On Jun 9, 2011, at 9:20 AM, Rob Janssen wrote:

[ ... ]

> But this discussion was about a monitoring system that sends NTP requests
> from high-numbered ports to port 123 on a distant server.
> It certainly makes sense to use a connection tracking firewall on such a
> system, because if you want to filter using static rules, you will open up
> everything running on the local system and listening on a high-numbered port
> to attackers that use source port 123.
It would save time if you'd read the responses which have already been made to this point. While firewalls today do have a lot more memory available than they did fifteen or twenty years ago when I first ran into this particular issue, one can still easily manage to DoS one's own firewall by overflowing the connection state table as a consequence of handling high-volume NTP or DNS traffic via stateful UDP rules.

Poorly configured firewalls which can't handle the traffic and drop replies, combined with poorly written NTP clients, often end up requesting time from NTP pool servers at abusive rates.

Regards,
-- 
-Chuck

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
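The two approaches the thread is arguing about, written out side by side as an nftables ruleset. This is an added example and is not code from either poster: it assumes a single Linux host running an NTP client that binds its source port to 123 (as ntpd does) plus a monitoring probe that sends from ephemeral ports; the table and chain names are arbitrary. Rule (A) is Rob's static rule and is left commented out because of the exposure he describes; rule (B) is the stateful rule Chuck warns about; the raw table and rule (C) are the narrower alternative for the fixed-port client, which keeps that traffic out of the state table altogether.

```nft
# Added example, not from the original thread. One Linux host, nftables.
# Names are arbitrary. (B) and (C) are both active and do not overlap:
# the notrack rules only match port 123 <-> 123, so the fixed-port NTP
# client bypasses conntrack while the ephemeral-port probe is tracked.

# (C) part 1: keep 123 <-> 123 traffic out of the conntrack table, so a
# high poll rate from the NTP client cannot consume state entries.
table inet raw {
    chain prerouting {
        type filter hook prerouting priority -300;
        udp sport 123 udp dport 123 notrack
    }
    chain output {
        type filter hook output priority -300;
        udp sport 123 udp dport 123 notrack
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop

        # (B) stateful: each outbound query from a new ephemeral port, or to
        # a new server, costs one conntrack entry that lives for
        # net.netfilter.nf_conntrack_udp_timeout seconds after the last
        # packet. At R queries/s from fresh ports that is roughly
        # R * timeout live entries; once net.netfilter.nf_conntrack_max is
        # reached new entries fail, replies are dropped, and a client that
        # retries immediately turns into the abusive poller described above.
        ct state established,related accept

        # (A) static, as Rob describes: no state needed, but anyone who sets
        # their source port to 123 reaches every UDP listener on ports
        # 1024-65535 on this host. Left disabled for that reason.
        # udp sport 123 udp dport 1024-65535 accept

        # (C) part 2: static but narrow, matching the notrack rules above.
        # Untracked replies never match "ct state established", so they
        # need this explicit accept. A spoofed sport-123 packet now reaches
        # only the NTP client's own socket, which must still validate
        # replies itself (origin timestamp check, authentication if used).
        udp sport 123 udp dport 123 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        udp dport 123 accept
    }
}
```

Load it with `nft -f` and watch `/proc/sys/net/netfilter/nf_conntrack_count` against `nf_conntrack_max` while the probe runs; if the count climbs toward the limit, the probe's poll rate multiplied by the UDP timeout is the number to bring down, either by reusing one socket per target or by lowering the rate.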
