Interesting….
Just tested this on a somewhat brand new install of FC22 (fully updated) and I’m getting the same results. I do have port 123 open on the firewall INBOUND as well as the server (that is any udp port can connect to my machines at port 123) but based on the TCPDUMP I just did it looks like chrony is connecting using an unprivileged port, which most likely means (and I’ve come across a few articles that say as much) the firewall rule needs to allow incoming UDP port 123 to ANY port on the server.
I can see why firewall admins would be VERY apprehensive about doing this, and I’m not in the office so I don’t want to play with my firewall rules remotely. I’ll be in tomorrow and I’ll test my theory by opening source port 123 to any port and see if this solves the problem.
OT: If it does, I would have to agree with the few articles I’ve read out there regarding this. It is a BAD implementation. It all but forces one to simply buy a GPS unit or time server and house it on site.
[root@smtp ~]# tcpdump port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s2f0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:20:35.435351 IP smtp.inksystemsinc.com.59841 > repos.lax-noc.com.ntp: NTPv4, Client, length 48
12:20:36.780107 IP smtp.inksystemsinc.com.58673 > name1.glorb.com.ntp: NTPv4, Client, length 48
12:20:39.177934 IP smtp.inksystemsinc.com.48109 > time-b.nist.gov.ntp: NTPv4, Client, length 48
12:20:42.249166 IP smtp.inksystemsinc.com.46548 > time-c.nist.gov.ntp: NTPv4, Client, length 48
12:24:21.798506 IP smtp.inksystemsinc.com.38782 > clock.trit.net.ntp: NTPv4, Client, length 48
12:24:21.999909 IP smtp.inksystemsinc.com.39560 > 131.107.13.100.ntp: NTPv4, Client, length 48
12:24:23.009871 IP smtp.inksystemsinc.com.47688 > origin.towfowi.net.ntp: NTPv4, Client, length 48
12:24:23.211233 IP smtp.inksystemsinc.com.46101 > deekayen.net.ntp: NTPv4, Client, length 48
12:24:23.813548 IP smtp.inksystemsinc.com.43697 > clock.trit.net.ntp: NTPv4, Client, length 48
12:24:24.019143 IP smtp.inksystemsinc.com.35847 > 131.107.13.100.ntp: NTPv4, Client, length 48
12:24:25.044904 IP smtp.inksystemsinc.com.33086 > origin.towfowi.net.ntp: NTPv4, Client, length 48
12:24:25.248017 IP smtp.inksystemsinc.com.52609 > deekayen.net.ntp: NTPv4, Client, length 48
12:24:25.842556 IP smtp.inksystemsinc.com.59576 > clock.trit.net.ntp: NTPv4, Client, length 48
12:24:26.049297 IP smtp.inksystemsinc.com.43897 > 131.107.13.100.ntp: NTPv4, Client, length 48
12:24:27.074666 IP smtp.inksystemsinc.com.45592 > origin.towfowi.net.ntp: NTPv4, Client, length 48
12:24:27.287149 IP smtp.inksystemsinc.com.55627 > deekayen.net.ntp: NTPv4, Client, length 48
12:24:27.863836 IP smtp.inksystemsinc.com.54775 > clock.trit.net.ntp: NTPv4, Client, length 48
12:24:28.064734 IP smtp.inksystemsinc.com.42372 > 131.107.13.100.ntp: NTPv4, Client, length 48
12:24:29.107981 IP smtp.inksystemsinc.com.38735 > origin.towfowi.net.ntp: NTPv4, Client, length 48
12:24:29.309311 IP smtp.inksystemsinc.com.41803 > deekayen.net.ntp: NTPv4, Client, length 48
12:24:29.885521 IP smtp.inksystemsinc.com.46028 > clock.trit.net.ntp: NTPv4, Client, length 48
12:24:30.086696 IP smtp.inksystemsinc.com.52997 > 131.107.13.100.ntp: NTPv4, Client, length 48
12:24:31.134974 IP smtp.inksystemsinc.com.60018 > origin.towfowi.net.ntp: NTPv4, Client, length 48
12:24:31.336257 IP smtp.inksystemsinc.com.58666 > deekayen.net.ntp: NTPv4, Client, length 48
12:24:31.889111 IP smtp.inksystemsinc.com.34483 > clock.trit.net.ntp: NTPv4, Client, length 48
12:24:32.125685 IP smtp.inksystemsinc.com.50513 > 131.107.13.100.ntp: NTPv4, Client, length 48
12:24:33.160631 IP smtp.inksystemsinc.com.59358 > origin.towfowi.net.ntp: NTPv4, Client, length 48
12:24:33.362719 IP smtp.inksystemsinc.com.33979 > deekayen.net.ntp: NTPv4, Client, length 48
12:24:33.889878 IP smtp.inksystemsinc.com.57796 > clock.trit.net.ntp: NTPv4, Client, length 48
12:24:34.127055 IP smtp.inksystemsinc.com.58885 > 131.107.13.100.ntp: NTPv4, Client, length 48
12:24:35.189193 IP smtp.inksystemsinc.com.50615 > origin.towfowi.net.ntp: NTPv4, Client, length 48
12:24:35.391723 IP smtp.inksystemsinc.com.58513 > deekayen.net.ntp: NTPv4, Client, length 48
12:24:35.916880 IP smtp.inksystemsinc.com.52794 > clock.trit.net.ntp: NTPv4, Client, length 48
12:24:36.151963 IP smtp.inksystemsinc.com.41172 > 131.107.13.100.ntp: NTPv4, Client, length 48
12:24:37.219853 IP smtp.inksystemsinc.com.50053 > origin.towfowi.net.ntp: NTPv4, Client, length 48
12:24:37.421983 IP smtp.inksystemsinc.com.54911 > deekayen.net.ntp: NTPv4, Client, length 48
12:26:44.993577 IP smtp.inksystemsinc.com.33387 > clock.trit.net.ntp: NTPv4, Client, length 48
12:26:45.894067 IP smtp.inksystemsinc.com.37791 > 131.107.13.100.ntp: NTPv4, Client, length 48
12:26:47.006712 IP smtp.inksystemsinc.com.43237 > origin.towfowi.net.ntp: NTPv4, Client, length 48
12:26:47.459310 IP smtp.inksystemsinc.com.51999 > deekayen.net.ntp: NTPv4, Client, length 48
12:31:04.623651 IP smtp.inksystemsinc.com.60481 > clock.trit.net.ntp: NTPv4, Client, length 48
12:31:05.273877 IP smtp.inksystemsinc.com.47396 > origin.towfowi.net.ntp: NTPv4, Client, length 48
12:31:05.474975 IP smtp.inksystemsinc.com.43965 > deekayen.net.ntp: NTPv4, Client, length 48
12:31:06.622505 IP smtp.inksystemsinc.com.60713 > 131.107.13.100.ntp: NTPv4, Client, length 48
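
Added example, not part of the original post: a small Python parser for tcpdump's one-line NTP summaries that pairs each client request with a server reply to the same source port, so a capture like the one above can be read as "which servers never answered" at a glance. The `summarize` function and the `ntp.example.net` exchange are constructed for illustration; the first three sample lines are taken from the capture above.

```python
import re

NTP_PORTS = {"ntp", "123"}  # tcpdump prints "ntp" unless it is run with -n

# "<time> IP <src>.<sport> > <dst>.<dport>: NTPv4, <mode>, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+)\.(?P<dport>\w+): NTPv\d, (?P<mode>\w+), length \d+$"
)

# First three lines come from the capture above; the last two are constructed
# to show what an answered exchange looks like.
SAMPLE = """\
12:20:35.435351 IP smtp.inksystemsinc.com.59841 > repos.lax-noc.com.ntp: NTPv4, Client, length 48
12:20:39.177934 IP smtp.inksystemsinc.com.48109 > time-b.nist.gov.ntp: NTPv4, Client, length 48
12:24:21.798506 IP smtp.inksystemsinc.com.38782 > clock.trit.net.ntp: NTPv4, Client, length 48
12:24:22.100000 IP smtp.inksystemsinc.com.40000 > ntp.example.net.ntp: NTPv4, Client, length 48
12:24:22.151000 IP ntp.example.net.ntp > smtp.inksystemsinc.com.40000: NTPv4, Server, length 48
""".splitlines()


def is_privileged(port):
    """True for the named ntp port or any numeric port below 1024."""
    return port in NTP_PORTS or (port.isdigit() and int(port) < 1024)


def summarize(lines):
    """Pair each client request with a server reply to the same source port."""
    pending = {}         # (server, client source port) -> request timestamp
    answered = []        # exchanges for which a reply reached the interface
    privileged_src = []  # requests sent from a privileged source port
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue     # not an NTP summary line (banner, other traffic)
        if m["mode"] == "Client" and m["dport"] in NTP_PORTS:
            pending[(m["dst"], m["sport"])] = m["ts"]
            if is_privileged(m["sport"]):
                privileged_src.append(m["sport"])
        elif m["mode"] == "Server" and m["sport"] in NTP_PORTS:
            key = (m["src"], m["dport"])
            if pending.pop(key, None) is not None:
                answered.append(key)
    return {"answered": answered, "unanswered": sorted(pending),
            "privileged_src": privileged_src}


if __name__ == "__main__":
    for name, value in summarize(SAMPLE).items():
        print(name, value)
```

A stateful firewall that accepts replies belonging to tracked outbound UDP flows admits these responses without a rule opening source port 123 to every local port.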