[ntp:questions] NTP access restrictions IPv6
Philippe Maechler
pmaechler-ml at glattnet.ch
Thu Feb 28 10:48:36 UTC 2019
Hello List
I'm setting up a few pairs of new ntp servers for our network. The setup is
like this:
             +---------+   +---------+
    +--------| s1-ntp1 |   | s1-ntp2 |--------+
    |        +---------+   +---------+        |
    |             |             |             |
    |             |             |             |
+--------+    +--------+    +--------+    +--------+
| ntp1-1 |    | ntp1-2 |    | ntp2-1 |    | ntp2-2 |
+--------+    +--------+    +--------+    +--------+
The S1 servers are talking to 4-10 public NTP servers in the net. Our and
our customers' gear should use the ntpN-N servers.
IPv4 and IPv6 are enabled on all servers. A, AAAA and PTR records are in
place.
Unfortunately the ntpN-N servers can't sync to the s1 servers over v6 and
I'm having a hard time figuring out why.
tcpdump on s1 shows that the requests come in but are discarded/ignored.
Configuration on S1:
#
# $FreeBSD: releng/11.2/etc/ntp.conf 314531 2017-03-02 01:23:17Z ian $
#
#
# default access restrictions (ignore everything)
restrict default ignore
restrict -6 default ignore
# allow unrestricted access from localhost
restrict 127.0.0.1
restrict -6 ::1
# NTP servers geographically close to you.
server x1.x2.x3.x4 iburst maxpoll 9
server y1.y2.y3.y4 iburst maxpoll 9
.
.
# allow remote servers
restrict x1.x2.x3.x4 nomodify notrap noquery nopeer
restrict y1.y2.y3.y4 nomodify notrap noquery nopeer
.
.
# who will get time services from us
restrict 10.3.5.0 mask 255.255.255.0 nomodify notrap noquery nopeer
restrict 10.20.0.0 mask 255.255.0.0 nomodify notrap noquery nopeer
restrict 10.21.0.0 mask 255.255.0.0 nomodify notrap noquery nopeer
restrict 192.168.3.0 mask 255.255.255.0 nomodify notrap noquery nopeer
restrict 192.168.6.0 mask 255.255.255.0 nomodify notrap noquery nopeer
restrict 10.75.2.0 mask 255.255.255.0 nomodify notrap noquery nopeer
.
.
restrict -6 2001:0DB8::/32 nomodify notrap noquery nopeer
restrict 2001:0DB8::/32 nomodify notrap noquery nopeer
restrict -4 127.0.0.1
server 127.127.1.0
fudge 127.127.1.0 stratum 10
statistics loopstats
statsdir /var/log/ntp/
filegen peerstats file peers type day link enable
filegen loopstats file loops type day link enable
# MRU (Most Recently Used)
mru maxdepth 1200
mru mindepth 60
mru maxage 600
#leapfile "/etc/ntp/leap-seconds"
leapfile "/var/db/ntpd.leap-seconds.list"
The server is starting fine and the log contains nothing special.
Questions:
a. What do you think about the setup? Should S1-NTP1 and S1-NTP2 sync
to each other or not?
b. Did I get the access part (in general) right?
c. Why can't my ntp1-1 host (2001:0DB8:21:10e3::2) get any time
information from this host? Checked with ntpdate <ipv6 address> -> timeout
d. What is the difference between "restrict -6 <IPv6 address>" and
"restrict <IPv6 address>"? I guess both variants are working (historical
reasons)
NTP Version:
S1 has: ntpd - NTP daemon program - Ver. 4.2.8p11 (will update this to
4.2.8p12 later this week)
ntpN-N already has 4.2.8p11
OS:
FreeBSD 12.0-p3
The IP addresses are obfuscated; I hope there are no fat-finger failures
because of that.
TIA for any hints pointing me in the right direction.
Best regards
Philippe
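A check I would add here (my own Python, not ntpd's code and not part of the original post): a small model of how ntpd matches a client against the restrict table, run over an excerpt of the config above. It assumes the documented rule that the most specific matching entry wins and that a plain `restrict default` covers both address families; it models only the table, not anything else ntpd does with a packet (interface binding, rate limiting, key checks).

```python
import ipaddress

# Constructed excerpt of the posted ntp.conf (the real file has more entries).
NTP_CONF = """
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
restrict 10.3.5.0 mask 255.255.255.0 nomodify notrap noquery nopeer
restrict -6 2001:0DB8::/32 nomodify notrap noquery nopeer
"""

def parse_restrict(conf):
    """Return (network, flags) pairs for every 'restrict' line.
    'default' expands to 0.0.0.0/0 and/or ::/0 according to the -4/-6 flag."""
    entries = []
    for line in conf.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = tok[1:]
        fam = tok.pop(0) if tok[0] in ("-4", "-6") else None
        addr = tok.pop(0)
        if addr == "default":
            nets = [ipaddress.ip_network(d) for d, f in
                    (("0.0.0.0/0", "-6"), ("::/0", "-4")) if fam != f]
        elif tok and tok[0] == "mask":           # IPv4 'addr mask m' form
            nets = [ipaddress.ip_network(f"{addr}/{tok[1]}", strict=False)]
            tok = tok[2:]
        else:                                    # bare host or addr/prefix form
            nets = [ipaddress.ip_network(addr, strict=False)]
        entries.extend((n, frozenset(tok)) for n in nets)
    return entries

def lookup(entries, client):
    """Flags that apply to a packet from `client`: the most specific (longest
    prefix) entry of the same address family wins; no match means unrestricted."""
    ip = ipaddress.ip_address(client)
    best = None
    for net, flags in entries:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    return best[1] if best else frozenset()

if __name__ == "__main__":
    table = parse_restrict(NTP_CONF)
    for host in ("2001:0DB8:21:10e3::2", "2001:db9::1", "10.3.5.7"):
        print(host, sorted(lookup(table, host)) or "(unrestricted)")
```

A client whose result contains `ignore` is exactly the case where tcpdump shows the request arriving and nothing going back, so running the real file through this is a quick way to confirm the table is not the cause before looking at the daemon itself.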