just saw that I did not allow NTP in my ipfire.
So I looked up the IP addresses of 0.ipfire.pool.ntp.org and 1.ipfire.pool.ntp.org and allowed them for 123 UDP.
The log for 123 shows a dozen IPs with 123 and my ipfire, which have nothing to do with the IPs or the NTP servers above, so they are all dropped. If I choose some IPs and allow them, they never seem to come again. There are always new IPs for 123.
So how can I manage the FW-rule for NTP?
This is what I did.
Only instead of DNS.
I used NTP .
There is a section on forcing DNS.
I made a rule for the firewall (RED) itself to get to NTP as a service, with the 2 ipfire NTP servers as above, but I see no success in the logs. They are still dropped (with other IPs than the ipfire.pool).
So I must force all clients to use NTP to get it to work? But what do clients have to do with the NTP of the ipfire itself?
A NTP pool delivers several IP addresses of NTP servers.
The NTP client of IPFire doesn't ask the pool server for time information, but one of the announced servers. So it is necessary that you allow all NTP traffic on the RED interface for the NTP server to function.
hvacguy’s link shows, how to force all local devices to use the NTP server of the IPFire device.
Sorry, I misunderstood your problem.
If you have a default firewall policy of blocking outgoing traffic, you would need a firewall rule for that.
Like firewall to red NTP service.
This would allow the firewall to talk to any NTP server. Of course it would only be asking the ones you have setup.
oook, pool makes sense (so there are many servers to connect to)
So I made both rules:
- for GREEN, BLUE and ORANGE to the firewall with NTP allowed
- for the RED ipfire to the RED network for NTP only.
and it works! Thanks!
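The two rules above, and the reason the per-IP attempt from the first post failed, as an added example that is not part of this thread and not IPFire's own code. It models a first-match firewall chain with a DROP policy and a pool name that hands out a different member on every lookup. All addresses, the pool membership and the `resolve` stand-in for DNS are constructed for the demonstration; a real pool rotates through far more servers than the three per name shown here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed pool membership (documentation ranges); a real pool is much larger.
POOL = {
    "0.ipfire.pool.ntp.org": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
    "1.ipfire.pool.ntp.org": ["198.51.100.20", "198.51.100.21", "198.51.100.22"],
}
FIREWALL_RED_IP = "203.0.113.5"    # constructed: firewall's RED-side address
FIREWALL_GREEN_IP = "192.168.1.1"  # constructed: firewall's GREEN-side address
GREEN_CLIENT = "192.168.1.50"      # constructed: a LAN client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    iface: str  # interface the packet uses: "red", "green", "blue", "orange"


@dataclass(frozen=True)
class Rule:
    action: str
    src: str = "any"           # CIDR or single address, or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    iface: str = "any"


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_match_addr(rule.src, pkt.src) and _match_addr(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport)
            and rule.iface in ("any", pkt.iface))


def evaluate(rules, pkt: Packet, default: str = "DROP") -> str:
    """First-match evaluation with a default-DROP policy, like a simple chain."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def resolve(name: str, lookup: int) -> str:
    """Deterministic stand-in for DNS: each lookup returns the next pool member."""
    members = POOL[name]
    return members[lookup % len(members)]


def per_ip_rules(names):
    """First attempt from the thread: allow only the addresses seen at lookup time."""
    return [Rule("ACCEPT", src=FIREWALL_RED_IP, dst=resolve(n, 0),
                 proto="udp", dport=123, iface="red") for n in names]


def red_service_rule():
    """Working rule 2: firewall -> RED network, NTP service only, any destination."""
    return [Rule("ACCEPT", src=FIREWALL_RED_IP, dst="any",
                 proto="udp", dport=123, iface="red")]


def lan_rules():
    """Working rule 1: GREEN, BLUE and ORANGE clients -> firewall, NTP only."""
    return [Rule("ACCEPT", src="192.168.1.0/24", dst=FIREWALL_GREEN_IP,
                 proto="udp", dport=123, iface=zone)
            for zone in ("green", "blue", "orange")]


def simulate(rules, lookups: int = 6) -> dict:
    """The firewall's NTP client looks up the pool `lookups` times; count outcomes."""
    outcome = {"ACCEPT": 0, "DROP": 0}
    names = list(POOL)
    for i in range(lookups):
        name = names[i % len(names)]
        server = resolve(name, i // len(names))  # pool rotates on each lookup
        pkt = Packet(FIREWALL_RED_IP, server, "udp", 123, "red")
        outcome[evaluate(rules, pkt)] += 1
    return outcome


if __name__ == "__main__":
    print("per-IP rules:  ", simulate(per_ip_rules(list(POOL))))
    print("service rule:  ", simulate(red_service_rule()))
    print("LAN client NTP:", evaluate(lan_rules(),
          Packet(GREEN_CLIENT, FIREWALL_GREEN_IP, "udp", 123, "green")))
```

With the per-IP rules only the first address each pool name handed out is accepted and every later rotation is dropped, which is exactly the "always new IPs for 123" pattern in the log; the service rule keyed on source, protocol and port accepts all of them while still dropping unrelated traffic from the firewall such as TCP 80.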