CentOS, Chrony, and AWS Ports

Tags: amazon-web-services, centos, chrony

I'm wondering how to properly configure AWS security to allow chrony to sync system time on a CentOS 7 instance.

I was running an earlier version of CentOS 7, which used chrony 1.29.1, and it worked with the below settings.

Instance Security Group: Outgoing UDP on port 123

Network ACL: Incoming UDP on port 123, and outgoing UDP on port 123.

However, when running yum update, or launching a new instance with the latest CentOS 7 release, which includes chrony 2.1.1, I can only get it to sync with the below configuration.

Instance Security Group: Outgoing UDP on port 123

Network ACL: Incoming UDP on all ports, and outgoing UDP on port 123.

What's going on here? Do I really need to allow incoming UDP on all ports for the network ACL now? Is this safe? I'm going to assume yes, because my security group doesn't allow incoming UDP traffic unless it previously established an outgoing connection, right?

Thanks.

Best Answer

No, because acquisitionport can be configured.

Even if the software didn't allow for such convenience, and a firewall didn't allow the return traffic of a flow, you could still open just an ephemeral port range and keep well-known services closed.
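The following is an added example that is not part of the original question or answer and is not code from the chrony project or AWS. It models the two points the answer makes: a Network ACL is stateless, so the NTP reply (UDP from remote port 123 to chronyd's source port) is evaluated on its own against the inbound rules, and chronyd's source port is what the acquisitionport directive controls (0, the chrony 2.x default, lets the kernel pick an ephemeral port; acquisitionport 123 in /etc/chrony.conf restores the fixed port 123 that the poster's chrony 1.29 setup relied on). The rule evaluation follows the documented NACL semantics (ascending rule number, first match wins, implicit deny). The ephemeral range 32768-60999 is an assumption about a default Linux kernel's net.ipv4.ip_local_port_range; AWS recommends 1024-65535 for NACL ephemeral rules, which would also work here.

```python
"""Simulate a stateless AWS Network ACL deciding whether chronyd's NTP
request and its reply both get through, for different acquisitionport
settings. Constructed example; all port ranges are assumptions."""
from dataclasses import dataclass
import random

NTP_PORT = 123
EPHEMERAL_RANGE = (32768, 60999)   # assumed Linux default ip_local_port_range


@dataclass(frozen=True)
class NaclRule:
    number: int        # rules are evaluated in ascending order
    protocol: str      # "udp", "tcp" or "all"
    port_from: int     # destination-port range of the packet being evaluated
    port_to: int
    action: str        # "allow" or "deny"

    def matches(self, protocol: str, port: int) -> bool:
        return (self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to)


def nacl_permits(rules, protocol: str, port: int) -> bool:
    """First matching rule decides; no match falls to the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port):
            return rule.action == "allow"
    return False


def chrony_source_port(acquisitionport: int, rng=random) -> int:
    """Port chronyd sends client requests from.

    acquisitionport 0  -> kernel picks an ephemeral port (chrony 2.x default)
    acquisitionport 123 -> requests leave from 123 (the chrony 1.x behaviour)
    """
    if acquisitionport == 0:
        return rng.randint(*EPHEMERAL_RANGE)
    return acquisitionport


def ntp_sync_possible(acquisitionport, ingress_rules, egress_rules, trials=200):
    """True if the request and its reply pass the NACL in every trial.

    Egress is checked on the server port (123); ingress on the reply's
    destination port, i.e. chronyd's source port. Multiple trials matter
    for acquisitionport 0 because each socket may land on a different
    ephemeral port, and a single lucky run would hide a broken rule set.
    """
    rng = random.Random(1)   # fixed seed: deterministic, still spans the range
    for _ in range(trials):
        src = chrony_source_port(acquisitionport, rng)
        if not nacl_permits(egress_rules, "udp", NTP_PORT):
            return False
        if not nacl_permits(ingress_rules, "udp", src):
            return False
    return True


# The poster's two NACL configurations plus the ephemeral-range alternative.
EGRESS_NTP_ONLY = [NaclRule(100, "udp", 123, 123, "allow")]
INGRESS_NTP_ONLY = [NaclRule(100, "udp", 123, 123, "allow")]
INGRESS_ALL_UDP = [NaclRule(100, "udp", 0, 65535, "allow")]
INGRESS_EPHEMERAL = [NaclRule(100, "udp", 32768, 60999, "allow")]


def scenarios() -> dict:
    return {
        "chrony 1.x (source port 123), ingress udp/123":
            ntp_sync_possible(123, INGRESS_NTP_ONLY, EGRESS_NTP_ONLY),
        "chrony 2.x default (acquisitionport 0), ingress udp/123":
            ntp_sync_possible(0, INGRESS_NTP_ONLY, EGRESS_NTP_ONLY),
        "chrony 2.x default, ingress all udp":
            ntp_sync_possible(0, INGRESS_ALL_UDP, EGRESS_NTP_ONLY),
        "chrony 2.x default, ingress ephemeral range only":
            ntp_sync_possible(0, INGRESS_EPHEMERAL, EGRESS_NTP_ONLY),
        "chrony 2.x with 'acquisitionport 123', ingress udp/123":
            ntp_sync_possible(123, INGRESS_NTP_ONLY, EGRESS_NTP_ONLY),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

The two fixes the answer describes correspond to the last two scenarios: either add `acquisitionport 123` to /etc/chrony.conf and keep the NACL as it was, or leave chrony at its default and add an inbound NACL rule for the ephemeral range only (for example with `aws ec2 create-network-acl-entry --network-acl-id <acl-id> --ingress --rule-number 110 --protocol udp --port-range From=32768,To=60999 --cidr-block 0.0.0.0/0 --rule-action allow`), which avoids exposing UDP services on well-known ports to the subnet. The security group is stateful and already lets the reply through, which is why only the NACL needed changing.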
