[ntp:questions] Re: Configuring a server and clients behind a firewall
ronan at noc.ulcc.ac.uk
Tue Feb 1 18:14:04 UTC 2005
Steve Kostecke <kostecke at ntp.isc.org> wrote:
> > Isn't that a bit sweeping? You should be able to use, say,
> > restrict default nomodify notrap nopeer
> > restrict 127.0.0.1
> True. But if you understand how things like remote modification work
Apologies if my understanding is less than perfect :-/
> it's obvious that "nomodify" is redundant.
Because it requires authorization anyway, OK.
> Ditto for "nopeer".
I thought that was so that someone else couldn't put
in their ntp.conf and have you accept time from them -- that, or the
equivalent, seems to happen to people with some Windows clients.
Perhaps this is no longer required; in which version, though?
> As for
> traps, that's a monitoring feature for which there are no known clients
> outside of a script in the NTP distribution.
Which is publically available, so no harm turning them off ...
> > without affecting anything, and maybe also add noserve and/or noquery
> > to the default depending on how tightly controlled you want to be.
> "noserve" blocks time packets and puts you back in the position of
> needing to know the IP addresses of your remote time servers.
It blocks clients requesting time from your server, not time responses
to your server from its upstreams, surely?
> "noquery" should be considered "user-hostile" if you are supplying time
> to others. Would you believe, or want to use, a public time server that
> refused to disclose its time sources?
See "depending on how tightly controlled you want to be": what if it's
not intended to be public? On a private server what you really want
is "restrict default ignore", but that would block access to named/pool
servers. Hence the explicit list of options: to block everything you
can without having to list your servers by IP with tailored restricts.
Ronan Flood <R.Flood at noc.ulcc.ac.uk>
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)
More information about the questions