[ntp:questions] 4.2a headaches

Danny Mayer mayer at ntp.isc.org
Thu Jan 5 18:00:14 UTC 2006


Williams, Jeffrey wrote:
> Hi folks,
> 
> I am having some interesting issues with the newer implementation of ntp
> 4.2 versus 4.1.
> 
> Ok, trying to configure a local timeserver on my network (with both
> public and private subnets) that syncs from the public ntp pool and/or
> other stratum 1 and 2 public timeservers, which then other machines on
> my network will use as their timeserver. However, since my internet
> connection is not the fastest, not to mention I have other uses for it,
> I don't want to allow open access to my timeserver.
> 
> Now under 4.1 here is what my primary timeserver's ntp.conf looked like
> (where 1.2.3.4 and 5.6.7.8 are subnets I want to allow to use my
> timeserver):
> 
> server timeserver1.somedomain.com
> server timeserver2.somedomain.com
> server timeserver3.somedomain.com
> server timeserver4.somedomain.com
> server timeserver5.somedomain.com
> 
> driftfile /var/db/ntp.drift
> 
> restrict default noserve notrap nomodify
> restrict 1.2.3.4 mask 255.255.255.248 nomodify notrap
> restrict 5.6.7.8 mask 255.255.255.248 nomodify notrap
> restrict 127.0.0.1
> 
> Now this configuration does not work under 4.2, and from what I can
> gather from the documentation, this is on purpose, and under the new
> rules, you have to add an explicit "restrict" line for each server entry.
> 
> And from my testing this seems to be true: restrict defaults of
> "noserve" and/or "ignore" block sync with the previously listed
> timeservers unless I eliminate the restrict entries altogether, or
> specifically list each server entry's IP address with its own
> restrict line.
> 
> The problem is that you can't use hostnames in a restrict line, and the
> reason we use hostnames on server lines is so a hosting party can move
> the time service to a different IP address without disrupting
> timeservice, not to mention for obvious reasons specific IP listings
> won't work if you want to use the ntp.org ntp server pools.  So if you
> want to sync with pool timeservers and/or use only host names to sync
> with specific public timeservers you have to allow open access to your
> time server?
> 
> So is this the way it is supposed to work? am I making a stupid mistake?
> or is this a bug in 4.2?
> 
Unfortunately, you need to explicitly set each one. You can use the
network mask for IPv4 addresses to help here. In a future version I will
add code to allow packets from the addresses in the server list to go
through, in effect making restrict dynamic based on the resulting IP
address being used. But for now, you're stuck. Is this server available
on the internet or do you want to also restrict internal usage?

Danny
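As an added illustration of the workaround Danny describes (this is an example written for this page, not a configuration from the thread or from the NTP project): the asker's ntp.conf reworked for ntpd 4.2, with one restrict line per upstream server. The addresses are assumptions: 192.0.2.10 through 192.0.2.14 stand in for whatever the five timeserverN.somedomain.com hostnames resolve to at the time of writing the file, and 10.1.1.0/29 and 10.1.2.0/29 stand in for the asker's 1.2.3.4 and 5.6.7.8 client subnets.

```conf
# Added example, not from the thread: ntp.conf for ntpd 4.2 that serves
# time only to two local subnets but still syncs from five public servers.
#
# Assumed placeholder addresses: 192.0.2.10-14 are what the five upstream
# hostnames resolve to today; 10.1.1.0/29 and 10.1.2.0/29 are the client
# subnets allowed to ask this host for time.

driftfile /var/db/ntp.drift

# Default policy: do not serve time, accept traps, runtime modifications
# or status queries from anyone not listed below.  Under 4.2 this also
# discards replies from the upstream servers, hence the per-server lines.
restrict default noserve notrap nomodify noquery
restrict 127.0.0.1

# Upstream servers.  Each needs a restrict entry for the address the
# hostname resolves to, WITHOUT "noserve", or its replies are dropped.
# "nomodify notrap noquery" still keeps the upstream from reconfiguring
# or interrogating this daemon.
server timeserver1.somedomain.com
restrict 192.0.2.10 nomodify notrap noquery
server timeserver2.somedomain.com
restrict 192.0.2.11 nomodify notrap noquery
server timeserver3.somedomain.com
restrict 192.0.2.12 nomodify notrap noquery
server timeserver4.somedomain.com
restrict 192.0.2.13 nomodify notrap noquery
server timeserver5.somedomain.com
restrict 192.0.2.14 nomodify notrap noquery

# Local client subnets (/29 each) that may request time from this host.
restrict 10.1.1.0 mask 255.255.255.248 nomodify notrap noquery
restrict 10.1.2.0 mask 255.255.255.248 nomodify notrap noquery
```

Two caveats a practitioner will hit. First, the per-server restrict lines pin the address the hostname resolved to when the file was written; if the upstream operator moves the service, sync silently stops until the line is updated (a quick check is `ntpq -p`, where a server whose replies are being dropped never leaves reach 0). Second, as the original poster notes, this cannot be made to work with pool hostnames whose addresses rotate, so pool servers are out unless the default policy is loosened. Later NTP releases added a `restrict source` entry that applies a restriction template to the resolved address of every configured server, which is the dynamic behaviour Danny says he planned to add.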


