On Fri, 14 Feb 2014 05:18:35 +0600 Nyamul Hassan <[email protected]> wrote:
> From the documentation, and all literature that I can find on the
> internet, it seems any remote client who needs to talk to our NTP
> servers on UDP 123, must also originate the request from UDP 123.
> Considering this, we have firewalled any traffic for/from UDP 123 on
> our servers that does not start/end in UDP 123 on the remote machines.
>
> Could someone confirm if this is correct? Or are we blocking
> legitimate requests as well?

This is an incorrect assumption. While many systems, particularly those based on the ntpd reference implementation, do just as you describe, others may not, for at least a couple of reasons.

One reason is simply that different implementations may use a different source port selection strategy. I believe openntpd.org, for example, is just such an implementation.

Another reason is NAT/PAT gateways that rewrite source ports between some address/port perimeter where NTP traffic may traverse.

It is also the case, but probably less important for your purposes, that expected and legitimate mode 6/7 messages from tools such as ntpdc and ntpq would use other ports.

John

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
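As an added illustration of the point made in the reply above (this is example code, not part of the original thread or of any NTP implementation), the script below builds minimal NTP headers and runs a constructed mix of inbound flows through two filter rules: the "source port must also be 123" rule from the question, and a rule that matches on destination port only. The addresses, port numbers and flow names are made up; nothing is sent on the network. It shows that the source-port-locked rule drops clients that pick an ephemeral source port, clients whose source port was rewritten by NAT/PAT, and mode 6/7 control queries, while only the reference-ntpd-style 123-to-123 client gets through.

```python
"""Constructed example: why an NTP server firewall must not require UDP source port 123.

All flows below are made up; nothing is sent on the wire.
"""
import struct
from dataclasses import dataclass

NTP_PORT = 123


def ntp_packet(mode: int, version: int = 4) -> bytes:
    """Build a minimal 48-byte NTP header (RFC 5905 layout).

    Byte 0 packs LI (2 bits) | VN (3 bits) | Mode (3 bits); the remaining
    fields are zeroed, which is enough for the filtering decision shown here.
    """
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # stratum, poll, precision, then root delay, root dispersion, reference ID
    # and four 64-bit timestamps (as eight 32-bit words): 48 bytes total.
    return struct.pack("!BBBb11I", li_vn_mode, 0, 0, 0, *([0] * 11))


def ntp_mode(payload: bytes) -> int:
    """Return the 3-bit mode: 3 = client, 4 = server, 6 = control (ntpq), 7 = private (ntpdc)."""
    return payload[0] & 0x07


@dataclass(frozen=True)
class Flow:
    name: str
    src_port: int
    dst_port: int
    payload: bytes


def source_port_locked(flow: Flow) -> bool:
    """The rule from the question: accept only 123 -> 123 (drops ephemeral-port clients)."""
    return flow.src_port == NTP_PORT and flow.dst_port == NTP_PORT


def destination_port_only(flow: Flow) -> bool:
    """Corrected inbound rule: match on the destination port only. Replies to the
    client are returned by the firewall's connection tracking, not by a
    source-port match, so the client's source port never needs to be 123."""
    return flow.dst_port == NTP_PORT


# Constructed traffic mix as seen by the server's inbound filter (hypothetical ports).
FLOWS = [
    Flow("ntpd client (fixed sport 123)", 123, 123, ntp_packet(mode=3)),
    Flow("openntpd-style client (ephemeral sport)", 54321, 123, ntp_packet(mode=3)),
    Flow("client behind NAT/PAT (sport rewritten)", 40017, 123, ntp_packet(mode=3)),
    Flow("ntpq mode 6 control query", 51200, 123, ntp_packet(mode=6)),
    Flow("ntpdc mode 7 private query", 51201, 123, ntp_packet(mode=7)),
]


def compare_rules(flows=FLOWS):
    """Return {flow name: (accepted by sport-locked rule, accepted by dport-only rule, mode)}."""
    return {
        f.name: (source_port_locked(f), destination_port_only(f), ntp_mode(f.payload))
        for f in flows
    }


if __name__ == "__main__":
    for name, (locked, dport_only, mode) in compare_rules().items():
        verdict_locked = "ACCEPT" if locked else "DROP"
        verdict_dport = "ACCEPT" if dport_only else "DROP"
        print(f"{name:45} mode={mode}  sport-locked={verdict_locked:6}  dport-only={verdict_dport}")
```

Whether mode 6/7 queries should be answered at all is a separate policy decision (the reference implementation's `restrict` configuration is the usual place for it); the filtering point here is only that source port 123 is not a reliable discriminator for legitimate NTP traffic.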
