Firewall configuration UDP in or out?

Do I understand it right that on my client servers, which I want time-synchronized with NTP.org, the firewall needs to allow only incoming traffic on target UDP port 123?
For our network team: is there any security concern in allowing this incoming UDP traffic on port 123 from any host? In my opinion there is not, because the only thing listening on it is the NTP client (the Windows Time service, for example), and it is actively asking for the data from the configured NTP server, so it would not be able to receive data from some other server, right?

Oh, but after reading this I am not sure if incoming UDP port 123 is enough!

But it seems like the Microsoft Windows Time service needs just this UDP 123, according to the very bottom of this page:
https://docs.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings#ntpserver

Which are we talking about, the clients or the servers?

For a server behind a firewall that you want clients to be able to access, you would need to open (destination) UDP/123 inbound, and if outbound traffic by default is blocked then you would need to let (source) UDP/123 outbound to reply back to the requests.

As for security, it’s no different than any other service… Make sure it is configured properly, and keep it updated.

Hello, I think it is quite clear what I meant when I wrote client servers which I want time synchronized with NTP.org:
that means from the time sync point of view they are clients, but of course these machines are servers, meaning they run a server operating system, so I call them servers.

I asked if it is fine or whether there might be some risk in allowing incoming UDP traffic from any host, so could you comment on that? Normally the firewall rules are set to allow traffic from certain IP addresses.

For your NTP client(s) you have to enable only outgoing UDP packets to port 123 to any IP address. I assume your firewall has stateful connection tracking, so no explicit inbound traffic rule is required. The firewall will open a peephole for the return traffic on the fly.
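As an added example (not code from anyone in this thread), here are the Windows Firewall rules that implement the two answers above on a Windows server: the NTP client case needs only the outbound rule, and the inbound rule is needed only on a machine that serves time to others. The peer name, the rule names and the LAN subnet are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the
# Windows server. Assumes the built-in Windows Firewall and that w32tm is configured
# to use the peer named below (assumption; substitute the real peer list).
$NtpPeer = 'pool.ntp.org'

# --- Client case (the machine asks a remote NTP server for time) ---
# Only the client's own request needs a rule: outbound UDP to remote port 123.
# Windows Firewall is stateful, so the reply from the same server/port is matched to
# this outbound connection and no "inbound UDP/123 from any host" rule is required.
New-NetFirewallRule -DisplayName 'NTP client (outbound UDP/123)' `
    -Direction Outbound -Protocol UDP -RemotePort 123 `
    -Action Allow -Profile Any

# Optional tightening, matching the "allow traffic from certain IP addresses" practice:
# limit the rule to the addresses the peer resolves to right now.
# Caveat: pool.ntp.org rotates addresses, so this only stays correct with a periodic
# refresh of the list or with a fixed internal NTP server as the peer.
$peerAddrs = (Resolve-DnsName -Name $NtpPeer -Type A).IPAddress
Set-NetFirewallRule -DisplayName 'NTP client (outbound UDP/123)' -RemoteAddress $peerAddrs

# --- Server case (this machine serves time to other hosts) ---
# Only here is an inbound rule for destination UDP/123 needed; restrict the sources to
# the hosts that should be allowed to query it (example subnet is a placeholder).
# New-NetFirewallRule -DisplayName 'NTP server (inbound UDP/123)' `
#     -Direction Inbound -Protocol UDP -LocalPort 123 `
#     -RemoteAddress '10.0.0.0/8' -Action Allow -Profile Domain,Private

# --- Verify: the rule exists and time sync still works through it ---
Get-NetFirewallRule -DisplayName 'NTP client*' | Get-NetFirewallPortFilter
w32tm /resync
w32tm /query /status
```

If outbound traffic is blocked by default and the resync fails, the first rule is the one to check; no inbound change is needed for the client case.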
