> One thing though: I was able to retrieve the time from my e-smith server
> via the Internet!! NTP is enabled on the external interface. Is this the
> way it's meant to be?

I would say, yes, it is intentional, at least from an NTP
design standpoint.  First, I am not sure I see any major
risk with it being exposed.  I guess worst case people are
syncing off your server, but there are so many public
servers available that is unlikely (and it is only a minor
annoyance).  I don't know of any NTP specific exploits.

Second, the way NTP is designed to work, though clearly a
typical e-smith server would not take advantage of it, is to
set up a server and peer "subnet" to maintain accurate time
with redundant paths despite network and/or server outages.
I won't go into the details, but suffice to say that peers
need to communicate with each other if you want 5 9's type
reliability.  For any of my servers it would take a very
serious outage on many different links for a complete loss
of synchronization (they may back down one stratum notch if a
minor outage occurs).  Bottom line, it is incredibly robust
and reliable, which is why so many people can trust it.  See
the xntp doc for more info on NTP subnets if you find it
interesting.

Anyway, not sure I see a downside, and for at least my
purposes, I am glad it isn't.  If someone brings up a good
reason why it should be blocked, I probably would not argue,
as I doubt many (perhaps any) e-smith users other than me
are actually taking advantage of NTP to its fullest.  I am
pretty sure the way the ntp.conf is configured (with the
keys disabled) that all the remote configuration features
are disabled, but I will take the time to play with that to
be sure.

JP
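
The check JP says he will do by hand (confirming that, with the keys commented out, no remote configuration path is open) can be scripted. The following is an added example, not code from the list poster or from e-smith: a small audit of an ntp.conf that reports whether any key directives (`keys`, `trustedkey`, `controlkey`, `requestkey`) are active and which flags the `restrict default` line applies to unknown sources. The two sample configs are constructed; the first is modelled on the description above (servers set, keys commented out, no restrict lines), the second is a hardened variant. Only the directive names and flag meanings that ntpd's ntp.conf actually uses are assumed; the parser is a simplified line splitter, not the full ntp.conf grammar.

```python
"""Audit an ntp.conf for remote-configuration exposure (added example)."""

# Directives that give ntpd a key with which remote control/config requests
# could be authenticated. With none active there is nothing to authorise
# a remote write, which is the situation the message above describes.
KEY_DIRECTIVES = {"keys", "trustedkey", "controlkey", "requestkey"}

# Constructed sample: keys commented out, no restrict lines at all.
OPEN_CONF = """\
server ntp1.example.com
server ntp2.example.com
driftfile /etc/ntp/drift
# keys /etc/ntp/keys
# trustedkey 1
# controlkey 1
"""

# Constructed sample: keys active, but unknown sources may only ask for time.
HARDENED_CONF = """\
server ntp1.example.com
keys /etc/ntp/keys
trustedkey 1
controlkey 1
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_ntp_conf(text):
    """Return (directive, args) pairs; '#' starts a comment, blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_ntp_conf(text):
    """Summarise key usage and the flags applied to 'restrict default'."""
    entries = parse_ntp_conf(text)
    keys_enabled = any(d in KEY_DIRECTIVES for d, _ in entries)
    default_flags = set()
    for d, args in entries:
        if d != "restrict":
            continue
        # Drop address-family options such as -4 / -6 before looking for 'default'.
        args = [a for a in args if not a.startswith("-")]
        if args and args[0] == "default":
            default_flags.update(a.lower() for a in args[1:])
    return {"keys_enabled": keys_enabled, "default_flags": sorted(default_flags)}


def findings(report):
    """Turn the audit summary into human-readable findings (empty = nothing to flag)."""
    out = []
    flags = set(report["default_flags"])
    if "noquery" not in flags and "ignore" not in flags:
        out.append("warn: status queries are answered for any source "
                   "(no 'noquery' on a 'restrict default' line)")
    if report["keys_enabled"] and "nomodify" not in flags:
        out.append("warn: keys active and 'nomodify' absent: authenticated "
                   "remote reconfiguration is reachable from any source")
    if not report["keys_enabled"]:
        out.append("info: no key directives active, so ntpd has no key with "
                   "which to authenticate remote configuration requests")
    return out


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        report = audit_ntp_conf(conf)
        print(name, report)
        for f in findings(report):
            print("  ", f)
```

Run against the first sample it reports the state JP expects (no active keys, but also no `restrict` line, so status queries are answered to anyone); against the second it reports nothing, because unknown sources are limited to plain time requests while authenticated control stays available locally.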
