[ntp:questions] Re: Configuring a server and clients behind a firewall
Brad Knowles
brad at stop.mail-abuse.org
Tue Feb 1 18:37:01 UTC 2005
At 6:14 PM +0000 2005-02-01, Ronan Flood wrote:
>> Ditto for "nopeer".
>
> I thought that was so that someone else couldn't put
>
> peer <yourserver>
>
> in their ntp.conf and have you accept time from them -- that, or the
> equivalent, seems to happen to people with some Windows clients.
> Perhaps this is no longer required; in which version, though?

For a system to be a functioning peer, this has to be defined on
both ends. One machine cannot just "peer" with yours and have yours
believe them. Of course, if they know other machines that you have
peered with, they might be able to do some UDP packet spoofing and
cause some confusion for your server. Which is why you want to
combine "peer" definitions with some authentication.

>> "noserve" blocks time packets and puts you back in the position of
>> needing to know the IP addresses of your remote time servers.
>
> It blocks clients requesting time from your server, not time responses
> to your server from its upstreams, surely?

Why would you configure a server and then tell it to not serve
time? I mean, that would defeat the entire purpose, wouldn't it?

> See "depending on how tightly controlled you want to be": what if it's
> not intended to be public? On a private server what you really want
> is "restrict default ignore", but that would block access to named/pool
> servers. Hence the explicit list of options: to block everything you
> can without having to list your servers by IP with tailored restricts.

The problem is not in your choosing to do this on an isolated
private server. The problem is in publicly recommending that others
do as you have done, when they are much more likely to not fully
understand all the consequences.

We have to be careful what kind of behaviour that we recommend
that others follow.

--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
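
An added example, not part of the original message or of the NTP distribution: a small Python check of an ntp.conf for two points raised in this exchange, "peer" lines with no trusted key and "restrict default ignore" leaving a configured server or peer without a restrict entry of its own. The sample configuration, addresses, key ids, function names and finding names are constructed for illustration, and restrict entries are matched by address and mask only.

```python
import ipaddress
# Constructed sample: documentation-range addresses, made-up key ids.
SAMPLE_CONF = """\
trustedkey 1 2
restrict default ignore
restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap noquery
server 198.51.100.10
server pool.ntp.org
peer 198.51.100.20 key 1
peer 192.0.2.21          # no key
peer 198.51.100.22 key 7 # key 7 is not in trustedkey
"""

def opt(tok, name):  # value following option `name`, or None
    return tok[tok.index(name, 2) + 1] if name in tok[2:-1] else None

def covered(host, nets):
    try:
        return any(ipaddress.ip_address(host) in n for n in nets)
    except ValueError:  # hostname: cannot be matched to an address-based entry
        return False

def audit(conf_text):
    """Return sorted (host, finding) pairs for an ntp.conf given as text."""
    trusted, assocs, nets, default_flags = set(), [], [], set()
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "trustedkey":
            trusted.update(tok[1:])
        elif tok[0] in ("server", "peer"):
            assocs.append((tok[0], tok[1], opt(tok, "key")))
        elif tok[0] == "restrict" and tok[1] == "default":
            default_flags.update(tok[2:])
        elif tok[0] == "restrict":
            spec = "/".join(filter(None, [tok[1], opt(tok, "mask")]))
            try:
                nets.append(ipaddress.ip_network(spec, strict=False))
            except ValueError:  # hostname or -4/-6 flag: not modelled here
                pass
    findings = set()
    for kind, host, key in assocs:
        if kind == "peer" and key is None:
            findings.add((host, "peer-without-key"))
        elif key is not None and key not in trusted:
            findings.add((host, "key-not-trusted"))
        if "ignore" in default_flags and not covered(host, nets):
            findings.add((host, "no-restrict-entry-under-default-ignore"))
    return sorted(findings)
```
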