Steve Bellovin <smb @
# I haven't looked at NTP yet; none of the clients I've set up firewalls
# for have requested it. If it uses a random port for one end of the
# connection, I don't see any safe way to let NTP traffic through a
# firewall that only looks at destination addresses; if you do, you'll
# also end up exposing all RPC-based services, like YP and so forth.
# The essential use of ntp -- keeping time synchronization -- uses port 123
# on both ends. But other uses -- queries to remote time servers, or
# forcing the right time when rebooting -- use random inside ports.
Then we should be able to deal with NTP the same way we deal with DNS:
allow server-to-server connections, and to hell with client-to-server
connections across the filtering wall. There are good reasons that
you might want to do client-to-server DNS connections across a filtering
wall (using "nslookup" or "dig" to try to track down how your server
is getting bogus data from another server on the other side of the
filter, for instance), but I don't know if that's such an issue for NTP.
Brent Chapman Great Circle Associates
COM 1057 West Dana Street
+1 415 962 0841 Mountain View, CA 94041
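The port-based distinction the thread turns on, as an added example that is not part of the original exchange: a toy first-match packet filter compared under two hypothetical policies, the server-to-server-only rule (UDP 123 on both ends) versus a looser rule that also admits any UDP sourced from port 123 so client queries from random inside ports get their replies. Packets, port numbers other than 123 and 111 (sunrpc portmapper), and rule names are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    sport: int   # source port
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        pairs = ((self.proto, p.proto), (self.sport, p.sport), (self.dport, p.dport))
        return all(want is None or want == got for want, got in pairs)


def decide(policy: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


# Server-to-server only: NTP peering uses port 123 on both ends, like the DNS approach.
STRICT = [Rule("allow", proto="udp", sport=123, dport=123)]

# Loose (hypothetical): also let in any UDP from source port 123 so that a client query
# from a random inside port gets its reply back through the filter.
LOOSE = [Rule("allow", proto="udp", dport=123), Rule("allow", proto="udp", sport=123)]

# Constructed sample traffic; only ports matter to this filter.
PEER_SYNC = Packet("udp", 123, 123)      # server-to-server time synchronization
CLIENT_Q = Packet("udp", 40123, 123)     # query from an inside host, random source port
CLIENT_R = Packet("udp", 123, 40123)     # the reply to that query
RPC_PROBE = Packet("udp", 123, 111)      # outside packet sourced from 123 at the portmapper


def compare(packets):
    """Map each sample name to (strict decision, loose decision)."""
    return {name: (decide(STRICT, p), decide(LOOSE, p)) for name, p in packets.items()}
```

Under the loose policy the reply to a client query gets through, but so does the packet aimed at the portmapper, which is the RPC exposure the quoted message warns about; the strict policy blocks both and keeps only peer synchronization.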