On Thu, Aug 23, 2012 at 20:40 UTC, Daniel Frank <[email protected]> wrote:
> On Wed, 22 Aug 2012 08:37:10 -0500, Andy Wright <[email protected]>
> wrote:
>> You could also use the "limit" restriction in NTP.
>
> That sounds good, but will put additional load on ntpd, if not combined
> with a firewall.

I believe the opposite is true--if you want to minimize overall work, let ntpd handle ignoring abusive clients. In your configuration, both the packet filter and ntpd are maintaining per-client-address state, and both are doing work for successful queries. If you allow the packet filter to pass all incoming traffic to and responses from port 123, only ntpd will need per-client state and work.

Note that ntpd keeps state even without a "limited" restriction, as the state is also used to service mrulist (formerly monlist) queries from ntpq (formerly ntpdc).

Cheers,
Dave Hart
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
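
Added example (not part of the original message and not from the NTP project): an ntp.conf fragment that leaves the rate limiting to ntpd, as the reply suggests. It assumes the packet filter passes UDP port 123 in both directions with no per-source rules; the discard values are ntpd's documented defaults, written out explicitly.

```conf
# ntp.conf fragment: ntpd is the only component keeping per-client state.
# Assumption: the packet filter passes UDP/123 in and out without any
# per-source rate-limit or tracking rule of its own.

# "limited" drops packets from clients that exceed the discard rates below.
# "kod" sends a Kiss-o'-Death reply to such clients; it only takes effect
# together with "limited".
# "noquery" refuses ntpq/ntpdc queries (mrulist/monlist included) from
# remote hosts, while time service itself is still answered.
restrict -4 default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery

# Local administration stays unrestricted, so the per-client list can be
# inspected from the server itself with ntpq.
restrict 127.0.0.1
restrict ::1

# Rate thresholds applied by "limited":
#   average 3 -> minimum average spacing between packets of 2^3 = 8 s
#   minimum 2 -> minimum spacing between two packets (guard time) of 2 s
discard average 3 minimum 2
```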
