I'm trying to get some sort of time synchronization configured for a Ubuntu server. The server is behind a cloud-provider-stateless firewall. Through some trial and error I found out that in order for ntp to work, I have to open the incoming UDP port 123.
Then I read that using systemd-timesyncd is preferred nowadays, so I tried switching over to that. But that did not work. The service log was full of
systemd-timesyncd[2656121]: Timed out waiting for reply from 91.189.89.199:123 (ntp.ubuntu.com).
systemd-timesyncd[2656121]: Timed out waiting for reply from 91.189.94.4:123 (ntp.ubuntu.com).
Only after I also whitelisted the ephemeral UDP ports 32768–65535 in the firewall did this start to work:
systemd-timesyncd[2656121]: Initial synchronization to time server 91.189.91.157:123 (ntp.ubuntu.com).
Is opening that range of ports really necessary to operate systemd-timesync?
Edit in response to @Jesus-Loves-You's response below. The higher ports should not be necessary, but in my case, for some reason, they clearly are. See the log of the systemd-timesync service (annotated by me with #):
# Before I enabled the 32786+ ports
May 21 11:49:21 myhost systemd-timesyncd[2656121]: Timed out waiting for reply from 91.189.89.198:123 (ntp.ubuntu.com).
# After I enabled the ports
May 21 11:49:06 myhost systemd-timesyncd[2656121]: Initial synchronization to time server 91.189.91.157:123 (ntp.ubuntu.com).
# After I disabled them again. Note that there are no log entries inbetween for almost
# three days. This, imo, pretty much proves that the ports are required.
May 24 09:29:34 myhost systemd-timesyncd[2656121]: Timed out waiting for reply from 91.189.91.157:123 (ntp.ubuntu.com).
Further information about the port:
root@host:/# netstat -ulpvn | grep systemd
udp 0 0 127.0.0.53:53 0.0.0.0:* 2218041/systemd-res
udp 0 0 0.0.0.0:42212 0.0.0.0:* 2656121/systemd-tim
Looks like 42212 is the port where the service expects the communication to happen. But after a couple of minutes, when the next polling occurs:
root@host:/# netstat -ulpvn | grep systemd
udp 0 0 127.0.0.53:53 0.0.0.0:* 2218041/systemd-res
udp 0 0 0.0.0.0:37240 0.0.0.0:* 2656121/systemd-tim
Now the port changed. And after a couple of minutes it changed again to 51120. So from that I conclude that the service really tries to communicate on random ports each time it attempts the sync.
It really does use ephemeral ports.
Upon some more research I came across these:
https://iec61850.tissue-db.com/tissue/630
https://datatracker.ietf.org/doc/html/rfc4330#section-4
So the answer to this whole thing seems to be that
systemd-timesyncdis implementing theSNTPprotocol, notNTP, and as such uses ephemeral source UDP ports. That is by design. The question now becomes "how to handle ephemeral ports on a stateless firewall" /shrug.All I had to do on Debian 10 "Buster" and Debian 11 "Bullseye" was to open Outbound UDP Port 123
Results in
/var/log/syslog:Debian 10:
Debian 11:
I did have exactly the same question. This worked for me (if You are using iptables):
-A INPUT -p udp -m udp --sport 123 --dport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPTAs far as I understood, systemd-timesyncd is something like a client implementation (https://wiki.archlinux.org/title/Systemd-timesyncd) of ntp simply establishing an outgoing request, so there should be no further adjustments to be made in Your case.
And according to https://www.ietf.org/rfc/rfc5905.txt the necessary port is still port number 123 (UDP)
So answering Your question, no, those higher ports, that You mentioned, are NOT necessary. You did everything right
Maybe You were just missing a service restart?
sudo systemctl restart systemd-timesyncd systemctl status systemd-timesyncd.service timedatectl statusPlease notice: if this answer does not really work out in Your case, know that I just had the very same issue. So You are very close to the real answer. Best regards bro