Hello, Fabian,

> ntpd is doing the rate limiting by itself just fine. You do not need
> to have a firewall in front of it for doing rate limiting.

I disagree. This is true only if you have a VERY recent version of ntpd. So recent, it hasn't been released, at least not as of Dec 17. Compare http://lists.ntp.org/pipermail/pool/2013-December/006724.html .

Older versions of ntpd keep state only for 600 clients. If you have more clients than that, the built-in rate limiting of ntpd becomes overloaded. You are likely to have more clients than that, once you let your ntpd enter the pool.

On my particular pool ntpd, I enforce an iptables rate limit of "less than 10 packets in 50 seconds". This rate limiting simply drops all packets from clients as long as they send faster than that. I have described my setup in some length at http://lists.ntp.org/pipermail/pool/2013-December/006720.html .

Right now, while I write this, my iptables-level rate limiting has 1345 clients on record that have tried to send faster than that.

The problem: Many of the clients out there are so ill behaved that they keep at it, at short intervals, if no answer ever comes back. My rate limiting causes some 18% of the total incoming NTP traffic to be dropped. In essence, both my rate limiting and those clients play a rather pointless game. They are both following the old management rule ;-) "If it doesn't work, do more of the same."

Regards,
Andreas

_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool
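An added simulation (not part of Andreas's post or of the setup he links) of the per-client behaviour described above; it assumes the limit is implemented like the iptables `recent` match with `--update`, so a dropped packet still refreshes the client's record and a client that keeps sending stays blocked until it has been quiet for a whole window.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 50      # the "50 seconds" from the post
MAX_ALLOWED = 9          # "less than 10 packets" per window


class RecentStyleLimiter:
    """Per-source rate limit modelled on the iptables `recent` match used
    as --update --seconds 50 --hitcount 10 (assumption: that is how the
    linked setup works). Every packet, accepted or dropped, is recorded,
    so a client is only admitted again after a full quiet window."""

    def __init__(self, window=WINDOW_SECONDS, max_allowed=MAX_ALLOWED):
        self.window = window
        self.max_allowed = max_allowed
        self.hits = defaultdict(deque)   # source -> timestamps in window

    def accept(self, src, now):
        q = self.hits[src]
        while q and now - q[0] > self.window:   # forget expired hits
            q.popleft()
        allowed = len(q) < self.max_allowed     # fewer than 9 prior hits
        q.append(now)                           # recorded even on drop
        return allowed


def simulate(limiter, packets):
    """packets: iterable of (time, source). Returns {src: (accepted, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(packets):
        stats[src][0 if limiter.accept(src, t) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}


def drop_share(stats):
    """Fraction of all packets dropped, the figure the post quotes as 18%."""
    accepted = sum(a for a, _ in stats.values())
    dropped = sum(d for _, d in stats.values())
    return dropped / (accepted + dropped)


def demo():
    # Constructed traffic for ten minutes (not measured data):
    #  "good"  polls every 64 s, as a sane ntpd client does;
    #  "bad"   polls every second and never backs off when unanswered;
    #  "burst" sends 20 packets in two seconds, then polls every 64 s.
    packets = [(t, "good") for t in range(0, 600, 64)]
    packets += [(t, "bad") for t in range(600)]
    packets += [(t / 10, "burst") for t in range(20)]
    packets += [(64 * n, "burst") for n in range(1, 10)]
    return simulate(RecentStyleLimiter(), packets)


if __name__ == "__main__":
    stats = demo()
    print(stats, f"{drop_share(stats):.0%} of all packets dropped")
```

The "bad" client is admitted nine times and then never again while it keeps polling every second, which is the pointless game the post describes; the "burst" client recovers as soon as it has been quiet for one window.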
