
NIST Internet Time Service (Information about firewalls)

A firewall is a device that can protect your computer by selectively blocking connections from the Internet. A firewall can be built using hardware, software, or a combination of the two, and some operating systems (such as Windows XP and Linux) contain firewall software as part of the operating system itself.

There are a number of points to consider if you have any type of firewall and are planning to use it with the NIST Internet Time service.  You must understand a bit about how computers communicate over the Internet in order to be able to configure your firewall properly.

There are four parameters that specify how a client program communicates with a remote server. The first is the server address, which can be specified using a name, such as time-a.nist.gov, or using a series of numbers, such as 129.6.15.28. Both of these specifications are equivalent, although the numerical form is what is actually used by the system: the name is converted to the numerical form automatically. In general, the name is more convenient to use, but the numerical form requires less overhead to process and is generally preferred if you are going to make many requests to the same server.

The second parameter is the protocol, which specifies the format of the messages that are exchanged. The NIST servers support two common protocols: tcp, the transmission control protocol, and udp, the user datagram protocol. Finally, the third and fourth parameters are the port numbers on the client and the server. The server port number specifies which program on the NIST server will actually handle your request and the client port number specifies which program on your system will handle the response.

The port number on your system is arbitrary, and is usually chosen at random by your system each time the client program prepares to make a request for the time. Therefore, it is likely to vary from one request to another. However, the NIST time servers will only listen for and respond to requests addressed to a few specific port numbers and protocols.  These combinations are:

• udp port 123, which is used by the network time protocol and the simple network time protocol.  The NIST client software can be configured to use this port, but does not use it by default.

• tcp port 13, which is used by the NIST client software by default and by other programs that use the “daytime” protocol.

• tcp port 37 and udp port 37, which are used by DATE, RDATE, SDATE and by other programs that use the “time” protocol.
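As an added illustration of the two binary formats listed above (not code from NIST or from the NISTIME client), the following Python decodes a “time” protocol reply (port 37, one 32-bit count of seconds since 1900) and an NTP reply (udp port 123, transmit timestamp at bytes 40..47), converting both to Unix time and refusing short, zero or non-server replies instead of using them. The sample replies are constructed, and the validation rules are this example's own, not a requirement of the NIST servers.

```python
import struct
from datetime import datetime, timezone

# Both binary time formats count seconds from 1 January 1900 UTC; Unix time counts
# from 1970, so this constant converts between them (70 years incl. 17 leap days).
EPOCH_1900_TO_UNIX = 2208988800

def parse_time_protocol(reply: bytes) -> int:
    """Decode a "time" protocol (port 37) reply: exactly one 32-bit big-endian
    seconds-since-1900 word. Anything else is a blocked, truncated or garbled
    reply, and a careful client refuses to set the clock from it."""
    if len(reply) != 4:
        raise ValueError(f"expected 4 bytes, got {len(reply)}")
    (secs_1900,) = struct.unpack("!I", reply)
    return secs_1900 - EPOCH_1900_TO_UNIX

def build_ntp_request() -> bytes:
    """Minimal 48-byte NTP/SNTP client request sent to udp port 123:
    the first byte packs leap indicator 0, version 4, mode 3 (client)."""
    return bytes([(0 << 6) | (4 << 3) | 3]) + bytes(47)

def parse_ntp_reply(reply: bytes) -> float:
    """Decode an NTP reply: mode must be 4 (server); the transmit timestamp at
    bytes 40..47 is 32 bits of seconds since 1900 plus a 32-bit fraction."""
    if len(reply) < 48:
        raise ValueError(f"NTP reply too short: {len(reply)} bytes")
    if reply[0] & 0x07 != 4:
        raise ValueError("not a server-mode NTP packet")
    secs_1900, fraction = struct.unpack("!II", reply[40:48])
    if secs_1900 == 0:
        raise ValueError("server sent a zero timestamp (unsynchronized)")
    return secs_1900 - EPOCH_1900_TO_UNIX + fraction / 2**32

def utc_year(unix_secs: float) -> int:
    return datetime.fromtimestamp(unix_secs, tz=timezone.utc).year

if __name__ == "__main__":
    # Constructed reply: 2024-01-01 00:00:00 UTC is 3913056000 seconds after 1900.
    print(parse_time_protocol(struct.pack("!I", 3913056000)))      # 1704067200
    # A reply of all one-bits (one shape a garbled answer can take) decodes to
    # 7 February 2036, the last second the 32-bit counter can express.
    print(utc_year(parse_time_protocol(b"\xff\xff\xff\xff")))      # 2036
    # Constructed server reply: LI 0 / version 4 / mode 4, stratum 1, same instant + 0.5 s.
    ntp = bytes([0x24, 1]) + bytes(38) + struct.pack("!II", 3913056000, 2**31)
    print(parse_ntp_reply(ntp))                                    # 1704067200.5
```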

In order to successfully access the NIST time servers, your firewall must allow outbound connections via the remote port and protocol combination that you will be using. Since the port number on your system will probably vary from one request to another, you will probably have to allow messages from any port number on your system to pass through the firewall when they are addressed to one of the specific ports on the NIST system, and to allow messages addressed to any port on your system to pass back through the firewall when they come from one of these specific time service ports.

It is generally easier to configure a firewall when your client uses the TCP-based daytime format, since TCP communication implicitly associates a response from our time server with the request that solicited it, and the firewall is less likely to block a response to a request that originated from the local system. (The NISTIME client software uses this communication format by default.) However, this is not always true, and it is sometimes easier to use the UDP-based Network Time Protocol (NTP) format. Since this format is very widely used, many firewalls will pass messages in this format by default.

The NISTIME client software can use either of these formats, and you should try the NTP format if the firewall will not pass the TCP-based messages that are used by default. The choice between the two formats is made using the File | Select Server menu. Each server on the list can be configured to be queried in either format.  After you have configured the servers, you should save the configuration using File | Save Config, so that you don't have to select these options when you run the program again.

If these connections are blocked, the program will not receive a response to a time request and will usually report an error. In addition, some firewalls will not associate the response from the server with the message that requested it, and will treat the response as an unsolicited “attack.”  You should consider this possibility if you see many “attacks” that seem to originate from one of the time service ports listed above.  Finally, many DATE, RDATE and SDATE programs have poor error handling capabilities, and may set the time on your system to a strange value (often in the year 2036) if the response is blocked or garbled. We do not recommend any of these programs for this reason.
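The following Python is an added model (not any firewall product's rule syntax, and not code from NIST) of the behaviour described above: any local port may send to one of the NIST time ports, a reply is passed only when it matches a request the filter saw leave, and a firewall that does not associate UDP replies with their requests drops the NTP answer as an unsolicited packet from port 123, which is the “attack” symptom described above. The local address 192.0.2.10 and local port 54321 are constructed; 129.6.15.28 is the server address given on this page.

```python
from dataclasses import dataclass

# The (protocol, server port) combinations the NIST servers listen on, from the
# list above. Only the time-service rules are modelled here.
NIST_TIME_PORTS = {("udp", 123), ("tcp", 13), ("tcp", 37), ("udp", 37)}

@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the packet arrives from the Internet

class StatefulFilter:
    """Any local port may send to a NIST time port; a reply is passed only if it
    matches a request the filter saw go out. track_udp=False models a firewall
    that remembers TCP connections but does not associate UDP replies."""
    def __init__(self, track_udp: bool = True):
        self.track_udp = track_udp
        self.flows: set = set()  # (proto, local ip, local port, server ip, server port)

    def decide(self, pkt: Packet) -> str:
        if not pkt.inbound:
            if (pkt.proto, pkt.dport) not in NIST_TIME_PORTS:
                return "drop"
            if pkt.proto == "tcp" or self.track_udp:
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reversed tuple
        if key in self.flows:
            if pkt.proto == "udp":
                self.flows.discard(key)  # one datagram reply per request
            return "allow"
        if (pkt.proto, pkt.sport) in NIST_TIME_PORTS:
            # A reply the firewall could not match: this is what its log reports
            # as an unsolicited "attack" from a time-service port.
            return "drop-unsolicited"
        return "drop"

def exchange(fw: StatefulFilter, proto: str, server_port: int) -> tuple:
    """Run one request/reply pair through the filter and return both verdicts.
    Constructed addresses: 192.0.2.10 is the local host, 54321 its random port."""
    out = Packet(proto, "192.0.2.10", 54321, "129.6.15.28", server_port, inbound=False)
    back = Packet(proto, "129.6.15.28", server_port, "192.0.2.10", 54321, inbound=True)
    return fw.decide(out), fw.decide(back)

if __name__ == "__main__":
    print(exchange(StatefulFilter(track_udp=False), "tcp", 13))   # ('allow', 'allow')
    print(exchange(StatefulFilter(track_udp=False), "udp", 123))  # ('allow', 'drop-unsolicited')
    print(exchange(StatefulFilter(track_udp=True), "udp", 123))   # ('allow', 'allow')
```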

For questions or more information about the NIST Internet Time Service, contact Judah Levine.