NTP, ntpdate, and ISP-based firewall

Don Levey fedora-list at the-leveys.us
Wed Mar 3 22:26:21 UTC 2004


fedora-list-admin at redhat.com wrote:
> Don Levey wrote:
>> I've been trying to set up an NTP server within my own local
>> network, and have it sync with an outside server.  It appears that
>> my ISP is blocking NTP access; I can get a sync only when I run
>> ntpdate -u.
>>
>> While I could do that manually, or even set it up as a cron job, I'd
>> rather set up ntpd to do this at intervals if possible.  Any
>> suggestions as to how I can configure ntpd to work correctly, and/or
>> pointers to tutorials that might help?
>
> What does your /etc/ntp.conf file look like currently?
> Are you sure ntp packets are going out but not returning?
> ('tcpdump port ntp' or 'tcpdump port 123' might help debug this.)
>
Well, I get *something* by looking in tcpdump, but I need to read up on it
before I can comment intelligently on what I'm seeing.  It does look like my
traffic is going out, and something is coming back, but I don't know what.
I'll copy my conf file below.


> On a side note, what kind of fascist, unfriendly ISP blocks NTP
> traffic? Correct timekeeping is essential for a properly run network
> (especially if you have shared filesystems or want to be able to merge
> logfiles).


As this is a home network, run off of a cable modem, they will often block
port traffic.  I've got a query in to them now on whether or not they're
blocking 123; I've seen pages brought up by a Google search that say that at
least some ISPs do this.

Thanks again,
 -Don

ntp.conf (some comments excised):
# Prohibit general access to this service.
restrict default ignore
restrict 69.22.157.240 mask 255.255.255.255 nomodify notrap noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1


# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
 restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap



# --- GENERAL CONFIGURATION ---
#
#server 127.127.1.0     # local clock
server 69.22.157.240
server  ntp.ourconcord.net
server  ntp-0.cso.uiuc.edu

fudge   127.127.1.0 stratum 10

#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /etc/ntp/drift
broadcastdelay  0.008

keys            /etc/ntp/keys
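The reply above suggests watching port 123 with tcpdump, and the poster reports that "something is coming back" without knowing what. The UDP payload of an NTP reply is a fixed 48-byte header, so a short decoder turns a hex dump into the fields that matter: the mode (4 means a server reply), the stratum (0 marks a kiss-o'-death packet, whose reference ID is an ASCII code such as RATE or DENY rather than an address), the leap indicator (3 means the server's own clock is unsynchronized), and the transmit timestamp. This is an added example written for this archive page; it is not code from the poster or the Fedora project, and the two packets it decodes are constructed inline rather than captured from anyone's network. It also explains why ntpdate -u can succeed where plain ntpdate and ntpd fail: -u sends from an unprivileged source port, so the reply is not addressed to port 123, which is the port a filter on inbound traffic would typically match.

```python
"""Decode a 48-byte NTP packet (RFC 1305 / RFC 5905 header), such as the UDP payload of a
reply seen with 'tcpdump -x port 123', and say whether a client would accept it.
The sample packets below are constructed for this example, not real captures."""
import struct
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
HEADER = "!BBbb4s4s4sQQQQ"     # LI/VN/mode, stratum, poll, precision, root delay/disp, refid, 4 timestamps
MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive", 3: "client",
         4: "server", 5: "broadcast", 6: "control", 7: "private"}


def ntp_to_unix(ts):
    """64-bit NTP timestamp (32.32 fixed point, seconds since 1900) -> Unix seconds as float."""
    return (ts >> 32) - NTP_UNIX_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32


def fmt_time(unix_seconds):
    return datetime.fromtimestamp(unix_seconds, timezone.utc).isoformat()


def decode_refid(stratum, refid):
    """Stratum 0 (kiss-o'-death) and 1 carry a 4-char ASCII code; stratum 2+ carry the upstream IPv4."""
    if stratum <= 1:
        return refid.rstrip(b"\0").decode("ascii", "replace")
    return ".".join(str(b) for b in refid)


def parse_ntp(payload):
    if len(payload) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(payload))
    (flags, stratum, poll, precision, root_delay, root_disp, refid,
     _ref_ts, _org_ts, _rx_ts, tx_ts) = struct.unpack(HEADER, payload[:48])
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 7,
        "mode": MODES[flags & 7],
        "stratum": stratum,
        "poll_seconds": 2 ** poll,
        "precision_seconds": 2.0 ** precision,
        "root_delay": struct.unpack("!i", root_delay)[0] / 65536.0,   # 16.16 fixed point
        "root_dispersion": struct.unpack("!I", root_disp)[0] / 65536.0,
        "refid": decode_refid(stratum, refid),
        "transmit_unix": ntp_to_unix(tx_ts),
    }


def parse_ntp_hex(hexdump):
    """Same, from hex text with arbitrary whitespace (as copied out of a tcpdump -x dump)."""
    return parse_ntp(bytes.fromhex("".join(hexdump.split())))


def verdict(info):
    """Would ntpd/ntpdate use this reply?  Mirrors the sanity checks a client applies."""
    if info["mode"] != "server":
        return "not a server reply (mode: %s)" % info["mode"]
    if info["stratum"] == 0:
        return "kiss-o'-death: %s" % info["refid"]     # e.g. RATE (slow down) or DENY
    if info["leap"] == 3:
        return "server clock unsynchronized (LI=3)"
    if info["stratum"] > 15:
        return "stratum %d is invalid" % info["stratum"]
    return "usable server reply, stratum %d, reference %s" % (info["stratum"], info["refid"])


def build_reply(stratum, refid, leap=0, tx_unix=1078352781.5, version=3):
    """Construct a mode-4 (server) reply for demonstration; all values are made up."""
    flags = (leap << 6) | (version << 3) | 4
    secs = int(tx_unix) + NTP_UNIX_OFFSET
    frac = int((tx_unix - int(tx_unix)) * 2 ** 32)
    tx = (secs << 32) | frac
    return struct.pack(HEADER, flags, stratum, 6, -20,
                       struct.pack("!i", int(0.04 * 65536)),   # root delay 40 ms
                       struct.pack("!I", int(0.01 * 65536)),   # root dispersion 10 ms
                       refid, tx, 0, tx, tx)


# Constructed samples: a healthy stratum-2 reply and a kiss-o'-death telling the client to back off.
GOOD_REPLY = build_reply(2, bytes([192, 0, 2, 10]))
KOD_REPLY = build_reply(0, b"RATE")

if __name__ == "__main__":
    for pkt in (GOOD_REPLY, KOD_REPLY):
        info = parse_ntp(pkt)
        print(verdict(info), "| transmit time", fmt_time(info["transmit_unix"]))
```

When feeding real tcpdump -x output to parse_ntp_hex, note that -x prints from the IP header, so the first 28 bytes (IPv4 header without options plus the UDP header) have to be stripped before the 48-byte NTP header begins; a reply whose hex decodes to mode 4 with a non-zero stratum and LI other than 3 is one the client would accept, while anything else explains a "sync fails even though packets return" symptom.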

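Independently of what the ISP does, the restrict lines in a config like the one above deserve a second look, which is presumably why the reply asked for the file. ntpd applies the most specific restrict entry that matches a packet's source address and falls back to the default entry; with "restrict default ignore", packets from any source without an entry of its own are discarded, including replies from a configured server. ntpdate is a separate program that does not read ntp.conf, so it is unaffected either way. The checker below is an added example written for this page (not the poster's or the project's code): it parses the quoted config, reports which entry governs each server, and runs the same check on a hypothetical repaired copy that adds one restrict line per server. It does no DNS lookups, so a hostname only matches an entry that names it literally, which is labelled in the output.

```python
"""Check which 'restrict' entry in an ntp.conf governs packets from each configured
server.  ntpd applies the most specific matching restrict entry, falling back to
'restrict default'; with 'restrict default ignore', replies from a server that has no
entry of its own are silently discarded.  The sample config is the one quoted in the
post above, trimmed to the relevant lines."""
import ipaddress

SAMPLE_CONF = """\
restrict default ignore
restrict 69.22.157.240 mask 255.255.255.255 nomodify notrap noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
#server 127.127.1.0     # local clock
server 69.22.157.240
server  ntp.ourconcord.net
server  ntp-0.cso.uiuc.edu
fudge   127.127.1.0 stratum 10
"""

# Same config with one restrict line per server (hypothetical repair, not from the post).
REPAIRED_CONF = SAMPLE_CONF + """\
restrict ntp.ourconcord.net nomodify notrap noquery
restrict ntp-0.cso.uiuc.edu nomodify notrap noquery
"""


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_conf(text):
    """Return ([(target, mask, flags)], [server]) from the restrict and server lines."""
    restricts, servers = [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "restrict" and len(words) >= 2:
            target, rest = words[1], words[2:]
            mask = None
            if rest[:1] == ["mask"] and len(rest) >= 2:
                mask, rest = rest[1], rest[2:]
            restricts.append((target, mask, frozenset(rest)))
        elif words[0] == "server" and len(words) >= 2:
            servers.append(words[1])
    return restricts, servers


def governing_entry(address, restricts):
    """The restrict entry ntpd would apply to packets from 'address': the most specific
    matching network, else the 'default' entry, else None (no restriction at all).
    Hostnames are not resolved here (offline), so a name only matches an entry that
    names it literally."""
    default, best, best_len = None, None, -1
    for target, mask, flags in restricts:
        if target == "default":
            default = (target, mask, flags)
        elif not is_ip(address) or not is_ip(target):
            if target == address:
                return (target, mask, flags)
        else:
            net = ipaddress.ip_network((target, mask or "255.255.255.255"), strict=False)
            if ipaddress.ip_address(address) in net and net.prefixlen > best_len:
                best, best_len = (target, mask, flags), net.prefixlen
    return best or default


def lint(text):
    """Map each server to a one-line verdict about whether its replies get through."""
    restricts, servers = parse_conf(text)
    report = {}
    for srv in servers:
        entry = governing_entry(srv, restricts)
        if entry is None:
            report[srv] = "accepted: no restrict entry applies"
            continue
        target, _mask, flags = entry
        if "ignore" in flags:
            note = "" if is_ip(srv) else " (name not resolved offline; add an entry for it)"
            report[srv] = "DROPPED by 'restrict %s ignore'%s" % (target, note)
        else:
            report[srv] = "accepted under 'restrict %s': %s" % (target, " ".join(sorted(flags)) or "no flags")
    return report


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("with per-server restricts", REPAIRED_CONF)):
        print("==", label)
        for srv, result in lint(conf).items():
            print("%-22s %s" % (srv, result))
```

On the posted config the checker reports 69.22.157.240 as accepted under its own entry and the two hostname servers as falling under the default ignore entry; the repaired copy passes for all three. The flags kept on a server entry (nomodify notrap noquery) still allow time packets while refusing configuration changes and status queries from that address, which is the least-privilege shape a remote server entry should have.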