[ntp:questions] Re: Configuring a server and clients behind a firewall
ronan at noc.ulcc.ac.uk
Wed Feb 2 18:00:01 UTC 2005
Steve Kostecke <kostecke at ntp.isc.org> wrote:
> If you wish to use any remote time server hostname which resolves to
> multiple IP addresses you will not be able to use a default restriction
> which blocks time service (e.g. "ignore" or "noserve") unless you
> include "relaxed" restriction lines, or exceptions, for all possible IP
> addresses that hostname resolves to. This is hardly practical with the
> pool servers.
Yes, I realise this now -- see my apologetic post :-/
Seems to me that "noserve" would be more useful if it did block client
requests for time but allowed server responses for time, as I thought.
> There are other ways to control access to your ntpd besides
> restrictions. You could place your ntpd behind a firewall which only
> admits replies to internally initiated connections. This would allow you
> to use the pool servers but would prevent external access to your ntpd
> without the use of any ntpd restrictions.
Aye, a stateful firewall. I have similar in place on some DNS servers.
Ronan Flood <R.Flood at noc.ulcc.ac.uk>
working for but not speaking for
Network Services, University of London Computer Centre
(which means: don't bother ULCC if I've said something you don't like)
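
Added example, not part of the original posts: a Python sketch of the per-address exception approach discussed above, showing why exceptions written for a multi-address hostname go stale. The helper names, the choice of `nomodify notrap noquery` as the "relaxed" flags, and the addresses (documentation ranges) are assumptions made for illustration; IPv4 only.

```python
import ipaddress
import socket

# Assumed "relaxed" flags for each exception: time service allowed,
# runtime queries and configuration changes refused.
RELAXED_FLAGS = "nomodify notrap noquery"


def resolve_ipv4(hostname):
    """Return every IPv4 address the name resolves to right now (needs DNS)."""
    infos = socket.getaddrinfo(hostname, 123, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos}, key=ipaddress.ip_address)


def restriction_block(addresses, default="ignore"):
    """Build ntp.conf lines: a blocking default plus one exception per address."""
    lines = [f"restrict default {default}", "restrict 127.0.0.1"]
    for addr in sorted(set(addresses), key=ipaddress.ip_address):
        ipaddress.IPv4Address(addr)  # raises ValueError unless a literal IPv4 address
        lines.append(f"restrict {addr} {RELAXED_FLAGS}")
    return lines


def uncovered(configured, resolved_now):
    """Addresses the name resolves to now that have no exception line,
    so traffic from them is matched by the blocking default."""
    return sorted(set(resolved_now) - set(configured), key=ipaddress.ip_address)


# Constructed sample data standing in for two lookups of the same
# pool-style hostname made some time apart.
LOOKUP_AT_CONFIG_TIME = ["192.0.2.10", "198.51.100.7", "203.0.113.44"]
LOOKUP_LATER = ["192.0.2.10", "198.51.100.200", "203.0.113.9"]

if __name__ == "__main__":
    print("\n".join(restriction_block(LOOKUP_AT_CONFIG_TIME)))
    print("no exception for:", uncovered(LOOKUP_AT_CONFIG_TIME, LOOKUP_LATER))
```

`resolve_ipv4` is provided for comparing a live lookup against the configured exceptions; the sample run uses only the constructed lists, so it works offline.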