On 3/20/07, Koos van den Hout <[EMAIL PROTECTED]> wrote:
> > way I can configure all clients to use *.us.pool.ntp.org time servers
> > without having to open up UDP port 123 for all clients (which is
> > stealthily overloaded by some P2P applications).
>
> Hmm.. which applications?

Kazaa and Gnucleus at the very least seem to use any available UDP port, at least according to some of these Snort rules: http://tinyurl.com/2s3tgm

One of our firewall guys says he has also seen IM clients use any available UDP port.

And yes, users don't have administrative control of their machines, so they can't install software. And we do have an IDS/IPS solution in place. But we do not control all machines that come into our network (conference rooms have DMZ-enabled guest wireless access, for example).

In any case, I want any of my machines looking for time to use my internal time servers here, and the pool while on the road. Of course, I could just make my NTP server pool publicly accessible, and have machines always use my NTP pool with the same DNS name(s) internally and externally. Which probably makes the most sense, now that I think about it.

> My bit of advice: To avoid issues with DNS caches on clients (especially
> Windows seems to have weird ideas about caching resolver answers) set
> the TTL low.

Good idea.

--
RPM
=========================
All problems can be solved by diplomacy, but violence and treachery are
equally effective, and more fun. -Anonymous
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
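The arrangement the reply settles on, one NTP name that resolves to the internal servers on the LAN and to public addresses from outside, with a short TTL so roaming clients re-resolve quickly, as an added configuration example that is not from this thread or from any poster; example.com, the 10.0.0.0/8 network, the 203.0.113.x addresses and the file names are assumed placeholders.

```conf
// Added example, not from the thread. Assumed placeholders: example.com,
// internal network 10.0.0.0/8, NTP hosts 10.0.0.10/11 inside and
// 203.0.113.10/11 from the Internet (RFC 5737 documentation addresses).

// --- named.conf: two views, one zone name, different zone files ---
view "internal" {
    match-clients { 10.0.0.0/8; 127.0.0.1; };
    recursion yes;
    zone "example.com" { type master; file "db.example.com.internal"; };
};
view "external" {
    match-clients { any; };
    recursion no;                      // authoritative only for outsiders
    zone "example.com" { type master; file "db.example.com.external"; };
};

; --- db.example.com.internal ---
$TTL 86400
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2007032001 3600 900 604800 300 )
     IN NS  ns1.example.com.
ns1  IN A   10.0.0.2
; Short TTL on the NTP names only: a laptop that leaves the LAN stops
; using the cached 10.x answer within five minutes instead of a day.
ntp  300 IN A 10.0.0.10
ntp  300 IN A 10.0.0.11

; --- db.example.com.external (same names, public addresses) ---
$TTL 86400
@    IN SOA ns1.example.com. hostmaster.example.com. (
         2007032001 3600 900 604800 300 )
     IN NS  ns1.example.com.
ns1  IN A   203.0.113.2
ntp  300 IN A 203.0.113.10
ntp  300 IN A 203.0.113.11

# --- ntp.conf on each client: one name works on the LAN and on the road ---
server ntp.example.com iburst

# --- ntp.conf on the two exposed servers: they sync from the pool and
# --- serve time only; ntpq/ntpdc queries and peering from outside refused
server 0.us.pool.ntp.org iburst
server 1.us.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
```

With this layout the firewall only needs outbound UDP 123 from the two NTP servers to the pool, not from every client, which is the hole the original question wanted to avoid opening.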
