On Sat, Feb 15, 2014 at 9:20 AM, Andreas Krüger <[email protected]> wrote:

> Hello, Hassan,
>
> if your server is intended to be a _public_ server, that is, reachable
> from outside your own private network, you should not restrict requests
> to source port 123.
>
> I disagree with Mouse's position that one need not bother to serve
> clients behind NAT. (From where I come from, I consider that a minority
> and rather extreme position.)
>
> If another argument is still needed, blocking requests with source port
> different from 123 essentially says: The common "ntpdate" utility
> generates illegitimate traffic when operated with "-d".

Thanks to a friend for digging up the relevant portion of the RFC:

http://tools.ietf.org/html/rfc958#appendix-A

The source port only needs to be 123 in symmetric mode. Blocking
requests with a source port of 123 isn't choosing to accommodate NAT;
it has little to do with NAT. It's ignoring the RFC and dropping
requests from legitimate clients that don't set up a symmetric
association.

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
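To make the point concrete, here is an added example (not code from the thread, from ntpdate or from the ntp project) in Python. It builds a 48-byte client-mode (mode 3) NTP header, reads the mode field back out of the first byte (LI/VN/Mode, as in RFC 5905), and runs constructed datagrams through two filter rules side by side: the "source port must be 123" rule under discussion, and a rule that demands source port 123 only for the symmetric modes (1 and 2) and accepts client-mode requests from any port. The port numbers and the labels on the sample traffic are constructed assumptions; the claim that ntpdate -d sends from a non-123 port is taken from the quoted message. query_server does a real exchange from a kernel-chosen ephemeral port, but only if you call it.

```python
import socket
import struct
import time
from dataclasses import dataclass

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)

# Mode field values from the NTP header (RFC 5905, section 7.3)
MODE_SYMMETRIC_ACTIVE = 1
MODE_SYMMETRIC_PASSIVE = 2
MODE_CLIENT = 3
MODE_SERVER = 4


def build_ntp_packet(mode=MODE_CLIENT, version=4, unix_time=None):
    """Build a minimal 48-byte NTP header: LI=0, version, mode, and the transmit timestamp."""
    if not 0 <= mode <= 7:
        raise ValueError("mode is a 3-bit field")
    if unix_time is None:
        unix_time = time.time()
    whole = int(unix_time)
    ntp_secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    ntp_frac = int((unix_time - whole) * (1 << 32)) & 0xFFFFFFFF
    first_byte = (0 << 6) | (version << 3) | mode
    # first byte, stratum, poll, precision, root delay, root dispersion, reference id,
    # reference/origin/receive timestamps (left zero), transmit timestamp
    return struct.pack("!BBBbIII8s8s8sII", first_byte, 0, 0, 0, 0, 0, 0,
                       b"\0" * 8, b"\0" * 8, b"\0" * 8, ntp_secs, ntp_frac)


def ntp_mode(packet):
    """Mode is the low three bits of the first header byte."""
    return packet[0] & 0x07


def ntp_version(packet):
    return (packet[0] >> 3) & 0x07


@dataclass(frozen=True)
class Datagram:
    """Just the fields a port-based filter can see on an inbound UDP datagram."""
    src_port: int
    dst_port: int
    payload: bytes


def strict_source_port_filter(d):
    """The rule under discussion: accept NTP only if the client's source port is also 123."""
    return d.dst_port == NTP_PORT and d.src_port == NTP_PORT


def mode_aware_filter(d):
    """Require source port 123 only for symmetric modes; accept client-mode requests from any port."""
    if d.dst_port != NTP_PORT or len(d.payload) < 48:
        return False
    mode = ntp_mode(d.payload)
    if mode in (MODE_SYMMETRIC_ACTIVE, MODE_SYMMETRIC_PASSIVE):
        return d.src_port == NTP_PORT
    return mode == MODE_CLIENT


# Constructed sample traffic (not captured); ports other than 123 are arbitrary ephemeral values.
SAMPLE_TRAFFIC = {
    "client from ephemeral port (ntpdate -d, NAT'd client)": Datagram(51234, NTP_PORT, build_ntp_packet(MODE_CLIENT)),
    "client from port 123 (privileged client)": Datagram(NTP_PORT, NTP_PORT, build_ntp_packet(MODE_CLIENT)),
    "symmetric active peer": Datagram(NTP_PORT, NTP_PORT, build_ntp_packet(MODE_SYMMETRIC_ACTIVE)),
    "symmetric active from ephemeral port": Datagram(40000, NTP_PORT, build_ntp_packet(MODE_SYMMETRIC_ACTIVE)),
    "short garbage to port 123": Datagram(40001, NTP_PORT, b"\x1b"),
}


def compare_filters(traffic=SAMPLE_TRAFFIC):
    """Return {label: (strict_verdict, mode_aware_verdict)} so the two rules can be compared."""
    return {label: (strict_source_port_filter(d), mode_aware_filter(d)) for label, d in traffic.items()}


def query_server(host, timeout=2.0):
    """Real client-mode exchange from an ephemeral port; returns the reply's mode and transmit time (Unix seconds)."""
    req = build_ntp_packet(MODE_CLIENT)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, NTP_PORT))  # no bind(): the kernel picks an ephemeral source port
        reply, _ = s.recvfrom(48)
    xmt_secs = struct.unpack("!I", reply[40:44])[0]
    return ntp_mode(reply), xmt_secs - NTP_EPOCH_OFFSET


if __name__ == "__main__":
    for label, (strict, aware) in compare_filters().items():
        print(f"{label:55s} strict={'pass' if strict else 'DROP'}  mode-aware={'pass' if aware else 'DROP'}")
```

The only row where the two rules disagree is the client-mode request from an ephemeral port: the strict rule drops it, the mode-aware rule passes it, and that row is exactly what an ordinary unprivileged client (or one behind a NAT that rewrites source ports) looks like on the wire. Both rules still reject a symmetric-mode packet that does not come from port 123.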
