>> it seems any remote client who needs to talk to our NTP servers on
>> UDP 123, must also originate the request from UDP 123.
>> Could someone confirm if this is correct? Or are we blocking
>> legitimate requests as well?

> You are blocking legitimate requests as well. One example: traffic
> coming from behind NAT firewalls. NAT changes the source port to some
> other port.

Opinions differ on how `legitimate' such traffic is. My own stance is that anyone doing NAT has earned any resulting brokenness by deliberately corrupting packets in transit. However, I don't think any spec calls for the use of port 123 on both ends of NTP traffic, so even if you agree with my stance I see no reason to think all non-123/123 traffic is due to NAT. That is, at best you're using a heuristic that mostly works - no worse than any other heuristic, but no better, either, really.

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
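An added example (not from the thread or the NTP project) of how an operator could measure what the 123/123 rule discussed above actually rejects: it reads iptables-style LOG lines for inbound NTP traffic, compares the strict source-port-123 rule against a destination-port-only rule, and lists the client addresses that the strict rule would turn away. The log prefix `NTP_IN` and the sample addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in iptables LOG format (logged before the accept/drop
# decision); addresses and prefix are made up for this example.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw kernel: NTP_IN IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=123 DPT=123 LEN=76
Mar  1 10:00:02 fw kernel: NTP_IN IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP SPT=41233 DPT=123 LEN=76
Mar  1 10:00:03 fw kernel: NTP_IN IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP SPT=41234 DPT=123 LEN=76
Mar  1 10:00:04 fw kernel: NTP_IN IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP SPT=123 DPT=123 LEN=76
Mar  1 10:00:05 fw kernel: NTP_IN IN=eth0 OUT= SRC=198.51.100.20 DST=203.0.113.5 PROTO=TCP SPT=55012 DPT=123 LEN=60
Mar  1 10:00:06 fw kernel: NTP_IN IN=eth0 OUT= SRC=198.51.100.21 DST=203.0.113.5 PROTO=UDP SPT=55012 DPT=123 LEN=76
"""

FIELD_RE = re.compile(r"\b(SRC|PROTO|SPT|DPT)=(\S+)")

def parse_line(line):
    """Extract the fields we need from one LOG line; None if any is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "PROTO", "SPT", "DPT")):
        return None
    return {"SRC": fields["SRC"], "PROTO": fields["PROTO"],
            "SPT": int(fields["SPT"]), "DPT": int(fields["DPT"])}

def passes_strict_rule(pkt):
    """The rule from the thread: UDP to 123 accepted only if it also comes FROM 123."""
    return pkt["PROTO"] == "UDP" and pkt["DPT"] == 123 and pkt["SPT"] == 123

def passes_dport_rule(pkt):
    """Destination-port-only rule: any source port, which NAT'd clients need."""
    return pkt["PROTO"] == "UDP" and pkt["DPT"] == 123

def audit_ntp_log(log_text):
    """Count NTP requests by source port class and collect the addresses that the
    strict rule would reject but the dport-only rule would serve."""
    stats = Counter()
    affected = set()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or not passes_dport_rule(pkt):
            stats["not_ntp_udp"] += 1   # non-UDP or not aimed at port 123
            continue
        if passes_strict_rule(pkt):
            stats["sport_123"] += 1
        else:
            stats["sport_other"] += 1   # rejected by the 123/123 rule
            affected.add(pkt["SRC"])
    return stats, sorted(affected)

if __name__ == "__main__":
    counts, clients = audit_ntp_log(SAMPLE_LOG)
    print(dict(counts), clients)
```

Run against a real LOG feed, the `sport_other` count is the traffic the strict rule silently drops; the thread's point is that those sources are not necessarily all NAT'd.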
