[ntp:questions] Re: Configuring a server and clients behind a firewall

Ronan Flood ronan at noc.ulcc.ac.uk
Tue Feb 1 18:14:04 UTC 2005


Steve Kostecke <kostecke at ntp.isc.org> wrote:

> > Isn't that a bit sweeping?  You should be able to use, say,
> >
> >   restrict default nomodify notrap nopeer
> >   restrict 127.0.0.1
> 
> True. But if you understand how things like remote modification work

Apologies if my understanding is less than perfect :-/

> it's obvious that "nomodify" is redundant.

Because it requires authorization anyway, OK.

> Ditto for "nopeer".

I thought that was so that someone else couldn't put

  peer <yourserver>

in their ntp.conf and have you accept time from them -- that, or the
equivalent, seems to happen to people with some Windows clients.
Perhaps this is no longer required; in which version, though?

> As for
> traps, that's a monitoring feature for which there are no known clients
> outside of a script in the NTP distribution.

Which is publicly available, so no harm turning them off ...

> > without affecting anything, and maybe also add noserve and/or noquery
> > to the default depending on how tightly controlled you want to be.
> 
> "noserve" blocks time packets and puts you back in the position of
> needing to know the IP addresses of your remote time servers.

It blocks clients requesting time from your server, not time responses
to your server from its upstreams, surely?

> "noquery" should be considered "user-hostile" if you are supplying time
> to others. Would you believe, or want to use, a public time server that
> refused to disclose its time sources?

See "depending on how tightly controlled you want to be": what if it's
not intended to be public?  On a private server what you really want
is "restrict default ignore", but that would block access to named/pool
servers.  Hence the explicit list of options: to block everything you
can without having to list your servers by IP with tailored restricts.

-- 
                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
                        working for but not speaking for
             Network Services, University of London Computer Centre
     (which means: don't bother ULCC if I've said something you don't like)
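Added illustration (not part of the thread above, and not anyone's posted config): an ntp.conf laying the two approaches the message contrasts side by side. Variant A is the explicit option list for a private server whose upstreams are pool hostnames with changing addresses; Variant B is "restrict default ignore" with a per-IP restrict line for each upstream, which only works when the upstreams are known by address. The addresses (192.0.2.10, 192.0.2.11, 192.168.1.0/24) and the driftfile path are made up for the example. The behaviour of the restrict flags is taken from the ntp.conf documentation: noserve denies every packet except ntpq/ntpdc queries, so on the default line it also drops the replies coming back from your upstreams unless they have their own restrict lines.

```conf
# Added example ntp.conf (not from the original thread).
# Hypothetical addresses: 192.0.2.10 / 192.0.2.11 (RFC 5737 range)
# and a 192.168.1.0/24 client LAN.

driftfile /var/lib/ntp/ntp.drift

# --- Variant A: tight default without knowing upstream IPs ----------
# Pool hostnames resolve to different addresses over time, so the
# default restriction must still let client/server time packets
# through.  Everything else the default line can deny is denied:
#   nomodify  no runtime configuration changes via ntpq/ntpdc
#   notrap    no trap (remote event logging) registration
#   nopeer    no new unsolicited associations
#   noquery   no ntpq/ntpdc status queries at all (private server)
# Do NOT add noserve here: per the ntp.conf docs it denies all packets
# except ntpq/ntpdc queries, so it would also drop the pool servers'
# replies.
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

restrict default nomodify notrap nopeer noquery

# LAN clients may ask for time and run ntpq, but not modify or peer.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer

# Full access (ntpq, ntpdc, authenticated runtime changes) only from
# the host itself.
restrict 127.0.0.1

# --- Variant B: "restrict default ignore" with fixed upstreams ------
# Only possible when every upstream is known by IP: "ignore" drops the
# upstreams' responses too, so each server line needs a matching
# restrict line that lets them in (while still denying what an
# upstream has no business doing).
#
# server 192.0.2.10
# server 192.0.2.11
#
# restrict default ignore
# restrict 192.0.2.10 nomodify notrap nopeer noquery
# restrict 192.0.2.11 nomodify notrap nopeer noquery
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
# restrict 127.0.0.1
```

Restrict lines are matched by address, with the most specific match winning, which is why the 127.0.0.1 and LAN lines can open access that the default line denies. After a change, "ntpq -p" from the host itself shows whether the upstreams are still reachable (reach column non-zero).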


