Lou_n_Di
Everyone Needs A Hero
Premium Member
join:2001-01-18
Seymour, CT
Technicolor CGM4140

[Equip] Firewall issue- Cisco DPC3939

There was a topic in another area that was discussing NTP issues....I checked my PC and uncovered an issue with the firewall settings for the Cisco 3939. If I select MAXIMUM SECURITY the Windows time sync will not function. I've verified it with a PING to both NIST and NTP pool servers....As soon as I switch back to MEDIUM SECURITY the time sync works....The documentation states that NTP is allowed with the MAXIMUM SECURITY setting--obviously something is bricked....
Is there a work-around for this or do I need to simply change the firewall setting each time I want to sync my PC time?
REF- Performance Tier, Win XP Pro SP3 OS
Gateway SW:
eMTA & DOCSIS Software Version: dpc3939-P20-18-v303r204113-140219aCMCST
Software Image Name: dpc3939-P20-18-v303r204113-140219aCMCST.p7b
TIA-
LOU

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

1 edit

I don't know exactly what the DPC3939 blocks in its various firewall modes, but the screen shot you supplied implies that only TCP ports 119, 123 are allowed for outbound connections in Maximum Security mode. Typically, the NTP service does sync operations using UDP; if the DPC3939 is blocking those UDP ports for outbound traffic, then it will be very difficult to sync with most Internet NTP services.

And FYI, doing an ICMP ping to a server in no way indicates whether any specific service is available on that server.

Do you have some specific reason for wanting to severely limit outbound protocols on such a wide scale? That is usually only something that is done in very restrictive and sensitive corporate and military networks.

EDIT: To illustrate what I mean about NTP normally using UDP instead of TCP, here is a snapshot I just took of my Linux server. You can see that ntpd (the NTP server) does not even listen on TCP, only on UDP port 123:

webhost:/ # netstat -a -n -p --inet --inet6
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      2193/xinetd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2107/rpcbind
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2358/pure-ftpd (SER
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      2193/xinetd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2132/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2405/master
tcp        0      0 0.0.0.0:3551            0.0.0.0:*               LISTEN      1975/apcupsd
tcp        0      0 0.0.0.0:5801            0.0.0.0:*               LISTEN      2193/xinetd
tcp        0    158 192.168.9.3:23          192.168.9.100:4432      ESTABLISHED 8185/in.telnetd: rw
tcp        0    249 192.168.9.3:42802       199.188.202.39:443      ESTABLISHED 8291/lynx
tcp        0      0 :::111                  :::*                    LISTEN      2107/rpcbind
tcp        0      0 :::80                   :::*                    LISTEN      1403/httpd2-prefork
tcp        0      0 :::21                   :::*                    LISTEN      2358/pure-ftpd (SER
tcp        0      0 ::1:631                 :::*                    LISTEN      2132/cupsd
tcp        0      0 :::25                   :::*                    LISTEN      2405/master
tcp        0      0 :::443                  :::*                    LISTEN      1403/httpd2-prefork
tcp        0      0 2601:5:1f00:571:e291:80 2601:5:1f00:571:e2:3514 ESTABLISHED 21956/httpd2-prefor
tcp        0      0 192.168.9.3:80          180.76.6.66:63097       TIME_WAIT   -
udp        0      0 0.0.0.0:1007            0.0.0.0:*                           2107/rpcbind
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2107/rpcbind
udp        0      0 0.0.0.0:631             0.0.0.0:*                           2132/cupsd
udp        0      0 192.168.9.3:123         0.0.0.0:*                           2280/ntpd
udp        0      0 127.0.0.2:123           0.0.0.0:*                           2280/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           2280/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2280/ntpd
udp        0      0 :::1007                 :::*                                2107/rpcbind
udp        0      0 :::111                  :::*                                2107/rpcbind
udp        0      0 2601:5:1f00:571:e29:123 :::*                                2280/ntpd
udp        0      0 ::1:123                 :::*                                2280/ntpd
udp        0      0 fe80::e291:f5ff:fe9:123 :::*                                2280/ntpd
udp        0      0 :::123                  :::*                                2280/ntpd
udp        0      0 :::177                  :::*                                1053/kdm
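The netstat listing above makes the point by inspection. As an added example (not part of NetFixer's post), here is a small parser that reads `netstat -a -n -p --inet --inet6` output and reports, per program, which protocols and local ports it actually accepts traffic on, so the "ntpd is UDP-only" observation becomes a check you can run on your own host. The sample lines are a constructed excerpt shaped like the post's output; the function names are this example's own.

```python
"""Parse Linux `netstat -a -n -p --inet --inet6` output and report which
protocols/ports each program listens on.  Added example; SAMPLE_NETSTAT is
a constructed excerpt in the same shape as the post's listing."""
import re
from collections import defaultdict

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2107/rpcbind
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2405/master
tcp        0    249 192.168.9.3:42802       199.188.202.39:443      ESTABLISHED 8291/lynx
tcp        0      0 :::80                   :::*                    LISTEN      1403/httpd2-prefork
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2107/rpcbind
udp        0      0 192.168.9.3:123         0.0.0.0:*                           2280/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           2280/ntpd
udp        0      0 :::123                  :::*                                2280/ntpd
"""

# One socket line: proto, two queue counters, local, foreign, optional State
# (UDP rows have none), then PID/Program (PID may be "-" for orphaned sockets).
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+|-)(?:/(?P<prog>.+?))?\s*$"
)


def parse_netstat(text):
    """Yield (proto, local_port, state, program) for every socket row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and column-header lines
        # Port is whatever follows the last colon; this also works for
        # IPv6 locals such as ":::123" and "::1:123".
        _, _, port = m.group("local").rpartition(":")
        proto = m.group("proto").rstrip("6")  # fold tcp6/udp6 into tcp/udp
        yield proto, int(port), m.group("state") or "", m.group("prog") or "-"


def listening_ports(text):
    """Map program name -> {proto: sorted ports} for sockets that accept
    traffic: TCP rows in LISTEN state, and every UDP row (UDP has no state)."""
    result = defaultdict(lambda: defaultdict(set))
    for proto, port, state, prog in parse_netstat(text):
        if proto == "tcp" and state != "LISTEN":
            continue  # ESTABLISHED / TIME_WAIT rows are clients, not services
        result[prog][proto].add(port)
    return {p: {k: sorted(v) for k, v in d.items()} for p, d in result.items()}


def protocols_for(text, program):
    """Sorted list of transport protocols a program listens on ('tcp', 'udp')."""
    return sorted(listening_ports(text).get(program, {}))


if __name__ == "__main__":
    for prog, ports in sorted(listening_ports(SAMPLE_NETSTAT).items()):
        print(f"{prog:20s} {ports}")
```

On a real host, pipe `netstat -a -n -p --inet --inet6` into `listening_ports()`; `protocols_for(out, "ntpd") == ["udp"]` is the machine-readable form of what the listing shows by eye, and a firewall profile that passes only TCP 123 cannot carry that traffic.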
 
 

Lou_n_Di
Everyone Needs A Hero
Premium Member
join:2001-01-18
Seymour, CT
Technicolor CGM4140

Thanks for the input---
I obviously don't have a proper understanding of the PING process:)
Regarding the security question----I feel more comfortable behind the restrictive hardware and software firewalls I have...
I think I may have jumped the gun---See the attachments---When I powered up the PC, this morning, I noticed that the time sync did indeed work...
BUT-
When I attempt a manual sync I get the error message...
I've obviously interpreted something wrong here....
What's that they say---A little knowledge is dangerous

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro
Netgear CM500
Pace 5268AC
TRENDnet TEW-829DRU

said by Lou_n_Di:

I think I may have jumped the gun---See the attachments---When I powered up the PC, this morning, I noticed that the time sync did indeed work...
BUT-
When I attempt a manual sync I get the error message...

I don't use that particular NTP server, so I can't say with authority; but some NTP services do limit how often a particular IP address can do a time sync. Also even though the Windows time sync uses the standard UDP port 123 for time sync (which apparently the DPC3939 blocks in its highest firewall setting), it may be possible that the Windows NTP client falls back to using TCP during the automatic sync process if a UDP sync fails (I have never had a reason to monitor it to find out).
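Two things in this thread call for the same check: NetFixer's earlier point that an ICMP ping says nothing about whether UDP/123 is reachable, and the point here that some public NTP servers rate-limit a client. Both are answered by sending an actual SNTP request and reading the reply. The following is an added example, not code from either poster: it builds the 48-byte client packet, parses the server reply, and recognises the RFC 5905 Kiss-o'-Death signal (stratum 0 with an ASCII code such as `RATE` in the reference ID field) that rate-limiting servers use. A timeout on the live query is what a firewall silently dropping outbound UDP/123 looks like. `make_server_packet` only fabricates replies for offline testing; the function names and the constructed timestamps are this example's own.

```python
"""Minimal SNTP (RFC 4330 / RFC 5905 subset) client-side probe.  Added
example: build a client request, parse a server reply, and classify the
outcome (no reply / rate-limited / OK).  Sample replies are constructed."""
import socket
import struct

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def build_client_packet():
    """48-byte request: leap indicator 0, version 4, mode 3 (client)."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (4 << 3) | 3  # == 0x23
    return bytes(pkt)


def parse_server_packet(data):
    """Decode the header fields a client cares about.  A stratum of 0 marks a
    Kiss-o'-Death packet and the reference ID then carries an ASCII code."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    first, stratum = data[0], data[1]
    refid = data[12:16]
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {
        "version": (first >> 3) & 0x07,
        "mode": first & 0x07,  # 4 = server reply
        "stratum": stratum,
        "kiss_code": refid.decode("ascii", "replace") if stratum == 0 else None,
        "transmit_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,  # Unix time
    }


def describe(result):
    """Turn a parsed reply (or None for no reply) into a one-line verdict."""
    if result is None:
        return "no reply: UDP/123 blocked in transit or host unreachable"
    if result["mode"] != 4:
        return f"unexpected mode {result['mode']} (not a server reply)"
    if result["kiss_code"] is not None:
        return f"kiss-o'-death {result['kiss_code']!r}: server refused (e.g. RATE = polling too often)"
    return f"ok: stratum {result['stratum']} server, transmit time {result['transmit_time']:.3f}"


def query_ntp(host, timeout=2.0):
    """Send one UDP request to host:123 and return the parsed reply, or None
    on timeout.  Unlike ping, this exercises the exact protocol and port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_packet(), (host, NTP_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_server_packet(data)


def make_server_packet(stratum, refid, tx_unix_secs):
    """Constructed server reply for offline testing (mode 4, version 4)."""
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 4
    pkt[1] = stratum
    pkt[12:16] = refid
    pkt[40:48] = struct.pack("!II", tx_unix_secs + NTP_EPOCH_OFFSET, 0)
    return bytes(pkt)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org"
    print(describe(query_ntp(host)))
```

Run with a server name to see which of the three outcomes your gateway profile produces; the distinction between "no reply" and a `RATE` kiss code is exactly the distinction between the firewall question and the rate-limit question raised above.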

Lou_n_Di
Everyone Needs A Hero
Premium Member
join:2001-01-18
Seymour, CT

I'll do a bit more reading and checking about. If I find something informative I'll share it with the group. Thanks so much for taking the time to assist me.
Enjoy the new day!