[ntp:questions] Re: noserve restrict option

David L. Mills mills at udel.edu
Tue Oct 12 03:10:21 UTC 2004


Robert,

The access control stuff probably needs some work. It hasn't been 
thoroughly revisited for over a dozen years. What you want is an option 
that says listen to the packets returned in response to the ones you 
send and no other. In particular, you want not to return rogue packets 
sent by others. It might not be too hard to fold this option in the 
current mechanism, for instance by discarding all but server mode 
packets matching the last originate timestamp sent.

Dave

Robert Rati wrote:

> I'm trying to keep the system as secure as possible, and 
> unfinger-printable remotely.  I didn't decide that noserve was an option 
> needed, I'm just performing a package upgrade. :)  That being said, my 
> reading of the documentation indicated that noserve would prevent time 
> packets and thus defeat the purpose of the ntp daemon, but I wanted to 
> make sure.
> 
> As for the maxpoll, this system is working in an environment that has 
> restrictions on how often the clients can poll the servers so it is 
> unfortunately required.
> 
> Thanks for the clarification on the noserve option.  However, what I 
> don't understand is why this same config worked on version 4.1 but 
> doesn't work (apparently correctly) on 4.2.  Any ideas?
> 
> Rob
> 
> Steve Kostecke wrote:
> 
>> On 2004-10-05, Robert Rati <Robert.Rati at motorola.com> wrote:
>>
>>
>>> I'm attempting to secure an NTP client setup and have recently 
>>> upgraded from 4.1 to 4.2 but one of the options I used in 4.1 appears 
>>> to work differently in 4.2.  Basically, I restrict clients with the 
>>> default:
>>>
>>> restrict default ignore
>>>
>>> For each time server I have:
>>>
>>> restrict <ip-addr> noquery noserve
>>
>> Noserve blocks time packets. This means that you won't be able to get
>> the time from that server because you can't send time packets to it.
>>
>> Why do you think that you need noserve in this situation?
>>
>>> server <ip-addr> maxpoll 12 version 3
>>
>> You're better off not overriding ntpd's min/maxpoll settings unless you
>> find yourself in a situation where you absolutely have to do it.
>>
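The filter Dave sketches above (accept only server-mode replies whose origin timestamp echoes the transmit timestamp of the request we last sent, and drop everything else) modelled in Python as an added example; this is illustration code, not ntpd's access-control implementation, and the packet field values and timestamps are constructed.

```python
import struct

# RFC 5905 48-byte header: LI/VN/mode, stratum, poll, precision, root delay,
# root dispersion, refid, reference ts, origin ts, receive ts, transmit ts.
NTP_FMT = "!BBbbIIIQQQQ"
MODE_CLIENT, MODE_SERVER = 3, 4


def build_packet(mode: int, origin_ts: int, transmit_ts: int) -> bytes:
    """Minimal v4 packet; timestamps are 64-bit NTP format (seconds << 32 | fraction)."""
    first = (0 << 6) | (4 << 3) | mode  # LI=0, VN=4, constructed sample values below
    return struct.pack(NTP_FMT, first, 2, 6, -20, 0, 0, 0, 0, origin_ts, 0, transmit_ts)


class OriginCheckingClient:
    """Remembers the transmit timestamp of our last request and accepts a reply
    only if it is server mode and its origin timestamp matches, exactly once."""

    def __init__(self) -> None:
        self.expected_origin = 0  # 0 means no request is outstanding

    def next_request(self, transmit_ts: int) -> bytes:
        self.expected_origin = transmit_ts
        return build_packet(MODE_CLIENT, 0, transmit_ts)

    def accept(self, packet: bytes) -> bool:
        if len(packet) < struct.calcsize(NTP_FMT):
            return False  # truncated datagram
        fields = struct.unpack(NTP_FMT, packet[: struct.calcsize(NTP_FMT)])
        mode, origin = fields[0] & 0x07, fields[8]
        if mode != MODE_SERVER:
            return False  # broadcast, symmetric or client packets were never solicited
        if self.expected_origin == 0 or origin != self.expected_origin:
            return False  # not the answer to the request we actually sent
        self.expected_origin = 0  # consume it: a replayed copy of a good reply is dropped
        return True
```

The same origin-timestamp match is what later ntpd versions apply on the wire, so a client that only ever accepts packets passing this test never processes unsolicited replies.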