[ntp:questions] Restrict statements and the "pool" directive

Rob nomail at example.com
Sun Dec 21 12:04:34 UTC 2014

David Woolley <david at ex.djwhome.demon.invalid> wrote:
> On 21/12/14 11:24, Rob wrote:
>> Anyway, I consider it a bug.  I don't want to lift restrictions to
>> arbitrary systems selected from a pool.  So, out went the pool command.
> Why do you want to specify pool servers if you want to restrict their 
> use so that you cannot use them?
> When people say lift restrictions here, they mean lift those which 
> prevent the use as a server, not lift all restrictions.  Unless you are 
> using a blunderbuss approach to restrictions, or using "ignore" you 
> should not be blocking the access needed to act as a client.

No, I want to have restrictions for everyone outside like this:
restrict default notrap nomodify nopeer noquery

That means I don't accept that anyone outside does something that may
modify my server (including setting up a "peer" relationship).

That does not preclude the use of an outside server, or the outside use
of my server as a reference.

Now, when using the "pool" command, those outside servers that are working
perfectly fine with the "server" command suddenly don't work, as the
original poster already described.  But why?  There is nothing different
between using a server via "server" or via "pool", so why would there be
differences in required restrictions?

It appears to be because of use of existing code that happens to check
the restrict.  I.e., it is a bug.

> I think the original question on this thread is much more likely to be 
> due to a DNS problem than one in using restrict, as I cannot see 
> anything in those restrictions which would prevent client access to the 
> pool.

Yes, that is the problem!  You cannot see anything there, the problem
is in the code.  And it worked ok in older versions, so people are
surprised when they (forcibly...) upgrade their ntpd and are suddenly
faced with this problem.
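
Added example, not part of the original post: a small Python check for the configuration discussed in this message, a "pool" directive combined with "nopeer" in the restrictions that apply to pool servers. It assumes the documented ntpd 4.2.8 behaviour that "nopeer" also covers pool associations and that a "restrict source" line, where present, supplies the flags for servers mobilized from a pool; the sample configuration and host names are constructed.

```python
# Added example: lint an ntp.conf for the pool/nopeer interaction.
SAMPLE_CONF = """\
# constructed sample, not from the original post
restrict default notrap nomodify nopeer noquery
restrict 127.0.0.1
pool pool.example.org iburst
server ntp1.example.net iburst
"""


def parse_conf(text):
    """Return (has_pool, {restrict address: [flag sets]}) for one ntp.conf."""
    has_pool, restricts = False, {}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not tokens:
            continue
        if tokens[0] == "pool":
            has_pool = True
        elif tokens[0] == "restrict":
            # "-4" / "-6" only select the address family of the entry
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args:
                restricts.setdefault(args[0], []).append(set(args[1:]))
    return has_pool, restricts


def pool_blocked_by_nopeer(text):
    """True when pool servers would fall under a restriction with nopeer.

    Assumption: pool servers are mobilized at run time and take their flags
    from "restrict source" if present, otherwise from "restrict default".
    """
    has_pool, restricts = parse_conf(text)
    if not has_pool:
        return False
    template = restricts.get("source") or restricts.get("default") or []
    return any("nopeer" in flags for flags in template)


if __name__ == "__main__":
    print("pool affected by nopeer:", pool_blocked_by_nopeer(SAMPLE_CONF))
```

Appending a line such as "restrict source notrap nomodify noquery" to the sample makes the check return False while leaving "restrict default" unchanged for everyone else.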
