I haven't looked at NTP yet; none of the clients I've set up firewalls
for have requested it. If it uses a random port for one end of the
connection, I don't see any safe way to let NTP traffic through a
firewall that only looks at destination addresses; if you do, you'll
also end up exposing all RPC-based services, like YP and so forth.
The essential use of ntp -- keeping time synchronization -- uses port 123
on both ends. But other uses -- queries to remote time servers, or
forcing the right time when rebooting -- use random inside ports.