[ntp:questions] problem with "restrict default ignore"

Dave Hart davehart at gmail.com
Fri Jul 30 07:36:56 UTC 2010


On Fri, Jul 30, 2010 at 07:11 UTC, J. Bakshi <joydeep at infoservices.in> wrote:
> I like to secure my ntp daemon with "restrict default ignore"

You didn't ask, but my personal opinion is that is usually overkill
and just causes more pain than it's worth.  I use "restrict default
limited kod notrap".

> but ntp stops synchronizing with this configuration; though I have restrict lines for ntp servers.

Yes, but your 'servers' are *.pool.ntp.org, which DNS names resolve to
a different handful of servers every few minutes.  You don't mention
which version of ntpd, but I'll bet it is not recent enough to add a
restriction for each of several IP addresses a DNS name resolves to.
Instead, I suspect it is using only a single IP address for each
"restrict" line in ntp.conf.  "ntpdc -c reslist" displays the
resulting restriction list.

Since running up-to-date ntpd is heresy to most, I'll first assume you
want to make it work with the version of ntpd you have already.  One
way is to switch from using *.pool.ntp.org to hand-selected servers,
perhaps from:

http://support.ntp.org/bin/view/Servers/StratumTwoTimeServers

Newer ntp-dev releases of ntpd (4.2.7p22 and beyond) have been
enhanced with this specific problem in mind, adding a "restrict
source" directive to configure blanket restrictions for servers listed
in "server", "pool", "manycastclient", and other directives which
configure associations.  If you were to jump to the bleeding edge, you
could replace all your per-server restrict lines with a single
"restrict source notrap noquery".

If you do try ntp-dev, you might also kick the tires of the reworked
"pool" directive, by using it in place of "server" for *.pool.ntp.org
lines.

Cheers,
Dave Hart
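As an added illustration, not part of the thread, here are the three configurations discussed above side by side as ntp.conf fragments; the 192.0.2.x addresses and the example.net hostnames are documentation placeholders, not real servers:

```conf
# ntp.conf fragment (constructed example): the configuration that fails
# to synchronize, as described in the reply above.

# 1) Deny everything by default ...
restrict default ignore
restrict 127.0.0.1
restrict ::1

# ... then try to open holes for the servers.  On an older ntpd each
# restrict line below covers exactly ONE address: whichever one the pool
# name resolved to when the line was parsed.  The "server" lines keep
# resolving to other pool members, whose replies are then ignored.
# (192.0.2.x are documentation addresses, not real pool hosts.)
restrict 192.0.2.10 nomodify notrap noquery
restrict 192.0.2.20 nomodify notrap noquery
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

# ---------------------------------------------------------------------
# Alternative A (works with the ntpd you already have): the less strict
# "limited kod notrap" default instead of "ignore", plus hand-picked
# servers whose addresses do not rotate, e.g. from the stratum-two list.
restrict default limited kod notrap
restrict 127.0.0.1
restrict ::1
server ntp-a.example.net iburst   # placeholder hostname
server ntp-b.example.net iburst   # placeholder hostname
# If you still want per-server restrict lines, they can use these
# servers' fixed addresses instead of a pool name.

# ---------------------------------------------------------------------
# Alternative B (ntp-dev 4.2.7p22 or later): keep the strict default,
# but let one "restrict source" line apply to every address that an
# association resolves to, and use the reworked "pool" directive for
# the pool names instead of "server".
restrict default ignore
restrict source notrap noquery
restrict 127.0.0.1
restrict ::1
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
```

On any version, "ntpdc -c reslist" (or "ntpq -c reslist" where ntpdc is unavailable) shows which addresses actually ended up in the restriction list, which is the quickest way to confirm whether a pool member is being ignored.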
