When querying ntp servers with the command ntpdate, I can use the -u argument to make the source port an unrestricted port (port 1024 and above).
With ntpd, which is meant to run in the background, I can't seem to find a way to turn this option on. So the source port is always 123. It's playing around horribly with my firewall configuration.
Is there a configuration option in ntp.conf to make it use a random source port?
Doesn't sound like this is possible... see the ntp troubleshooting page:
If you're going to run ntpd, you need to fix your network/firewall/NAT so that ntpd can have full unrestricted access to UDP port 123 in both directions.
If this is not possible, you may need to run ntpd on the firewall itself, so that it can have full unrestricted access to UDP port 123 in both directions, and then have it serve time to your internal clients.
If that's not possible, your only other option may be to buy the necessary hardware to connect to one or more of your own computers and run your own Stratum 1 time server or buy a pre-packaged Stratum 1 time server.
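One way to act on the "fix your firewall" advice in the answer, as an added example that is not part of the original thread or the ntp documentation: an nftables ruleset for a host that runs ntpd as a client of a few upstream servers, built around the fixed source port 123 the question describes. The server addresses are constructed placeholders; the interface name "lo" and the chain names are assumptions.

```nft
# Added example (not from the question or the linked troubleshooting page).
# Host firewall for a machine running ntpd as a client. ntpd sends from UDP
# source port 123 to destination port 123, so the outbound rule matches
# exactly that pair towards the configured servers and conntrack admits the
# replies; nothing else on UDP 123 is opened, so the host does not become a
# reachable NTP server.
table inet filter {
    set ntp_servers {
        type ipv4_addr
        # Constructed placeholders (TEST-NET-1); use the servers from ntp.conf.
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        # Replies from our servers belong to the flow tracked on the way out.
        ct state established,related accept
        iif "lo" accept
        # No rule accepts new inbound traffic to UDP 123.
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        # Only the configured servers, only 123 -> 123.
        ip daddr @ntp_servers udp sport 123 udp dport 123 accept
        # Anything else leaving from port 123 is logged and dropped so a
        # misconfigured ntp.conf shows up in the log instead of silently failing.
        udp sport 123 log prefix "ntp-unexpected: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the `ntp-unexpected:` prefix while ntpd starts; a hit there means ntp.conf names a server that is not in the set.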