Slashdot Mirror


Tunnelling NTP Through a Firewall?

Franklin_DeMatto asks: "My ISP keeps my server behind a tight firewall, only allowing outgoing HTTP(S) and SMTP. I would like to sync the system's clock using NTP. Does anyone know of any public time servers that can do some type of NTP over HTTP, to get through the firewall? What about the software (preferably open source) to do it? (No, the ISP will not change the firewall rules.)"

6 of 76 comments

  1. Tardis does it. by noselasd · · Score: 4, Interesting

    Someone told me some time ago that Tardis can do NTP-over-HTTP.

  2. Clockspeed? by Pathwalker · · Score: 4, Interesting

    If I were stuck behind a firewall that blocked NTP, I would look into using clockspeed to keep the time accurate without constantly resetting to an external source.

    You would have to get clockspeed 3 or 4 deltas from another clock over the first few months you use it, but you might be able to borrow a laptop, sync it with a good clock, and use it as a local NTP server to obtain these few deltas to calibrate your system (with a very short time between when the laptop was synced and when clockspeed gets its delta from the laptop).

  3. CONNECT by battjt · · Score: 4, Interesting

    Depending on their proxy of course, but I've had very good luck escaping corporate firewalls with the HTTP CONNECT method.

    ( echo CONNECT 127.0.0.1:13 HTTP/1.0; echo ) | nc firewall 8000

    will print out the time on firewall. Using a similar method and maybe a couple fifos, you should be able to put anything through that firewall.

    This is the method that I use to layer VNC over SSH over SSL/HTTP through the firewall back to my home office from all my client locations.

    Joe

    --
    Joe Batt Solid Design

  4. NTP over TCP by funky+womble · · Score: 4, Interesting

    None of those are UDP (which is what you really want in order to run NTP); otherwise I'd suggest just running your own ntpd on a non-standard port somewhere. Maybe the ISP can be persuaded to operate their own timeserver behind the firewall (which they may be persuaded to do, since it's much better for security/audit purposes if all machines have accurate clocks), or allow access to one specific host.

    GPS has already been mentioned, though possibly it would be difficult to get a reliable signal in some server rooms without an external antenna. Other radio-based options are available, for example MSF in the UK, DCF in much of W. Europe, or WWVB in N. America, all of which are a bit more likely to penetrate a server room than GPS.

    Failing that, you could periodically connect to a webpage you trust to have fairly reliable time (obviously this is a much less accurate method; you probably wouldn't want to use this if you need accuracy better than a couple of seconds). Or, assuming the firewall only looks at port numbers and doesn't inspect traffic, you could ssh out on e.g. the https port, and forward onto a normal time server.

  5. Pretty simple solution... by Alethes · · Score: 4, Interesting

    If you can run Perl scripts on the server, grab http://nist.time.gov/timezone.cgi?/d/0, where the 0 is the timezone offset (-5 for Eastern US time), then parse the time and date out of that. Once you have those values, use the date and clock functions to set your system time.

  6. Re:cron job & http by i_am_nitrogen · · Score: 2, Interesting

    I used to do this (I'm not the original poster), and the latency introduced by the HTTP connection, transfer, and final parsing made it more accurate to just ssh in and set the time manually. The latency was too inconsistent to simply adjust the time by a predefined or calculated amount. That's what NTP is designed to handle, anyway.
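
The HTTP-based approach from comments 4 to 6, with the latency problem made explicit. This is an added example, not code from any poster in the thread: it estimates clock offset from an HTTP `Date` header using the request midpoint and reports the error bound that the round trip and the header's one-second resolution impose. The function names and the sample timestamps are constructed for illustration.

```python
from email.utils import parsedate_to_datetime

def offset_from_sample(t0, t1, date_header):
    """Return (offset, rtt, bound) in seconds for one HTTP exchange.

    t0, t1: local clock (Unix seconds) just before sending the request
    and just after the response headers arrived.
    """
    server = parsedate_to_datetime(date_header).timestamp()
    rtt = t1 - t0
    # The Date header is truncated to whole seconds, so the server's true
    # time lies in [server, server + 1). Use the centre of that interval
    # against the midpoint of the local send/receive window.
    offset = (server + 0.5) - (t0 + t1) / 2
    # Worst case: all delay on one leg, plus half the 1 s resolution.
    bound = rtt / 2 + 0.5
    return offset, rtt, bound

def best_offset(samples):
    """Keep the sample with the smallest round trip (tightest bound)."""
    return min((offset_from_sample(*s) for s in samples), key=lambda r: r[1])

def should_step(offset, bound):
    """Only adjust the clock when the offset exceeds the measurement error."""
    return abs(offset) > bound

# Constructed samples: (t0, t1, Date header). Local clock is a few seconds slow.
SAMPLES = [
    (1704110396.9, 1704110397.7, "Mon, 01 Jan 2024 12:00:00 GMT"),    # rtt 0.8 s
    (1704110401.95, 1704110402.05, "Mon, 01 Jan 2024 12:00:05 GMT"),  # rtt 0.1 s
    (1704110405.0, 1704110407.4, "Mon, 01 Jan 2024 12:00:09 GMT"),    # rtt 2.4 s
]

if __name__ == "__main__":
    off, rtt, bound = best_offset(SAMPLES)
    print(f"offset {off:+.2f} s, rtt {rtt:.2f} s, error bound +/-{bound:.2f} s")
    print("adjust clock" if should_step(off, bound) else "within noise, leave clock")
```

Even the best sample cannot do better than about half a second, which is why this method suits coarse correction only.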