[ntp:questions] Re: Configuring a server and clients behind a firewall

Steve Kostecke kostecke at ntp.isc.org
Wed Feb 2 16:31:12 UTC 2005

On 2005-02-02, Ronan Flood <ronan at noc.ulcc.ac.uk> wrote:

> Sure, I simply disagreed with Steve Kostecke's comment:
>   If you do want to use restrictions you will not be able to
>   use server host names that resolve to multiple IP addresses (e.g.
>   *.pool.ntp.org).
> I think it is not necessary to run one's own ntpd as an open server
> just to use the pool servers.

If you wish to use any remote time server hostname which resolves to
multiple IP addreses you will not be able to use a default restriction
which blocks time service (e.g. "ignore" or "noserve") unless you
include "relaxed" restriction lines, or exceptions, for all possible IP
addresses that hostname resolves to. This is hardly practical with the
pool servers.

There are other ways to control access to your ntpd besides
restrictions. You could place your ntpd behind a firewall which only
admits replies to internally initiated connections. This would allow you
to use the pool servers but would prevent external access to your ntpd
without the use of any ntpd restrictions.

Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/

More information about the questions mailing list