RE: [suse-security] Looking for a secure time service
I was thinking of using K9 (see http://www.kaska.demon.co.uk/k9.htm) on the client side. It is available for Windows and Linux, small, easy to install and listens to NTP broadcasts. Therefore, I see no need to allow access to the firewall's "xntp" even from my trusted network, as the firewall will provide the NTP broadcasts. Or is there any security issue regarding NTP broadcasts which I missed?
Well, this is from the 'Association Management' page of ntp.org: http://www.eecis.udel.edu/~ntp/ntp_spool/html/assoc.htm

------------ begin quote -----------------------

Broadcast Mode

Broadcast mode is intended for configurations involving one or a few servers and a possibly very large client population. A broadcast server is configured using the broadcast command and a local subnet address. A broadcast client is configured using the broadcastclient command, in which case it responds to broadcast messages received on any interface. Since an intruder can impersonate a broadcast server and inject false time values, this mode should always be cryptographically validated. The original NTPv3 authentication scheme is applicable in this mode, as well as the new NTPv4 Autokey proventication scheme.

The server generates broadcast messages continuously at intervals specified by the minpoll keyword and with a time-to-live span specified by the ttl keyword. A NTPv4 broadcast client responds to the first proventicated message received by waiting an interval randomized over the minpoll interval, in order to avoid implosion at the server. Then, the client polls the server in burst mode in order to reliably set the host clock and validate the source. This normally results in a volley of eight client/server cycles over a 30-s interval during which both the synchronization and cryptographic protocols run concurrently. When the next broadcast message is received after the volley, the client computes the offset between the apparent broadcast time and the (unicast) client time. This offset is used to compensate for the propagation time between the broadcast server and client. Once the offset is computed, the server continues as before and the client sends no further messages.

------------ end quote -----------------------

If the K9 client uses the same mode of operation, then it will indeed query the NTP daemon on the firewall in burst mode when it starts. This means you can't disallow incoming packets to port 123 on the internal NIC of the firewall.

Tobias
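The quoted page says broadcast mode "should always be cryptographically validated". As an added illustration (not code from the thread, K9 or ntpd), the following constructs an NTPv4 header, attaches the classic symmetric-key MAC (4-byte key id followed by MD5 over key || header) and shows a client-side check that only acts on a mode-5 broadcast whose MAC verifies against a known key; the key id and key value are placeholders.

```python
import hashlib
import hmac
import struct

# Constructed example: NTPv4 header layout (RFC 5905) plus the symmetric-key
# MAC that authenticated broadcast mode relies on. Key id 1 and its value are
# assumed placeholders, not real configuration.
NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16          # key id + MD5 digest
MODE_BROADCAST = 5
MODE_SERVER = 4
SHARED_KEYS = {1: b"placeholder-shared-secret"}


def build_header(mode: int, version: int = 4, stratum: int = 2) -> bytes:
    """Build a minimal 48-byte NTP header (timestamps zeroed, constructed)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # leap/version/mode, stratum, poll exponent, precision, then 44 zero bytes
    return struct.pack("!BBBb", li_vn_mode, stratum, 6, -20) + b"\x00" * 44


def sign(header: bytes, key_id: int) -> bytes:
    """Append the NTPv3/v4 MAC: key id + MD5(key || header)."""
    digest = hashlib.md5(SHARED_KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def mode_of(packet: bytes) -> int:
    """Low three bits of the first byte carry the association mode."""
    return packet[0] & 0x07


def verify(packet: bytes) -> bool:
    """Accept only packets carrying a MAC computed with a trusted key."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False  # unsigned (or unexpected length): reject outright
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = SHARED_KEYS.get(key_id)
    if key is None:
        return False  # unknown key id: an impersonator cannot pick ours
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, mac[4:])


def accepted_time_source(packet: bytes) -> bool:
    """A broadcast client should act on a mode-5 packet only if it verifies."""
    return mode_of(packet) == MODE_BROADCAST and verify(packet)
```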
Participants (1): Reckhard, Tobias