I read somewhere that you should force IPfire time server (NTP) on all devices.
I tried to hardcode NTP settings for Windows and Linux desktops and laptops but other devices don’t have that option.
I captured some of the NTP domain names, like
IPFire menu Services > Time Server
Check Obtain time from network server and Provide time to local network.
NTP servers: 0.ipfire.pool.ntp.org 1.ipfire.pool.ntp.org
On IPFire Network > DHCP Server
Set IPFire Green (and Blue if used) Primary NTP server to be your IPFire Green, Blue addresses.
Or if using a different DHCP server, put in there.
There are some badly behaved devices/services that willfully ignore the provided NTP configuration and will try to use whatever NTP they servers they want! A similar problem exists for DNS servers. I suspect this is some form of limited ‘call home’ capability.
I’ve resorted to configuring a redirect for ANY:123 to 127.0.0.1:123 which forces NTP to IPFire and appears to work for most problematic devices.
Yes and one of the “badly behaved devices” is IPfire itself. The internal client that “looks” at the upstream NTP servers is NOT a proper NTP client but rather a basic SNTP client. Therefore the time that IPfire serves to your downstream devices exhibits a sawtooth result.
Under the DHCP configuration screen, tell your devices to get time from elsewhere.
Thank you IPcop, Philip and Derek.
I guess it’s not that simple as it appears.
I wish I could remember where I saw that recommendation to use IPfire as NTP for internal network as security measure.
You find an idea how it should work for you at: https://forum.ipfire.org/viewtopic.php?f=22&t=22156&start=15
Maybe that helps.
Can you add detail on what you did? Was this done in the IPFire webgui (menu Firewall > Firewall Rules)? Or was this added via iptables and how?
perhaps it was this blog post of mine?
Thanks, and best regards,
this should not be too complicated.
Basically, it involves creating a firewall rule with the source and destination information @philthehill mentioned. To my knowledge, the firewall GUI provides that functionality and no
iptables commands are required.
Thanks, and best regards,
Yes, it was your blog post Peter
Also look at the thread about forcing DNS through the IPFire server.
From what I understand the IPFire WebGUI for Firewall Rules doesn’t work as expected:
As Alexander Marx described in the bugzilla post, the settings in the WUI manipulate iptables chains which are considered too late. There are ACCEPT rules just before.
He suggests to use rules in the PREROUTING chain, which is considered in the community thread about DNS redirecting also. Just look at the solution over there and adapt it for NTP ( port 123 ).