[Pool] Firewall recommendations for ntp server?

Tore Anderson tore at fud.no
Fri May 8 05:10:27 UTC 2015

* <mrex at tranzeo.com>

> 3. Disable connection tracking altogether (I think the best solution,
> no?)

This. At least do it just for your NTP traffic. Since NTP is UDP,
there's in reality no "connections" to track, and netfilter can't
remove an active flow immediately after it's over (since UDP, unlike
TCP, gives no hint to third-party observers like netfilter that "this
conversation is over"). So they all have to time out instead.

Something like this ought to do the trick:

for ipt in iptables ip6tables; do  # same rules for IPv4 and IPv6
  $ipt -t raw -I PREROUTING -p udp --dport ntp -j NOTRACK  # inbound NTP: skip conntrack
  $ipt -t raw -I OUTPUT     -p udp --sport ntp -j NOTRACK  # outbound NTP replies
done
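An added example, not part of Tore's message: the same raw-table NOTRACK rules applied idempotently for both address families, with a dry-run preview so the rule set can be reviewed before touching the firewall. It assumes `iptables`/`ip6tables` with the raw table available and root when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: exempt NTP (UDP/123) from netfilter connection tracking.
# Default is a dry run that prints the commands; APPLY=1 (as root) installs them.

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Insert one raw-table rule only if it is not already present (-C checks),
# so the script can be re-run without stacking duplicate rules.
ensure_rule() {
    ipt=$1; chain=$2; shift 2
    if [ -n "${DRY_RUN:-}" ] || ! "$ipt" -t raw -C "$chain" "$@" 2>/dev/null; then
        run "$ipt" -t raw -I "$chain" "$@"
    fi
}

# NOTRACK in both directions, for IPv4 and IPv6 (port 123 used instead of the
# service name so the rules do not depend on /etc/services).
notrack_ntp() {
    for tool in iptables ip6tables; do
        ensure_rule "$tool" PREROUTING -p udp --dport 123 -j NOTRACK   # inbound queries
        ensure_rule "$tool" OUTPUT     -p udp --sport 123 -j NOTRACK   # outbound replies
    done
}

# Number of NOTRACK rules a dry run emits: two chains x two families = 4.
count_dry_run_rules() {
    (DRY_RUN=1; notrack_ntp) | grep -c -- '-j NOTRACK'
}

if [ "${APPLY:-0}" = 1 ]; then
    notrack_ntp
else
    (DRY_RUN=1; notrack_ntp)
fi
```

After applying, `iptables -t raw -S` and `ip6tables -t raw -S` should each list exactly one PREROUTING and one OUTPUT NOTRACK rule no matter how many times the script is run.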
