[ntp:questions] NTP on small 100% Linux LAN : reasonable access control policy ?

David Lord snews at lordynet.org
Sun Aug 1 15:11:22 UTC 2010


Niki Kovacs wrote:
> David Lord a écrit :
>>
>> # servers previous to July 2010 had: restrict default noquery
>> # but now to reduce number of sites sending too frequent polls
>> restrict default kod nomodify notrap nopeer
>>
>> # for local public lan segments
>> restrict a.b.c.d mask 255.255.255.0
>> restrict e.f.g.h mask 255.255.255.0
>>
>> # for private lan segments
>> restrict s.t.u.v mask 255.255.255.0
>> restrict w.x.y.z mask 255.255.255.0
>>
>> # for localhost
>> restrict 127.0.0.1
>> restrict -6 ::1 # only if ipv6 enabled
>>
>> Servers have ntp traffic restricted by firewall rules and
>> in addition clients are behind NAT.
>>
>> Client pcs (including laptops when used remote) are pointed to
>> my own servers. I think some have same restrict lines as
>> servers and others may have minimum:
>> restrict default noquery
>> restrict 127.0.0.1
>> restrict -6 ::1 # only if ipv6 enabled
>>
> 
> Oh wow. Thanks very much for that detailed explanation. I'll try it out 
> this afternoon.

The above server configuration is the same as I use, but it is open
to public access if you aren't firewalled or behind NAT.
Your 'restrict default ignore' for the server config could be a
safer option if you are open to the internet. I made use of
the firewall's default deny for incoming connections up until
adding rules to allow ntp requests some weeks before I
joined the pool. I didn't notice any incoming requests other
than from my own remote connections during the few-week
period before my IPs were added to the pool DNS rotation.


David
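A small audit script, added here as an example (not part of this thread or of ntpd), that parses the restrict lines quoted above and reports what the 'default' entry still permits; the flag meanings are taken from ntp.conf(5), and the conf text in the test is constructed from the quoted snippets.

```python
"""Audit ntp.conf 'restrict' lines: what does the default entry still allow?"""

# ntpd restrict flags that affect access (subset of ntp.conf(5)); 'kod' only
# enables Kiss-of-Death replies and closes nothing by itself.
FLAGS = {"ignore", "kod", "nomodify", "noquery", "nopeer", "noserve", "notrap", "notrust"}


def parse_restrict(conf_text):
    """Return one dict per restrict line: address, optional mask and flag set."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line.startswith("restrict"):
            continue
        tokens = [t for t in line.split()[1:] if t not in ("-4", "-6")]
        addr, rest = tokens[0], tokens[1:]
        mask = None
        if rest[:1] == ["mask"]:                     # e.g. restrict a.b.c.d mask 255.255.255.0
            mask, rest = rest[1], rest[2:]
        entries.append({"address": addr, "mask": mask,
                        "flags": {t for t in rest if t in FLAGS}})
    return entries


def capabilities(flags):
    """What a source matching a restrict line may still do (all True when no flags)."""
    if "ignore" in flags:                            # ignore drops every packet
        return {"time": False, "query": False, "modify": False, "peer": False}
    return {
        "time": "noserve" not in flags,              # answer time requests
        "query": "noquery" not in flags,             # ntpq/ntpdc information queries
        "modify": "nomodify" not in flags,           # runtime reconfiguration (still needs auth)
        "peer": "nopeer" not in flags,               # unsolicited peer associations
    }


def audit(conf_text):
    """Findings about 'restrict default', which governs every unlisted source."""
    defaults = [e for e in parse_restrict(conf_text) if e["address"] == "default"]
    if not defaults:                                 # no default line: ntpd allows everything
        return ["no restrict default line; ntpd allows all access from unlisted sources"]
    caps = capabilities(defaults[0]["flags"])
    messages = {
        "query": "default permits ntpq/ntpdc queries from any source",
        "modify": "default permits runtime modification requests from any source",
        "peer": "default permits unsolicited peer associations from any source",
        "time": "default serves time to any source (expected for a pool server; otherwise rely on firewall/NAT)",
    }
    return [msg for key, msg in messages.items() if caps[key]]
```

Run it over a real ntp.conf with `audit(open("/etc/ntp.conf").read())`; an empty list means the default entry is fully closed, as with 'restrict default ignore'.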