<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p>NTP over IPv6 over GRE (i.e. a tunnelbroker.net connection) is not blocked and works perfectly. That's how I worked around it at Avant :-).</p>
<p>-Adam</p>
<p><br /></p>
<p>On 2019-01-25 13:27, Gilles Detillieux wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0"><!-- html ignored --> <!-- head ignored --><!-- meta ignored --> I had an issue with NTP port 123 being blocked when switching from MTS's phone-line based ADSL service to their fibre based "VDSL" service several years ago (well before the Bell takeover). Colin is right: they wanted to block NTP amplification attacks and went way overboard. Even after the threat had pretty much passed, they refused to relax that restriction on their home fibre Internet service. Apparently the only solution is to use MTS's own NTP server. I think it's ntp.mts.net, but I'm not at home now so I can neither check my NTP settings, nor verify that it's still working correctly. It's a pain for devices where you can't change the NTP server setting, because there's really no other recourse but to live with inaccurate clocks. At least my phone can sync off of LTE.<br /> <br />
<div class="moz-cite-prefix">On 1/25/19 9:16 AM, Wyatt Zacharias wrote:</div>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div dir="ltr">Our "high-end" fibre business internet from MTS at work hasn't blocked any NTP traffic.
<div>Our internal NTP servers sync out on port 123, and it's all been allowed so far. <br />
<div>
<div>
<div class="gmail_signature" dir="ltr">
<div dir="ltr">
<div> </div>
<div>--</div>
Wyatt Zacharias
<div> </div>
</div>
</div>
</div>
</div>
</div>
</div>
<br />
<div class="gmail_quote">
<div class="gmail_attr" dir="ltr">On Fri, Jan 25, 2019 at 8:55 AM Colin Stanners <<a href="mailto:cstanners@gmail.com">cstanners@gmail.com</a>> wrote:</div>
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">
<div dir="ltr">
<div dir="ltr">Likely they're trying to block NTP amplification attacks, <a href="https://www.incapsula.com/ddos/attack-glossary/ntp-amplification.html" target="_blank" rel="noopener noreferrer">https://www.incapsula.com/ddos/attack-glossary/ntp-amplification.html</a> , and they went overboard on the firewall rule.</div>
</div>
<br />
<div class="gmail_quote">
<div class="gmail-m_84717653751862293gmail_attr" dir="ltr">On Fri, Jan 25, 2019 at 8:51 AM John Lange <<a href="mailto:john@johnlange.ca">john@johnlange.ca</a>> wrote:</div>
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">
<div dir="ltr">One of my favorite sayings is "never suspect a conspiracy, that which can be explained by incompetence". This is likely an accidental side effect of something else they've done because unless they are now trying to sell you some kind of Bell branded time-sync service, I can't think of any business reason why they would do this intentionally.<br />
<div> </div>
<div>Although, one thing I can think of is, perhaps there is a whole lot of unsecured NTP on their network being actively exploited?</div>
<div> </div>
<div>Might be worth going through the pain of opening a ticket to see if you can get an official answer. I believe the CRTC regulations prevent them from arbitrarily manipulating, blocking, or shaping the network traffic without disclosing what they are doing.</div>
<div> </div>
<div>John</div>
</div>
<br />
<div class="gmail_quote">
<div class="gmail-m_84717653751862293gmail-m_3667329955431893700gmail_attr" dir="ltr">On Fri, Jan 25, 2019 at 4:55 AM Trevor Cordes <<a href="mailto:trevor@tecnopolis.ca">trevor@tecnopolis.ca</a>> wrote:</div>
