Howard Lowndes was once rumoured to have said:
> On Wed, 28 Feb 2001, Crossfire wrote:
>> Howard Lowndes was once rumoured to have said:
>>> Can you do stateful inspections on ntp though? It runs on udp. Is this
>>> possible? You can define what servers you will accept ntp from, but
>>> surely the source IP could be easily spoofed anyway. I don't know how you
>>> would go trying to do an auth transfer from, say, CSIRO.
>>
>> Yes. NTP is a very simple protocol.
>>
>> You open the return path once you send the NTP "request" packet, and
>> close it within a reasonable timeframe. If you're getting a large
>> number of reply packets any other time, you just block, and don't
>> open.
>
> I can see how this would be done if you were using something like cron,
> ipchains and ntpdate to query the server - something like "cron, include
> ipchain ACCEPT rule, ntpdate, sleep for a few seconds, delete ipchain
> rule", but what if you want to do the auto synch thing with your server as
> a strata server. In this case the synch timing is handled by the ntpd
> daemon itself, or perhaps the ntpd daemon shouldn't be used like this.
That's why you use stateful inspection firewalls, not ipchains.
ipchains is completely inflexible in this regard.
C.
--
--==============================================--
Crossfire | This email was brought to you
[EMAIL PROTECTED] | on 100% Recycled Electrons
--==============================================--
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
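The request/reply tracking Crossfire describes, modelled as an added example (not code from the post or from any firewall product): a state table opened by the outbound NTP request, a short reply window, and everything else dropped. The window length, the addresses and the packet sequence are assumed for illustration.

```python
from dataclasses import dataclass

NTP_PORT = 123
REPLY_WINDOW = 5.0  # seconds the return path stays open (assumed "reasonable timeframe")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float  # arrival time in seconds

class StatefulNtpFilter:
    """Admit an NTP reply only if a matching request went out recently. The key
    includes the local port, so a spoofed reply needs the window and the port too."""
    def __init__(self, local_ips, peers, window=REPLY_WINDOW):
        self.local_ips = set(local_ips)
        self.peers = set(peers)  # servers we are willing to take time from
        self.window = window
        self.pending = {}        # (local ip, local port, peer ip) -> expiry time

    def _expire(self, now):
        self.pending = {k: exp for k, exp in self.pending.items() if exp > now}

    def handle(self, pkt):
        self._expire(pkt.ts)
        # Outbound request to a configured peer: open the return path.
        if pkt.src in self.local_ips and pkt.dport == NTP_PORT and pkt.dst in self.peers:
            self.pending[(pkt.src, pkt.sport, pkt.dst)] = pkt.ts + self.window
            return "ACCEPT"
        # Inbound from port 123: accept once if a request is pending, then close the path.
        if pkt.dst in self.local_ips and pkt.sport == NTP_PORT:
            if self.pending.pop((pkt.dst, pkt.dport, pkt.src), None) is not None:
                return "ACCEPT"
        return "DROP"  # late, duplicate, unsolicited, or to/from an unknown peer

def demo():
    """Constructed packet sequence using RFC 5737 documentation addresses."""
    fw = StatefulNtpFilter(local_ips={"192.0.2.10"}, peers={"198.51.100.1"})
    pkts = [
        Packet("192.0.2.10", 40000, "198.51.100.1", NTP_PORT, 100.0),  # request
        Packet("203.0.113.5", NTP_PORT, "192.0.2.10", 40000, 100.1),   # unsolicited
        Packet("198.51.100.1", NTP_PORT, "192.0.2.10", 40000, 100.2),  # real reply
        Packet("198.51.100.1", NTP_PORT, "192.0.2.10", 40000, 100.3),  # duplicate
        Packet("192.0.2.10", 40001, "198.51.100.1", NTP_PORT, 190.0),  # request
        Packet("198.51.100.1", NTP_PORT, "192.0.2.10", 40001, 200.0),  # too late
        Packet("192.0.2.10", 40002, "203.0.113.5", NTP_PORT, 300.0),   # unknown peer
    ]
    return [fw.handle(p) for p in pkts]
```

Because the state is created by the firewall itself from ntpd's own traffic, the daemon needs no cron/ipchains wrapper; serving time to clients would still need a separate inbound allow rule for requests.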