Hi, I found out that most so-called "bozos that query every second" were in fact proxies that give access to the internet to several machines through 1 IP.

Obviously, the proxy admin should set up their own ntp servers, but here is a tip for proxy configuration (MASQUERADE types) for well-aware proxy admins (I don't remember seeing it elsewhere):

TIP: catch all outgoing connections to ports 123, 37 and 13 and redirect them to your own ntp servers. This way, it doesn't matter how the machines you are fronting are configured, they all end up querying your own ntp servers. So zero reconfiguration of your client machines is needed; clients do not need to be reconfigured with your own ntp servers' IPs.

In linux it looks like this; it depends on your network set-up. This could be extended to any outgoing router even if it doesn't masquerade the packets.

    IPTABLES=/sbin/iptables          # path to the iptables binary
    NTP_IP=<your ntp server IP>      # shell variable names cannot contain "-"
    EXTIF3=<your network interface to your client machines>

    for redirport in 123 37 13
    do
        # allow the (redirected) tcp queries arriving from the client side to be forwarded
        $IPTABLES -A FORWARD -i $EXTIF3 -p tcp --dport $redirport -m state \
            --state NEW,ESTABLISHED,RELATED -j ACCEPT
        # rewrite the destination of every tcp time query, except those sent by
        # the ntp server itself (it must still reach its upstream servers)
        $IPTABLES -t nat -A PREROUTING -p tcp ! -s $NTP_IP -d 0.0.0.0/0 --dport $redirport \
            -j DNAT --to-destination $NTP_IP:$redirport
        # same for udp, which is what ntp normally uses
        $IPTABLES -A FORWARD -i $EXTIF3 -p udp --dport $redirport -m state \
            --state NEW,ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -t nat -A PREROUTING -p udp ! -s $NTP_IP -d 0.0.0.0/0 --dport $redirport \
            -j DNAT --to-destination $NTP_IP:$redirport
    done

Louis Goulet
[EMAIL PROTECTED]
cell: (418) 564-3527

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
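The following script is an added example illustrating the redirect described in the post above; it is not Louis Goulet's code and not part of the original message. It generates the iptables commands as text so a router admin can review them (or count them) before applying anything, and it defaults to a dry run. Two changes from the post's rules are deliberate: the nat rule also matches on the client-facing interface (`-i`), so queries the router sends itself and traffic arriving on the WAN side are never rewritten, and the modern `-m conntrack --ctstate` / `! -s` spellings are used. The interface name `eth1` and the server address `192.0.2.10` (a documentation address) are constructed placeholders, as is the `DRY_RUN` variable.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) gateway rules that redirect
# client time queries on ports 123/37/13 to a local NTP server.
# Assumed values: LAN_IF "eth1" and NTP_IP "192.0.2.10" are placeholders.

LAN_IF="${LAN_IF:-eth1}"          # interface facing the client machines
NTP_IP="${NTP_IP:-192.0.2.10}"    # local NTP server that receives the redirected queries
TIME_PORTS="123 37 13"            # ntp, time and daytime
IPTABLES="${IPTABLES:-iptables}"

# Print the two rules (forward accept + nat redirect) for one protocol/port.
# "! -s $NTP_IP" keeps the NTP server's own upstream queries from looping back,
# and "-i $LAN_IF" limits the rewrite to traffic coming from the client side.
rules_for_port() {
    proto=$1
    port=$2
    printf '%s\n' "$IPTABLES -A FORWARD -i $LAN_IF -p $proto --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$IPTABLES -t nat -A PREROUTING -i $LAN_IF -p $proto ! -s $NTP_IP --dport $port -j DNAT --to-destination $NTP_IP:$port"
}

# Emit the complete rule set: udp and tcp for every time port.
redirect_rules() {
    for port in $TIME_PORTS; do
        for proto in udp tcp; do
            rules_for_port "$proto" "$port"
        done
    done
}

# Number of rules that would be installed (3 ports x 2 protocols x 2 rules).
rule_count() {
    redirect_rules | wc -l | tr -d ' '
}

# Apply the rules (requires root). With DRY_RUN unset or 1 the commands are
# only printed, so the rule set can be reviewed first.
apply_rules() {
    redirect_rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf 'would run: %s\n' "$cmd"
        else
            $cmd
        fi
    done
}

apply_rules
```

Run it as `sh ntp-redirect.sh` to see the planned commands, then `DRY_RUN=0 sh ntp-redirect.sh` as root to install them. Because ports 37 and 13 are also redirected, the local server must actually answer the time and daytime protocols on those ports, otherwise clients using them get a refused or dropped connection instead of a reply; `iptables -t nat -L PREROUTING -v -n` shows per-rule packet counters, which is a quick way to confirm the redirect is being hit.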
