[ntp:questions] Restrict statements and the "pool" directive

Rob nomail at example.com
Sun Dec 21 14:22:07 UTC 2014


David Taylor <david-taylor at blueyonder.co.uk.invalid> wrote:
> On 21/12/2014 11:17, Terje Mathisen wrote:
> []
>> 'restrict source' is the proper way to do it, as long as you have a
>> version which supports that command.
>>
>> Terje
>
> Thanks, Rob & Terje, that did the job.  Almost!
>
> The exception was that if you have a local node defined as a server, and 
> you want that node to be able to issue ntpq commands, it seems that the 
> configuration I suggested blocks this, even adding "query" to the 
> 192.168.0.0 line:
>
> restrict default notrap nomodify nopeer noquery
> restrict 192.168.0.0 mask 255.255.255.0 peer query
>
> so I needed to make it:
>
> restrict default notrap nomodify nopeer query
> restrict 192.168.0.0 mask 255.255.255.0 peer
>
> Perhaps I did something wrong?

Yes, when you want to allow things to the local system you need to add:

restrict 127.0.0.1
restrict ::1

> These systems are unlikely to be connected as Internet-facing servers, 
> so it is more a learning exercise for me, but I need to know what to 
> recommend to others.

At least do not recommend others to set default to anything other than
restrict default notrap nomodify nopeer noquery

Allowing query on an external system was common practice until the
undesired folks on the internet found how they could abuse this to
attack others.
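As an added example (not from the thread or the ntp project), a small audit script that flags the mistakes discussed above: a `restrict default` line that lacks `noquery` (or the other three flags), missing loopback `restrict` lines that keep local ntpq working, and a `pool` directive with no `restrict source` line. The two ntp.conf fragments are constructed for the demonstration.

```python
# Constructed samples (not from the thread): the quoted second attempt, which
# opens 'query' to everyone instead of adding loopback lines, and a corrected form.
BAD_CONF = """\
pool 0.pool.ntp.org iburst
restrict default notrap nomodify nopeer query
restrict 192.168.0.0 mask 255.255.255.0 peer
"""
GOOD_CONF = """\
pool 0.pool.ntp.org iburst
restrict default notrap nomodify nopeer noquery
restrict source notrap nomodify noquery
restrict 192.168.0.0 mask 255.255.255.0
restrict 127.0.0.1
restrict ::1
"""

def parse_restrict(conf_text):
    """Yield (target, flags) for every 'restrict' line, ignoring comments."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens[:1] != ["restrict"]:
            continue
        tokens = tokens[1:]
        if tokens[:1] in (["-4"], ["-6"]):  # optional address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        target, flags = tokens[0], tokens[1:]
        if flags[:1] == ["mask"] and len(flags) > 1:  # "a.b.c.d mask m.m.m.m"
            target, flags = f"{target} mask {flags[1]}", flags[2:]
        yield target, set(flags)

def audit(conf_text):
    """Return findings; an empty list means the config follows Rob's advice."""
    findings = []
    entries = list(parse_restrict(conf_text))
    targets = {t for t, _ in entries}
    defaults = [f for t, f in entries if t == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: all hosts get full access")
    for flags in defaults:
        for flag in ("notrap", "nomodify", "nopeer", "noquery"):
            if flag not in flags:
                findings.append(f"'restrict default' is missing {flag}")
    for lo in ("127.0.0.1", "::1"):
        if lo not in targets:
            findings.append(f"no 'restrict {lo}' line: local ntpq will be refused")
    uses_pool = any(l.split()[:1] == ["pool"] for l in conf_text.splitlines())
    if uses_pool and "source" not in targets:
        findings.append("'pool' used without a 'restrict source' line")
    return findings
```

Run `audit()` over your own ntp.conf text; the BAD_CONF sample yields four findings and GOOD_CONF yields none.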
