I'd like to run a time service like 'xntp' on my firewall machine (Kernel 2.4 w/ iptables, no DMZ) which should be able to

a) connect to public Internet time servers (obviously), b) do so with a minimum security impact, and c) send NTP broadcasts to my internal network.

Looking at b), is NTP a wise protocol to use? Are there more secure protocols? If you have some setup tips or sample 'iptables' scripts to share, that'd be fine. And if there's a FAQ for this which I missed, kindly point me to it. Thank you!

NTP can be configured to be pretty secure. As Kurt already noted, UDP is easy to spoof, but NTP time packets (responses) have to arrive in a pretty small time window not to be discarded by the data grooming algorithm. You should synchronise to several sources to allow the NTP daemon to identify falsetickers. Someone intent on muddling your time would have to impersonate several of the servers you query in order for an attack to succeed. More danger probably lies in a corruption of the daemon itself. It runs as root and a rather nasty buffer overflow (I believe) was discovered rather recently. Looking into the CHANGES files of the 4.0.99m-rc1 release, the authors seem to be making an attempt at cleaning out buffer overflow susceptible code. The other problem is that you can establish control connections to an NTP daemon using the same interface as the programs ntpq and ntpdc from the NTP distro. You should definitely use the access control options of NTP to not allow those from the Internet and from the inside only after successful authentication. More recent versions of the distribution allow you to use public key authentication for NTP time datagrams, but I don't know of any RPM (except my own) that has it compiled in. Tobias