Hello, Hassan, if your server is intended to be a _public_ server, that is, reachable from outside your own private network, you should not restrict requests to source port 123.
I disagree with Mouse's position that one need not bother to serve clients behind NAT. (From where I come from, I consider that a minority and rather extreme position.)

If another argument is still needed, blocking requests with source port different from 123 essentially says: the common "ntpdate" utility generates illegitimate traffic when operated with "-d". Personally, I have at times used "ntpdate -d" with several ntp servers to quickly compare how well they agree.

I'd say: rate limiting is the way to go. I personally used iptables for a while, but am back to doing it inside ntpd, so that "KOD" packets are sent. Do not block on anything that can be forged easily.

Regards,
Andreas

On 14.02.2014 00:18, Nyamul Hassan wrote:
> Hi,
>
> Our public NTP servers have started receiving an inordinate amount of NTP
> requests. In order to mitigate the problem, we find that a lot of these
> queries are originating from or being sent to ports other than 123.
>
> From the documentation, and all literature that I can find on the internet,
> it seems any remote client who needs to talk to our NTP servers on UDP 123,
> must also originate the request from UDP 123. Considering this, we have
> firewalled any traffic for/from UDP 123 on our servers that does not
> start/end in UDP 123 on the remote machines.
>
> Could someone confirm if this is correct? Or are we blocking legitimate
> requests as well?
>
> Regards
> HASSAN
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
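The ntpd-side rate limiting with Kiss-o'-Death replies that the reply above recommends, as an added ntp.conf fragment for a public pool server (example configuration written for this thread, not taken from either poster; the discard thresholds are assumed values chosen for illustration, not ntpd's defaults, and the upstream server names are placeholders):

```conf
# Added example: public NTP server that rate-limits abusive clients
# inside ntpd instead of filtering on the (easily forged) UDP source port.
# Assumption: ntpd 4.2.6 or later; server names below are placeholders.

# Upstream sources (replace with your real peers / pool servers).
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

# Default policy for every remote address:
#   limited  - drop packets from a source that exceeds the discard limits
#   kod      - additionally answer an over-limit source with a KoD packet
#              ("RATE") so well-behaved clients back off; kod has no effect
#              without limited
#   nomodify - refuse runtime configuration changes (ntpq/ntpdc)
#   noquery  - refuse status/monitoring queries (also closes the monlist
#              amplification vector on old versions)
#   notrap   - refuse trap service
#   nopeer   - refuse unsolicited peer associations
# Note: NO source-port restriction here. Clients behind NAT and tools
# such as "ntpdate -d" legitimately arrive from ports other than 123.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Local management from the host itself stays unrestricted.
restrict 127.0.0.1
restrict -6 ::1

# Rate-limit thresholds used by "limited"/"kod" (values are assumptions
# for this example, tune to your traffic):
#   average 4  -> long-term average interval of 2^4 = 16 s between
#                 packets from one source before it is considered abusive
#   minimum 2  -> never answer two packets from one source closer than 2 s
#   monitor 0  -> keep a full MRU list; raise if memory becomes a concern
discard average 4 minimum 2 monitor 0
```

With `limited` in place the abusive source is silently dropped past the threshold, and with `kod` it also receives a RATE kiss code; neither depends on any value in the packet that a spoofing sender controls.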
