Why does NTP require bi-directional firewall access to UDP port 123?
You only need to allow incoming traffic on NTP's ports if you are acting as a server, allowing clients to sync to you.
Otherwise, the existence of an NTP state will automatically determine whether the incoming NTP packet is blocked or allowed by an existing firewall state that we initiated.
iptables -A OUTPUT -p udp --sport 123 --dport 123 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Please let me know if the iptables rules are proper. I have no experience with iptables. My NTP client stays synchronized on my pfSense router with only an outgoing allow rule because pfSense is a stateful firewall.
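The state matching described in the answer above, as an added example that is not part of the original post: a small Python model of a stateful firewall applying those two rules to UDP port 123. The default-DROP policy on both chains, the 30-second idle timeout and the addresses (documentation ranges) are assumptions made for the illustration.

```python
from dataclasses import dataclass

NTP_PORT = 123
UDP_TIMEOUT = 30.0  # assumed idle timeout in seconds; real firewalls make this tunable

@dataclass(frozen=True)
class Packet:  # every packet in this model is UDP
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Model of the two rules above, with an assumed default policy of DROP."""
    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.table = {}  # flow as first seen outbound -> time last seen

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if now - t < self.timeout}

    def outbound(self, p, now):
        # OUTPUT: -p udp --sport 123 --dport 123 -j ACCEPT, which creates a state
        self._expire(now)
        if p.sport == NTP_PORT and p.dport == NTP_PORT:
            self.table[(p.src, p.sport, p.dst, p.dport)] = now
            return "ACCEPT"
        return "DROP"

    def inbound(self, p, now):
        # INPUT: accept only a packet that is the reverse of a tracked flow
        self._expire(now)
        flow = (p.dst, p.dport, p.src, p.sport)
        if flow in self.table:
            self.table[flow] = now  # a matching reply refreshes the state
            return "ACCEPT"
        return "DROP"

def demo():
    # Constructed addresses: our client, the NTP server we query, an unrelated host
    client, server, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.77"
    fw = StatefulFirewall()
    return [
        fw.outbound(Packet(client, 123, server, 123), now=0.0),   # our query
        fw.inbound(Packet(server, 123, client, 123), now=0.1),    # its reply
        fw.inbound(Packet(stranger, 123, client, 123), now=0.2),  # unsolicited
        fw.inbound(Packet(server, 123, client, 123), now=100.0),  # state expired
    ]
```

`demo()` returns the verdicts for the query, its reply, an unsolicited packet from another host, and a late packet from the same server after the state has timed out.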