Tunnelling NTP Through a Firewall?

Franklin_DeMatto asks: "My ISP keeps my server behind a tight firewall, only allowing outgoing HTTP(S) and SMTP. I would like to sync the system's clock using NTP. Does anyone know of any public time servers that can do some type of NTP over HTTP, to get through the firewall? What about the software (preferably open source) to do it? (No, the ISP will not change the firewall rules.)"

Try the routers...

[h3]

I forget where I learned this tip, but it's useful and doesn't seem widely known: many routers provide NTP service. So you can do a traceroute from your server out to anywhere (say google.com) and get a list of upstream routers. Don't forget to try the "-I" option (or whatever the equiv is in your version of traceroute) to use ICMP instead of the default UDP datagrams if your firewall is blocking those.

If/once you have a list of routers, try time syncing against them. It's worth a shot.

-h3

This is not a solution

[Christopher+Doopov]

My ISP keeps my server behind a tight firewall, only allowing outgoing HTTP(S) and SMTP. I would like to sync the system's clock using NTP. Does anyone know of any public time servers that can do some type of NTP over HTTP, to get through the firewall?

I am sorry, but the only reasonable advice I can give you is to change your ISP if they do not open more ports. You have only outgoing HTTP and SMTP? What about SSH? What about FTP? What about Telnet? What about IRC? Are you also going to tunnel them through HTTP? HTTP is a stateless and sessionless protocol. It is extremely bad idea to tunnel anything which uses long and interactive two-way TCP traffic (like IRC, SSH, FTP, Telnet, ...) using HTTP. Not only it is technically bad idea, you also compromise the firewall security if you use covert channels to hide all the forbidden traffic. The firewall rules to not allow insecure (in the opinion of firewall management team) protocols traffic are ruined when their users want to consciously compromise the security. We all know that using SSH or NTP is not insecure in itself, but when everyone tunnels everything bastardizing HTTP protocol, no one will ever notice when some day there is Back Orifice traffic hidden there between NTP, SSH, Telnet, FTP, IRC, et cetera. So my advice is: talk to your ISP. Tell them why you need NTP for security reasons (to have your logs useful). Tell them what do you want them to change. It is you, who are paying them, for the love of God, not the other way around. Nothing will ever change unless people start saying what do they want to be changed.

TCP Over TCP Is A Bad Idea (Re:SSH?)

[alfaiomega]

If you have a shell account, they probably allow ssh through the firewall and so you can tunnel the NTP ports over SSH.

Read Why TCP Over TCP Is A Bad Idea by Olaf Titz:

A frequently occurring idea for IP tunneling applications is to run a protocol like PPP, which encapsulates IP packets in a format suited for a stream transport (like a modem line), over a TCP-based connection. This would be an easy solution for encrypting tunnels by running PPP over SSH, for which several recommendations already exist (one in the Linux HOWTO base, one on my own website, and surely several others). It would also be an easy way to compress arbitrary IP traffic, while datagram based compression has hard to overcome efficiency limits.

Unfortunately, it doesn't work well. Long delays and frequent connection aborts are to be expected. Here is why.

Very interesting read.