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left: 1px solid #cccccc; padding-left: 1ex;">On 2019-01-25 Trevor Cordes wrote:<br /> > Looks like chrony (and others) lets you specify src port, but I'm<br /> > loathe to uproot the system I know because Bell is braindead. (MTS<br /> > didn't use to block it, and block-happy Shaw does not block it.)<br /> <br /> Epiphany moment: iptables can probably solve this. 20 minutes later:<br /> <br /> iptables -t mangle -A OUTPUT -o $iext -p udp --sport 123 --dport 123 -j MARK --set-mark 30<br /> iptables -t nat -A POSTROUTING -p udp -m mark --mark 30 -j SNAT --to-source :60000-61000<br /> <br /> Works perfectly! ntpd now syncs with peers. ntpdate doesn't need -u.<br /> I don't need to switch to chrony. And I don't need to wait for ntpd to<br /> add this feature*. Go take a hike Bell!!!<br /> <br /> *<a href="http://bugs.ntp.org/show_bug.cgi?id=1109" target="_blank" rel="noopener noreferrer">http://bugs.ntp.org/show_bug.cgi?id=1109</a> ... looks like never<br /> <br /> Note, it could be just 1 rule, but I used 2 to make sure that I only<br /> SNAT packets originating from within the actual firewall/router itself,<br /> and not packets being forwarded from within the internal LAN (PC's). I<br /> can't figure out a way to specify "really originated locally" other<br /> than with mark, but I'm open to ideas. It's not as easy as it sounds<br /> with multiple interfaces on the box, unless there's a trick I'm missing.<br /> <br /> If I wanted internal LAN PCs to also have their traffic go through, I'd<br /> need to use a -j MASQUERADE (it's a dynamic IP) in an extra rule and<br /> change the syntax slightly. Since all internal PCs should be set to<br /> use the firewall as ntp server, this shouldn't be a problem (in fact<br /> could help me id broken PC ntp setups).<br /> _______________________________________________<br /> Roundtable mailing list<br /> <a href="mailto:Roundtable@muug.ca">Roundtable@muug.ca</a><br /> <a href="https://muug.ca/mailman/listinfo/roundtable" target="_blank" rel="noopener noreferrer">https://muug.ca/mailman/listinfo/roundtable</a></blockquote>
</div>
<br clear="all" />
<div> </div>
-- <br />
<div class="gmail-m_84717653751862293gmail-m_3667329955431893700gmail_signature" dir="ltr">
<div dir="ltr">
<div>John Lange<br /> </div>
</div>
</div>
_______________________________________________<br /> Roundtable mailing list<br /> <a href="mailto:Roundtable@muug.ca">Roundtable@muug.ca</a><br /> <a href="https://muug.ca/mailman/listinfo/roundtable" target="_blank" rel="noopener noreferrer">https://muug.ca/mailman/listinfo/roundtable</a></blockquote>
</div>
_______________________________________________<br /> Roundtable mailing list<br /> <a href="mailto:Roundtable@muug.ca">Roundtable@muug.ca</a><br /> <a href="https://muug.ca/mailman/listinfo/roundtable" target="_blank" rel="noopener noreferrer">https://muug.ca/mailman/listinfo/roundtable</a></blockquote>
</div>
<br /><fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre">_______________________________________________
Roundtable mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Roundtable@muug.ca">Roundtable@muug.ca</a>
<a class="moz-txt-link-freetext" href="https://muug.ca/mailman/listinfo/roundtable" target="_blank" rel="noopener noreferrer">https://muug.ca/mailman/listinfo/roundtable</a>
</pre>
</blockquote>
<br />
<pre class="moz-signature">--
Gilles R. Detillieux E-mail: <a class="moz-txt-link-rfc2396E" href="mailto:grdetil@scrc.umanitoba.ca"><grdetil@scrc.umanitoba.ca></a>
Spinal Cord Research Centre WWW: <a class="moz-txt-link-freetext" href="http://www.scrc.umanitoba.ca/" target="_blank" rel="noopener noreferrer">http://www.scrc.umanitoba.ca/</a>
Dept. of Physiology and Pathophysiology, Rady Faculty of Health Sciences,
Univ. of Manitoba Winnipeg, MB R3E 0J9 (Canada)
</pre>
<!-- html ignored --><br />
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">_______________________________________________<br /> Roundtable mailing list<br /> <a href="mailto:Roundtable@muug.ca">Roundtable@muug.ca</a><br /> <a href="https://muug.ca/mailman/listinfo/roundtable" target="_blank" rel="noopener noreferrer">https://muug.ca/mailman/listinfo/roundtable</a></div>
</blockquote>
<p><br /></p>
</body></html>