NTP is fine as it uses port 123 for both source and destination port.
As for BIND, it's not quite as simple as that. One problem I've run into
is that your firewall host will typically run named, which implies that
UDP socket 23 is bound to it. If you want to point nslookup at
another server, you can't if your incoming filters only allow dest port 23 --
nslookup ends up using a source port >1023 which results in the following:
> server ns.nic.ddn.mil.
Default Server: ns.nic.ddn.mil
> set type=ns
*** Request to ns.nic.ddn.mil timed-out