3, Insightful

    How about finding another ISP (and telling them WHY you are changing to someone else too).

    D.

    --
    You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
  2. SSH? by rjw57 · · Score: 3, Insightful

    Do you have a shell account on the box? I assume so otherwise you wouldn't be able to install NTP even without a firewall. If you have a shell account, they probably allow ssh through the firewall and so you can tunnel the NTP ports over SSH. This assumes you have another machine outside the firewall that has access to NTP and an 'always-on' connection.

    --
    Rich
  3. This is not a solution by Christopher+Doopov · · Score: 5, Insightful

    My ISP keeps my server behind a tight firewall, only allowing outgoing HTTP(S) and SMTP. I would like to sync the system's clock using NTP. Does anyone know of any public time servers that can do some type of NTP over HTTP, to get through the firewall?

    I am sorry, but the only reasonable advice I can give you is to change your ISP if they do not open more ports. You have only outgoing HTTP and SMTP? What about SSH? What about FTP? What about Telnet? What about IRC? Are you also going to tunnel them through HTTP? HTTP is a stateless and sessionless protocol. It is an extremely bad idea to tunnel anything which uses long and interactive two-way TCP traffic (like IRC, SSH, FTP, Telnet, ...) using HTTP. Not only is it technically a bad idea, you also compromise the firewall security if you use covert channels to hide all the forbidden traffic. The firewall rules that disallow traffic from insecure (in the opinion of the firewall management team) protocols are ruined when their users want to consciously compromise the security. We all know that using SSH or NTP is not insecure in itself, but when everyone tunnels everything, bastardizing the HTTP protocol, no one will ever notice when some day there is Back Orifice traffic hidden there between NTP, SSH, Telnet, FTP, IRC, et cetera. So my advice is: talk to your ISP. Tell them why you need NTP for security reasons (to have your logs useful). Tell them what you want them to change. It is you who are paying them, for the love of God, not the other way around. Nothing will ever change unless people start saying what they want to be changed.

    --

    ~Christopher Doopov

  4. Re:What if he can't by druzicka · · Score: 2, Insightful

    Fortunately, the poster isn't limited to ISPs in his local area. The Internet is globally accessible, so he should be able to find another host that meets his needs somewhere. For example, I live in the Midwest, and my host is located on the West Coast.

    Besides, the issue really is that this guy pays money for an ISP to host his webserver... NTP is a completely legitimate service to run, but the "service" provider won't open the necessary firewall rules in order to permit the traffic. It should be up to them to comply with his requests, not find arbitrary ways to limit how he can use the service.

    --
    If Happy Fun Ball begins to smoke, get away immediately. Seek shelter and cover head.
  5. What about the ISP's servers? by Phoukka · · Score: 3, Insightful

    That is, what about their own internal servers? What about the rest of the servers they host? Do they not have ANY of them that are syncing up to an NTP source somewhere?

    Try asking the ISP if they have an internal NTP server you could sync against, one that itself is properly synced to a reliable source. If you don't want to/can't switch ISPs, this alternative may be (somewhat) practical -- it depends on how much you trust your ISP to have their NTP server set up properly...
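Added example, not from the thread or any of its posters: whichever time source the server ends up using (the ISP's internal NTP server suggested above, or a tunnelled one), the client should check the reply before it touches the clock, since bad time makes the logs comment 3 mentions useless. This Python decodes an NTP v4 reply, refuses unsynchronized or kiss-o'-death responses and implausibly large jumps, and computes the offset from the four timestamps; the reply bytes and timestamps are constructed for the example.

```python
import struct

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
PANIC_THRESHOLD = 1000.0          # refuse to step the clock by more than this many seconds

def ntp_to_unix(ts):
    """64-bit NTP timestamp (32.32 fixed point) -> Unix seconds as float."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2**32

def unix_to_ntp(t):
    """Unix seconds -> 64-bit NTP timestamp (used here only to build the sample reply)."""
    secs = int(t)
    return ((secs + NTP_EPOCH_OFFSET) << 32) | int(round((t - secs) * 2**32))

def parse_ntp_response(data):
    """Decode the 48-byte NTP header (RFC 5905 layout) into a dict."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack("!BBbbiI4sQQQQ", data[:48])
    return {
        "leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7,
        "stratum": stratum, "ref_id": ref_id,
        "t1": ntp_to_unix(orig_ts), "t2": ntp_to_unix(recv_ts), "t3": ntp_to_unix(xmit_ts),
    }

def sanity_check(pkt):
    """Return the reasons not to trust this reply (an empty list means it is usable)."""
    problems = []
    if pkt["mode"] != 4:
        problems.append("mode %d is not a server reply" % pkt["mode"])
    if pkt["leap"] == 3:
        problems.append("server reports its own clock as unsynchronized (LI=3)")
    if pkt["stratum"] == 0:
        problems.append("kiss-o'-death / unspecified reply, code %r" % pkt["ref_id"])
    elif pkt["stratum"] > 15:
        problems.append("stratum %d is unsynchronized" % pkt["stratum"])
    return problems

def clock_offset(pkt, t4):
    """Standard four-timestamp NTP arithmetic: (offset, round-trip delay) in seconds."""
    t1, t2, t3 = pkt["t1"], pkt["t2"], pkt["t3"]
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def usable_offset(data, t4):
    """Offset to apply, or None if the reply fails the checks or implies a wild clock jump."""
    pkt = parse_ntp_response(data)
    if sanity_check(pkt):
        return None
    offset, _delay = clock_offset(pkt, t4)
    return offset if abs(offset) <= PANIC_THRESHOLD else None

# Constructed sample: server 0.100 s ahead of us, 0.050 s each way, 0.002 s server turnaround.
T1 = 1_000_000_000.0
GOOD_REPLY = struct.pack("!BBbbiI4sQQQQ", 0x24, 2, 6, -20, 0x100, 0x200, b"\x0a\x00\x00\x01",
                         unix_to_ntp(T1 - 64), unix_to_ntp(T1), unix_to_ntp(T1 + 0.150), unix_to_ntp(T1 + 0.152))
T4 = T1 + 0.102  # our receive time (client clock)
BAD_REPLY = bytes([0xE4, 0]) + GOOD_REPLY[2:12] + b"INIT" + GOOD_REPLY[16:]  # LI=3, stratum 0, kiss code
```

`usable_offset(GOOD_REPLY, T4)` yields the 0.100 s correction, while `BAD_REPLY` is rejected outright rather than stepping the clock on an unsynchronized source.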