[ntp:questions] Re: Configuring a server and clients behind a firewall

Ronan Flood ronan at noc.ulcc.ac.uk
Wed Feb 2 14:01:02 UTC 2005

Brad Knowles <brad at stop.mail-abuse.org> wrote:

> >>  "noserve" blocks time packets and puts you back in the position of
> >>  needing to know the IP addresses of your remote time servers.
> >
> >  It blocks clients requesting time from your server, not time responses
> >  to your server from its upstreams, surely?
> 	Why would you configure a server and then tell it to not serve 
> time?  I mean, that would defeat the entire purpose, wouldn't it?

Serve time to whom, that's the issue: without restrictions, ntpd will
operate as a public time server.  The admin might want to offer time
service only to the local LAN; or in the narrowest (and most common?)
case, using ntpd as a client to discipline the host's time, not offer
time service at all.

> >  See "depending on how tightly controlled you want to be": what if it's
> >  not intended to be public?  On a private server what you really want
> >  is "restrict default ignore", but that would block access to named/pool
> >  servers.  Hence the explicit list of options: to block everything you
> >  can without having to list your servers by IP with tailored restricts.
> 	The problem is not in your choosing to do this on an isolated 
> private server.  The problem is in publicly recommending that others 
> do as you have done, when they are much more likely to not fully 
> understand all the consequences.
> 	We have to be careful what kind of behaviour that we recommend 
> that others follow.

Sure, I simply disagreed with Steve Kostecke's comment:

  If you do want to use restrictions you will not be able to
  use server host names that resolve to multiple IP addresses (e.g.

I think it is not necessary to run one's own ntpd as an open server
just to use the pool servers.

                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
                        working for but not speaking for
             Network Services, University of London Computer Centre
     (which means: don't bother ULCC if I've said something you don't like)

More information about the questions mailing list