[ntp:questions] Re: Configuring a server and clients behind a firewall

Ronan Flood ronan at noc.ulcc.ac.uk
Wed Feb 2 18:00:01 UTC 2005


Steve Kostecke <kostecke at ntp.isc.org> wrote:

> If you wish to use any remote time server hostname which resolves to
> multiple IP addresses you will not be able to use a default restriction
> which blocks time service (e.g. "ignore" or "noserve") unless you
> include "relaxed" restriction lines, or exceptions, for all possible IP
> addresses that hostname resolves to. This is hardly practical with the
> pool servers.

Yes, I realise this now -- see my apologetic post :-/

Seems to me that "noserve" would be more useful if it did block client
requests for time but allowed server responses for time, as I thought.

> There are other ways to control access to your ntpd besides
> restrictions. You could place your ntpd behind a firewall which only
> admits replies to internally initiated connections. This would allow you
> to use the pool servers but would prevent external access to your ntpd
> without the use of any ntpd restrictions.

Aye, a stateful firewall.  I have similar in place on some DNS servers.

-- 
                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
                        working for but not speaking for
             Network Services, University of London Computer Centre
     (which means: don't bother ULCC if I've said something you don't like)
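
Added example, not part of the original post and not ntpd or firewall code: a small Python model of the two approaches discussed in this thread, per-address exceptions to a blocking default restriction versus a stateful firewall that admits only replies to internally initiated flows. The class names, the 30-second state timeout and all addresses (documentation ranges) are assumptions made for the illustration.

```python
NTP_PORT = 123
STATE_TIMEOUT = 30.0  # seconds a UDP flow entry is kept (assumed value)


class StaticAllowlist:
    """Models per-address exceptions to a blocking default restriction."""

    def __init__(self, addresses_in_config):
        self.allowed = set(addresses_in_config)

    def admit(self, src_ip, src_port, dst_port, now):
        # Only the source address is compared against the fixed list.
        return src_ip in self.allowed


class StatefulFilter:
    """Models a firewall that admits only replies to flows started inside."""

    def __init__(self):
        self.flows = {}  # (remote_ip, remote_port, local_port) -> expiry time

    def outbound(self, dst_ip, dst_port, src_port, now):
        # Record the flow when the internal ntpd sends a query.
        self.flows[(dst_ip, dst_port, src_port)] = now + STATE_TIMEOUT

    def admit(self, src_ip, src_port, dst_port, now):
        expiry = self.flows.get((src_ip, src_port, dst_port))
        return expiry is not None and now <= expiry


def run_scenario():
    # Constructed data: addresses the pool name had when the exceptions were written.
    in_config = ["192.0.2.10", "192.0.2.11"]
    rotated_server = "198.51.100.7"  # what the name resolved to at ntpd startup
    outsider = "203.0.113.50"        # external host never queried by ntpd

    static = StaticAllowlist(in_config)
    stateful = StatefulFilter()
    # ntpd queries the rotated pool server from local port 123 at t=0.
    stateful.outbound(rotated_server, NTP_PORT, NTP_PORT, now=0.0)

    return {
        "static_reply_from_rotated": static.admit(rotated_server, NTP_PORT, NTP_PORT, 1.0),
        "stateful_reply_from_rotated": stateful.admit(rotated_server, NTP_PORT, NTP_PORT, 1.0),
        "stateful_unsolicited_query": stateful.admit(outsider, 40000, NTP_PORT, 1.0),
        "stateful_no_flow_port_123": stateful.admit(outsider, NTP_PORT, NTP_PORT, 1.0),
        "stateful_late_reply": stateful.admit(rotated_server, NTP_PORT, NTP_PORT, 60.0),
    }


if __name__ == "__main__":
    for name, admitted in run_scenario().items():
        print(f"{name}: {'admit' if admitted else 'drop'}")
```

The static list drops the legitimate reply once the pool rotates, while the flow table admits it and still drops traffic from hosts ntpd never queried.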
