[ntp:questions] Re: Configuring a server and clients behind a firewall
Ronan Flood
ronan at noc.ulcc.ac.uk
Wed Feb 2 14:01:02 UTC 2005
Brad Knowles <brad at stop.mail-abuse.org> wrote:
> >> "noserve" blocks time packets and puts you back in the position of
> >> needing to know the IP addresses of your remote time servers.
> >
> > It blocks clients requesting time from your server, not time responses
> > to your server from its upstreams, surely?
>
> Why would you configure a server and then tell it to not serve
> time? I mean, that would defeat the entire purpose, wouldn't it?
Serve time to whom, that's the issue: without restrictions, ntpd will
operate as a public time server. The admin might want to offer time
service only to the local LAN; or in the narrowest (and most common?)
case, using ntpd as a client to discipline the host's time, not offer
time service at all.
> > See "depending on how tightly controlled you want to be": what if it's
> > not intended to be public? On a private server what you really want
> > is "restrict default ignore", but that would block access to named/pool
> > servers. Hence the explicit list of options: to block everything you
> > can without having to list your servers by IP with tailored restricts.
>
> The problem is not in your choosing to do this on an isolated
> private server. The problem is in publicly recommending that others
> do as you have done, when they are much more likely to not fully
> understand all the consequences.
>
> We have to be careful what kind of behaviour that we recommend
> that others follow.
Sure, I simply disagreed with Steve Kostecke's comment:
If you do want to use restrictions you will not be able to
use server host names that resolve to multiple IP addresses (e.g.
*.pool.ntp.org).
I think it is not necessary to run one's own ntpd as an open server
just to use the pool servers.
--
Ronan Flood <R.Flood at noc.ulcc.ac.uk>
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)
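A configuration sketch of the positions argued in this thread, added here and not part of the original message: it assumes an ntpd new enough to have the "restrict source" keyword (4.2.8 has it), and the pool names below are placeholders for whatever upstreams you actually configure.

```conf
# ntp.conf fragment (added example, not from the thread)

# 1. Too strict for a client using named/pool upstreams: "ignore" drops
#    every packet from any address that has no more specific restrict
#    line, including the replies from the servers named below, so ntpd
#    never synchronises unless each upstream's IP gets its own line.
#restrict default ignore
#server 0.pool.ntp.org
#server 1.pool.ntp.org

# 2. The older compromise: refuse control (nomodify/noquery/notrap) and
#    peering, but do not "ignore", so upstream replies still get in.
#    Drawback: any address may still ask this host for time, i.e. it
#    remains a public time server.
#restrict default kod nomodify notrap nopeer noquery
#restrict 127.0.0.1
#server 0.pool.ntp.org
#server 1.pool.ntp.org

# 3. Client-only policy without listing upstream IPs: "restrict source"
#    is attached to each configured server's resolved address, whatever
#    the name resolved to, so the default can stay "ignore".
restrict default ignore
restrict 127.0.0.1
restrict ::1
restrict source nomodify noquery notrap
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
```

To check the result, "ntpq -p" on the host itself should show the upstreams with a nonzero reach column, while a time request from any other host gets no reply.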