ACLs and policies for NTP servers
How are you handling NTP servers on your networks? :)
I'm working on some adjustments for a mixed environment; they
have something like 30-40 servers (most Debian GNU/Linux with a few
Microsoft Windows) and 200-300 workstations (most Microsoft Windows,
with a few Debian GNU/Linux and MacOS 9/X).
We are planning to have an NTP server on the DMZ for the
servers with public IPs and another NTP server on the LAN for the
internal servers and all the workstations.
The company agreed to take part in pool.ntp.org and I'm
planning to use ntp-simple on all valid servers, but only one of them
would be publicly accessible. Considering that, I'm still unsure about
what is the best/proper way to restrict the servers to only my DMZ and
on the public server allow everybody to access it.
Any hints or recommended configuration?
I did check the ntp.org documentation and NTP information in
Debian wiki, but after some tests, I was unhappy with the outcome (it
appears that the main server was not allowing external updates).
So, the plan is:
NTP-PUB-SERVER would allow people from outside company to use
the NTP, it is the main NTP server for the company. All the
other valid IP servers would use it as the primary NTP server
but would block "outside connections".
NTP-LAN-Server would use NTP-PUB-SERVER and would be responsible
for the LAN NTP service, the LAN servers would use it and the
NTP-PUB-SERVER as NTP Server.
Is it reasonable? Should I use iptables rules? Or NTP restrict
ones? I would like to have it right because we want the NTP-PUB-SERVER
to be useful for other people who need an NTP server in South America
(Brazil). But I would like to keep the other valid IP servers protected to
Felipe Augusto van de Wiel (faw)
"Debian. Freedom to code. Code to freedom!"
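One way to express the plan above in ntpd's own restrict syntax, as an added example that is not part of the original post: the public box answers everyone but refuses modification and control queries, while the other DMZ hosts and NTP-LAN-Server drop everything except their own network and their upstream. The DMZ network 192.0.2.0/24 and the upstream address 198.51.100.10 are constructed placeholders.

```conf
# --- ntp.conf on NTP-PUB-SERVER (public, DMZ) ---
# Serve time to anyone, but refuse runtime configuration changes (nomodify),
# trap and control/monitoring queries (notrap, noquery) and unsolicited
# symmetric peering (nopeer). kod answers abusive clients with
# kiss-o'-death packets instead of silently ignoring them.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Unrestricted access for local tools such as ntpq on the host itself
restrict 127.0.0.1
restrict -6 ::1
# Upstream sources from the South America pool zone
server 0.south-america.pool.ntp.org iburst
server 1.south-america.pool.ntp.org iburst

# --- ntp.conf on the other DMZ servers and on NTP-LAN-Server ---
# Ignore every packet by default, then open only what is needed.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
# Hosts on the DMZ network (constructed 192.0.2.0/24) may only ask for time
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery
# With "restrict default ignore" the upstream must be listed explicitly,
# otherwise its replies are dropped (198.51.100.10 stands in for NTP-PUB-SERVER)
server 198.51.100.10 iburst
restrict 198.51.100.10 nomodify notrap noquery
```

The restrict lines are the NTP-level control; a host firewall rule limiting UDP/123 to the same sources is an independent second layer, so the two are complementary rather than alternatives.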