[ntp:questions] Re: restrict in ntpdc

Steve Kostecke kostecke at ntp.isc.org
Wed Nov 3 14:40:22 UTC 2004


On 2004-11-03, Nagy Bela <belus at petra.hos.u-szeged.hu> wrote:
>
> First, thanks for your help.
>
>> Before you start setting your ntpd restrictions you need to consider a
>> few points...

Please take a moment to trim extraneous material from your posts...

<snip: 24 lines>

>> ...and ask yourself a few questions:
>>
>> 1. Are incoming connections to your ntpd blocked by NAT or a stateful
>> inspection firewall?
>
> No. I myself manage the firewall (netfilter) and the udp port 123 is
> allowed in both directions.

You should configure your firewall to only allow in packets in response
to internal requests. If you did so you wouldn't need _any_ restrict
statements at all and the rest of this discussion would be moot.

>> 2. If your ntpd is publicly accessible, do you really need to block
>> all connections from unauthorized hosts?
>> 
> Yes, since this computer is connected to the net with a slow modem (56k)
> and for others it is more advantageous to use other ntp servers
> (with more accurate clock).

Most of the ntp pool servers operate at Stratum-2. This means that your
ntpd will, most likely, operate at Stratum-3. Most people will not use a
Stratum-3 time server even if they know that it exists. And, since you
have a dynamic IP address, the chances of someone locating your ntpd are
quite small.

>> 4. How much protection do you need from clients on your internal
>> network?
>
> I have no clients, only one computer on which ntpd is running.

Then you really don't need to bother with restrictions at all. But if
you insist on using some, use this:

restrict default kod nomodify notrap nopeer
restrict 127.0.0.1

And you won't have to struggle with restrict lines for your remote time
servers.

>> You _must_ use an IP address on the restrict line.
>> 
>> server x.y.z.w
>> restrict x.y.z.w
> (restrict with no other parameters?)

'restrict x.y.z.w' drops all restrictions for that IP address.

>> If you are using a dial-up you need to seriously reconsider your default
>> restrictions.

I can't stress this point strongly enough. You are making things much
more difficult than they need to be because of your insistence on using
"restrict default ignore" when it is not really necessary. Of course,
it's your system, YMMV, etc.

>> Your ntpd will sync to a remote time server in ~15.30 seconds if you
>> use the 'iburst' option on the server lines in your /etc/ntp.conf.
>
> I heard that using iburst without prior permission is highly
> unfriendly. And I don't have permissions.

"burst" is considered unfriendly because it causes _all_ of your NTP
packets to be sent in repetitive bursts to the remote time servers.

"iburst" causes multiple packets to be sent only during the initial
exchanges and is not considered to be unfriendly.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Support Project - http://ntp.isc.org/
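As an added example (not part of the post, and not code from the NTP project), the script below reads a constructed ntp.conf fragment built from the two restrict lines recommended above and the iburst server lines, and then works out which restriction flags ntpd would apply to a given client address. It models the ntpd rule that the most specific matching restrict entry wins and that flags do not accumulate across entries, which is why a bare `restrict 127.0.0.1` leaves the local host completely unrestricted while every other address falls under `restrict default kod nomodify notrap nopeer`. The function names, the sample configuration and the pool hostnames in it are assumptions made for this illustration.

```python
import ipaddress

# Constructed ntp.conf fragment for illustration (assumed; not a real host's
# config). It uses the two restrict lines from the post and iburst on the
# server lines, which the post describes as the friendly form of burst.
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst     # initial burst only, considered acceptable
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""


def parse_restrict_lines(conf_text):
    """Return a list of (network, flags) tuples, one per 'restrict' line.

    Handles 'restrict default', 'restrict -4/-6 default', single hosts
    (treated as /32 or /128) and the 'mask' keyword. Comments are ignored.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        family6 = False
        if tokens and tokens[0] in ("-4", "-6"):
            family6 = tokens[0] == "-6"
            tokens = tokens[1:]
        target, flags = tokens[0], tokens[1:]
        if target == "default":
            net = ipaddress.ip_network("::/0" if family6 else "0.0.0.0/0")
        elif flags[:1] == ["mask"]:
            # 'restrict A.B.C.D mask M.M.M.M flags...' form
            net = ipaddress.ip_network(f"{target}/{flags[1]}", strict=False)
            flags = flags[2:]
        else:
            net = ipaddress.ip_network(target)  # a single host
        entries.append((net, frozenset(flags)))
    return entries


def effective_flags(entries, address):
    """Flags ntpd applies to `address`: those of the most specific match.

    Flags from less specific entries are not inherited, so a host entry
    with no flags ('restrict 127.0.0.1') means 'no restrictions at all'.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for net, flags in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return best[1] if best else frozenset()


def server_options(conf_text):
    """Map each 'server' hostname to the list of options given on its line."""
    servers = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if parts and parts[0] == "server":
            servers[parts[1]] = parts[2:]
    return servers


def uses_plain_burst(conf_text):
    """True if any server line uses 'burst' (the form the post calls unfriendly)."""
    return any("burst" in opts for opts in server_options(conf_text).values())


if __name__ == "__main__":
    entries = parse_restrict_lines(SAMPLE_NTP_CONF)
    for client in ("127.0.0.1", "203.0.113.5"):
        print(client, sorted(effective_flags(entries, client)) or "unrestricted")
    print("plain burst in use:", uses_plain_burst(SAMPLE_NTP_CONF))
```

Running it shows the local host as unrestricted and an arbitrary remote address (203.0.113.5 is a documentation-range value) receiving the kod/nomodify/notrap/nopeer set; that remote set still allows ordinary time queries, which is the point of the post: the default line blocks modification and peering without "restrict default ignore".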
