Have you removed the default LAN allow rule that should allow all traffic out of your LAN by default?
I disabled it.
You should not need a special rule to allow clients on your LAN to query NTP from your pfSense box.
I think the same way, but in the firewall log there is information about blocking the connection:
Jun 21 22:41:23 LAN WindowsHost:123 pfSenseBox:123 UDP
Jun 21 22:47:33 LAN LinuxHost:37064 pfSenseBox:123 UDP
Here is the output from one of the clients trying to sync time from pfSense:
ntpdate -d (any_address)
21 Jun 22:39:38 ntpdate: ntpdate email@example.com
Fri Nov 18 13:21:21 UTC 2011 (1)
Looking for host (any_address) and service ntp
host found : (any_address)
(any_address): Server dropped: no data
server (any_address), port 123
stratum 0, precision 0, leap 00, trust 000
refid [(any_address)], delay 0.00000, dispersion 64.00000
transmitted 4, in filter 4
reference time: 00000000.00000000 Thu, Feb 7 2036 7:28:16.000
originate timestamp: 00000000.00000000 Thu, Feb 7 2036 7:28:16.000
transmit timestamp: d38e050d.43d199bb Thu, Jun 21 2012 22:39:41.264
filter delay: 0.00000 0.00000 0.00000 0.00000
0.00000 0.00000 0.00000 0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
All outgoing connections from this machine are allowed. The Windows client can't sync either.
It doesn't matter if I try to sync with pfSense or some other external host.
Is NTP running on your pfSense? What version of pfSense are you running? I know they have made changes in 2.1 that changed to actual ntp vs openntp.
Yes, it's running on pfSense too. My version is: 2.0.1-RELEASE (amd64), built on Mon Dec 12 18:43:51 EST 2011, FreeBSD 8.1-RELEASE-p6