Why network services in IPFire?

I noticed in the system log that the NTP is failing. I disabled it because 1. NTP has always had issues and 2. it's a useless item.

What was the logic behind it in the first place?

What exactly do you mean?

Do you mean the logic of NTP at all or the implementation in IPFire?

Also “what” NTP is failing? NTP Server / Resolver or Client?

Short: The use of NTP is that every client connected to a network should have the exact same time, otherwise there might be problems with authentication, certificates, etc.

Most recent example is 2FA / MFA… when you have a wrong sync or are in the wrong time-zone your MFA might not work.

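To make the MFA point above concrete, here is an added example (not code from the thread or from IPFire) implementing RFC 6238 TOTP with the usual server-side verification window and then measuring how far a client's clock can drift before its codes stop verifying. The seed is the RFC 6238 test-vector seed, the instant 1700000000 is a constructed timestamp, and the one-step window is an assumption about server policy.

```python
"""RFC 6238 TOTP with a server-side verification window, used to show how far a
client's clock may drift before its codes stop verifying. Added example; the
secret below is the RFC 6238 test-vector seed, not a real credential."""
import hashlib
import hmac
import struct

STEP = 30     # time step in seconds (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: float, step: int = STEP) -> str:
    """TOTP = HOTP(secret, floor(time / step))."""
    return hotp(secret, int(unix_time) // step)


def verify(secret: bytes, code: str, server_time: float, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    (window=1 is the RFC 6238 suggestion, assumed here). Constant-time compare."""
    counter = int(server_time) // STEP
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def accepted_with_skew(secret: bytes, server_time: float, skew: float,
                       window: int = 1) -> bool:
    """Would a code generated on a client whose clock is `skew` seconds off verify?"""
    return verify(secret, totp(secret, server_time + skew), server_time, window)


def skew_limits(secret: bytes, server_time: float, window: int = 1, limit: int = 3600):
    """Largest slow and fast skews (seconds) still accepted at this instant.
    The answer depends on where inside the 30 s step the server currently is."""
    def last_ok(sign: int) -> int:
        ok = 0
        for s in range(1, limit + 1):
            if not accepted_with_skew(secret, server_time, sign * s, window):
                break
            ok = s
        return ok
    return last_ok(-1), last_ok(+1)


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 6238 test seed (constructed, not a real secret)
    now = 1700000000                 # constructed instant, 20 s into a step
    for skew in (0, 30, 45, 90, 120):
        state = "accepted" if accepted_with_skew(seed, now, skew) else "REJECTED"
        print(f"client clock {skew:+4d} s: {state}")
    print("accepted skew: slow %d s, fast %d s" % skew_limits(seed, now))
```

With a one-step window the server tolerates at most about 90 s of total drift, split unevenly depending on where in the current step it is; a phone or laptop that is two minutes off fails every code, which is the failure mode described above.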

Wow, I never heard anyone say NTP is useless at all.

I see the problem of authentication, but useless at all? I don't know.

But maybe this is the call for NTS support?

Greetz


But NTS is the useless NTP also, only secured. :wink:

I forgot self-signed uses a timestamp. But it has to get way out of range, and the clock on that server doesn't lose time. But it doesn't take more than 5 minutes to set the time again on the server if I couldn't connect to it on the local network. But the time has to get considerably off to throw the error in the first place. I am starting to add network devices besides IPFire that have self-signed certs, and I have been thinking of building up a private CA server so I can eliminate self-signed certificates on devices. I might add an NTP server if it's really needed.

Also, I have set in my firewall rules that the red interface is blocked:
DROP protocol: all, source: red, destination: any
So IPFire doesn't have access itself to the internet unless I turn it off so I can update it.

That isn’t the use case IPFire is designed for. IPFire is the gateway for local networks to the WAN. This implies that IPFire has an active connection to the internet. IMO

The OS does until I added the rule. Just because it doesn’t have open ports doesn’t mean it can’t manually open up one itself, unless you add that rule.

Opening connections to the outside is the main purpose of an internet gateway with firewall. The device provides the controlled access for the local devices.
See also www.ipfire.org - What is IPFire?

The only time a router should access the internet independently is for updates and connecting VPN for remote clients and IPsec for remote networks. Since I'm using it for my house router and have no need for VPN or IPsec I have it blocked, and therefore it's impossible to use as an attack surface to exploit.

Hmm…

a router is not a firewall… it depends on the use case…

A pure switch or pure router does not necessarily need access to the internet itself, I give you that. But if you use a firewall with some implemented features like DNS, NTP, VPN or even something like PiHole with dynamically updated blocklist, the device would need access to the internet.

You would not need to allow incoming traffic, so no attack surface there, but outgoing is something different…


I think it's all in the concept of how you want to use it. I personally don't believe in putting a lot of servers on the gateway router, because it would increase the attack surface for the device and it would be another process in the gateway router tying up resources. Since you have to open a port for VPN or IPsec, I would have a server inside the network, port forwarded and set up for that task. Other servers like network shares, I wouldn't put Samba on the IPFire machine either. For something like a Pi-hole DNS server, I would run it on a Pi 4 or better, but not on the IPFire machine that is used for the gateway server.

@dr_techno your recipe makes sense, however not every network admin/designer/consultant can always have the ingredients wanted to make the project/customer dish.
If IPFire is the pivot point of any kind of branch, doing "things" like controlling network access, an NTP server is an on-site reliable time source for other devices that do not have that kind of service (like APs, switches) or that might need a tuning source (printers, and so on) to keep the time correct.
Last but not least: NTP traffic is negligible, however avoiding allowing internet access for time updates might reduce the heartbeat signaling of "pesky" consumer devices like smartphones.

Nice to have NTP server on IpFire, but like salt “it’s not always needed” :wink:


For DNS filtering tasks like Pi-hole, IMO, it is necessary that they are located at the internet gateway, best inside the DNS resolver. For effectiveness all DNS requests must go through this single resolver/server.

DNS for a network is always inside the network. For things like the Pi-hole, you would configure it so that IPFire's DNS is an entry and the private DNS servers are the first ones on the list, then outside public DNS servers.

But even if I was hosting a public name server for a FQDN (which is normally a cluster server environment) I would be manually routing port 53 for each gateway server + outside ip address.

This discussion is expanding. Therefore I’ll change the topic.

You could build your own NTP stratum 1 server, no need for internet access

I was thinking about adding NTP services to a certificate authority server, since the only option for achieving OCSP on a non-FQDN is with 48-hour certs, for which it's recommended to regenerate them every 24 hours.

That sounds like you are going in the right direction. NTP stratum 1 would be on separate hardware because you would have a rubidium oscillator card or GPS receiver connected to it.

Is your CA server a separate box from IPFire?

Yes, the CA server is a separate server. I have noticed that there are embedded GPS NTP server boxes on eBay for $75 that I might pick up. But even setting up ntpd on a server to provide the NTP for the network would suffice.

Unless your compliance requires stratum 1, an ntpd server is all you might need, but it should be behind a firewall and connect to a stratum 1 or 2 server over the net.

If so, then the built-in NTP service in IPFire is all you might need. Let me know if you need help troubleshooting it.

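Since the thread ends on running ntpd behind the firewall and having clients sync to it, here is an added example (not IPFire code and not from any poster) of the exchange such a client performs: it builds an SNTP v4 request, then parses and validates a server reply and computes the clock offset and round-trip delay per RFC 4330. The server reply is constructed in the script so it runs offline; a real client would send `build_request()` to UDP port 123 of the LAN time server (IPFire's ntpd, in this thread's setup) and hand the 48 bytes that come back to `parse_reply()`. The reference id `GPS` and the timestamps are assumptions.

```python
"""SNTP (RFC 4330) client exchange: build the request, validate the reply,
compute offset and delay. Added example; the reply is constructed, not captured."""
import struct

NTP_EPOCH_OFFSET = 2208988800           # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET = struct.Struct("!BBBb11I")  # 48-byte header: LI/VN/Mode, stratum, poll,
                                        # precision, root delay, root disp, refid,
                                        # reference/origin/receive/transmit timestamps


def to_ntp(unix_ts: float):
    """Unix seconds -> (NTP seconds, 32-bit fraction)."""
    secs = int(unix_ts)
    frac = min(int((unix_ts - secs) * (1 << 32)), (1 << 32) - 1)
    return secs + NTP_EPOCH_OFFSET, frac


def from_ntp(secs: int, frac: int) -> float:
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(t1: float) -> bytes:
    """Client request: LI=0, VN=4, Mode=3; T1 is carried in the transmit timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return NTP_PACKET.pack(li_vn_mode, 0, 0, 0, *([0] * 9), *to_ntp(t1))


def build_server_reply(t1: float, t2: float, t3: float, stratum: int = 2,
                       leap: int = 0) -> bytes:
    """Constructed server reply (Mode=4): origin echoes the client's T1, receive
    and transmit timestamps are the server's clock. Refid 'GPS' is an assumption."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    refid = int.from_bytes(b"GPS\x00", "big")
    return NTP_PACKET.pack(li_vn_mode, stratum, 6, -20, 0, 0, refid,
                           *to_ntp(t2), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))


def parse_reply(reply: bytes, t1: float, t4: float) -> dict:
    """Validate a reply against the request we sent and compute offset/delay.
    Raises ValueError for replies a careful client must not apply to its clock."""
    if len(reply) < NTP_PACKET.size:
        raise ValueError("short packet")
    f = NTP_PACKET.unpack_from(reply)
    leap, mode, stratum = f[0] >> 6, f[0] & 0x07, f[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if leap == 3:
        raise ValueError("server clock is unsynchronised (LI=3)")
    if stratum == 0 or stratum > 15:
        raise ValueError(f"unusable stratum {stratum} (0 = kiss-o'-death)")
    if (f[9], f[10]) != to_ntp(t1):     # reply must echo our T1 (replay/spoof check)
        raise ValueError("origin timestamp does not match our request")
    t2 = from_ntp(f[11], f[12])         # server receive time
    t3 = from_ntp(f[13], f[14])         # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return {"stratum": stratum, "offset": offset, "delay": delay}


def demo() -> dict:
    """Constructed exchange: client clock 120 s slow, about 50 ms each way."""
    t1 = 1700000000.0          # client clock when the request is sent
    t2 = t1 + 120.0 + 0.05     # server clock when it arrives
    t3 = t2 + 0.01             # server clock when the reply leaves
    t4 = t1 + 0.11             # client clock when the reply arrives
    return parse_reply(build_server_reply(t1, t2, t3), t1, t4)


if __name__ == "__main__":
    r = demo()
    print(f"stratum {r['stratum']}, offset {r['offset']:+.3f} s, delay {r['delay']:.3f} s")
```

The offset is what a client would step or slew its clock by; ntpd itself refuses to apply an offset above its 1000 s panic threshold unless started with `-g`, which is why a box that has been powered off for a long time can end up with the "NTP failing" symptom the thread opens with.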