From e8e01842f4e578ec427dd8d6f5a5e40b498458af Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 5 Nov 2020 17:13:03 +0100
Subject: Change NTP client to systemd-timesyncd.

(Excluding our NTP master.)  It's simpler, arguably more secure, and
provides enough functionality when only simple client use-cases are
desired.

We allow outgoing connections to 123/udp also on NTP slaves so systemd-timesyncd
can connect to the fallbacks NTP servers.
---
 roles/common/templates/etc/nftables.conf.j2 | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'roles/common/templates/etc/nftables.conf.j2')

diff --git a/roles/common/templates/etc/nftables.conf.j2 b/roles/common/templates/etc/nftables.conf.j2
index c89a136..808383c 100755
--- a/roles/common/templates/etc/nftables.conf.j2
+++ b/roles/common/templates/etc/nftables.conf.j2
@@ -168,7 +168,9 @@ table inet filter {
         # incoming ICMP/ICMPv6 traffic was filtered in the ingress chain already
         meta l4proto { icmp, icmpv6 } counter accept
 
-        udp sport  123 udp dport  123 ct state     related,established accept
+        # NTP (ntpd uses sport 123 but systemd-timesyncd does not)
+        udp sport 123 ct state related,established accept
+
 {% if groups.all | length > 1 %}
         udp sport  500 udp dport  500 ct state new,related,established accept
 {% if groups.NATed | length > 0 %}
@@ -206,7 +208,9 @@ table inet filter {
 
         meta l4proto { icmp, icmpv6 } counter accept
 
-        udp sport  123 udp dport  123 ct state new,related,established accept
+        # NTP (ntpd uses sport 123 but systemd-timesyncd does not)
+        udp dport 123 ct state new,related,established accept
+
 {% if groups.all | length > 1 %}
         udp sport  500 udp dport  500 ct state new,related,established accept
 {% if groups.NATed | length > 0 %}
-- 
cgit v1.2.3