On Thu, May 03, 2007 at 01:40:38PM -0400, [EMAIL PROTECTED] wrote:
>
> On Thu, 3 May 2007, mark kraitchman wrote:
>
> > We just received an explanation as to why some of the
> > Roulette testbed nodes on the 128.32.130.0/25 were making
> > requests to NTP servers outside Berkeley:
> >
> > "For some reason the ntpd on the embedded linux was working with a
> > predefined host list and was ignoring /etc/ntp.conf unless it
> > was explicitly included on the ntpd command line. They're now all
> > configured to query only the ntpd on the local router."
> >
> > mark kraitchman (for [EMAIL PROTECTED])
> > _______________________________________________
> > timekeepers mailing list
> > [email protected]
> > https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
> >
>
> Hello,
>
> I suggested the following several times but nobody seems to pay attention.
>
> I suggest that your outgoing router catches all outgoing requests to
> ntp and redirects them to itself. This way, you do not have to configure all
> your devices manually like you seem to have done.
>
> As a bonus, you get 100% of the requests handled by your router, not just
> the requests from devices properly configured.
>
> If your router redirects the requests to itself, it doesn't matter
> anymore which hosts are configured within the devices.
>
> Anybody ? Anything wrong with what I am suggesting ??
What you are describing, I would call a firewall. It is supposed to protect
those in other compartments when things blow up. In an ideal world, it wouldn't
interfere with normal usage, whatever that is. And, in an ideal world, it
wouldn't be used as an excuse to allow other stuff to remain broken: that path
leads to trouble.

> If not, why isn't anybody else seeming to be doing or recommending this ?

Plenty of people promote the use of firewalls.

> Could catching udp 123 outgoing request interfere with other applications ?

The simple system you describe sounds like it is immediately going to screw
with the expectations of anyone carefully and deliberately using port 123 for
anything but the simplest purpose, e.g. checking one source against another.

Why not just block 123 at the firewall and provide an ntp service ?

Regards,
Paddy
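The two policies argued over in this thread, transparently redirecting outbound NTP to the router versus blocking it at the firewall and offering a local ntpd, as an added iptables example that is not part of the thread or anyone's posted configuration; it assumes a constructed LAN interface name, reuses the testbed prefix from the thread, and only prints the rules so a policy can be reviewed before it is applied on the router.

```shell
#!/bin/sh
# Added example: emit the iptables rules for the two approaches discussed,
# printed rather than executed, so the policy can be reviewed first.
# Assumptions (constructed): LAN interface eth1; the router runs its own
# ntpd; the thread's testbed prefix 128.32.130.0/25 is the client network.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-128.32.130.0/25}"

# Usage: ntp_egress_rules redirect|block
# Pipe the output into sh on the router to apply it.
ntp_egress_rules() {
    case "$1" in
    redirect)
        # Transparent DNAT: every outbound NTP query from the LAN is answered
        # by the router's own ntpd, whatever servers the device was built with.
        # Caveat raised in the reply: a host deliberately comparing an outside
        # server against the local one silently gets the local answer instead.
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p udp --dport 123 -j REDIRECT --to-ports 123"
        ;;
    block)
        # Explicit policy: NTP to the router itself is accepted (INPUT chain),
        # anything bound for the outside is logged and dropped (FORWARD chain),
        # so a misconfigured device shows up in the log instead of leaking.
        echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 123 -j ACCEPT"
        echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 123 -j LOG --log-prefix 'NTP-EGRESS-DENY '"
        echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 123 -j DROP"
        ;;
    *)
        echo "usage: ntp_egress_rules redirect|block" >&2
        return 1
        ;;
    esac
}
```

With the block policy, the LOG line is the detection hook: the log prefix identifies devices that, like the embedded ntpd in the thread, ignore their configuration file and still try outside servers.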
