[ntp:questions] xntpd (NTPv3) "restrict" questions.

John DeDourek dedourek at unb.ca
Mon Jan 3 11:11:31 UTC 2005


Just a warning.  Pete Stephenson specifically asked about
ntp Version 3.0.  Most of what Brad Knowles wrote, I
believe, may be specific to version 4!

The comment that restrict requires IP addresses applies
to both versions.

At some point, the definition for "restrict notrust" was
modified.  Originally this was required to prevent peering.
Later, peering was limited to servers specifically
listed in "peer" lines and "notrust" became redundant.
Then later, notrust was reinstated, but with a new meaning,
as described by Knowles, to require cryptographic authentication.

I am doing this from memory.  But I believe that I was
successful in version 3 of ntp with something like:

restrict default notrust nomodify notrap

server a.b.c.d  # server a.b.c.d is 1.2.3.4
server e.f.g.h  # server e.f.g.h is 5.6.7.8

restrict 1.2.3.4 nomodify notrap
restrict 5.6.7.8 nomodify notrap
restrict 127.0.0.1  # was my own private workstation
                     # so I allowed ntpq and ntpdc to
                     # do anything from the local machine
                     # not advisable if you allow other
                     # users on the system, unless you
                     # have done all the necessary stuff
                     # with the keys file

I believe that this allows a.b.c.d and e.f.g.h to supply
time.  Anyone in the world to get time and query the
server.  Noone else (except the local machine itself, see
comment) to either supply time or to modify the configuration.

WARNING:  I am not an expert, so please confirm the above
before using.

NOTE:  You didn't say anything about a firewall.  Using
Linux with IPCHAINS when I was using ntp version 3, I also
had specific rules set in the firewall to control access
to the ntp server.  Specifically, I limited packets to
the ntp port (UDP 123) only from the local networks that
I wanted to access the time server, and any of the servers
that were listed that were not on these networks.  So,
the "whole world" stuff above was additionally restricted
by the firewall.



Pete Stephenson wrote:
> In article <mailman.3.1104686175.588.questions at lists.ntp.isc.org>,
>  Brad Knowles <brad at stop.mail-abuse.org> wrote:
> 
> 
>>	Your server will automatically be protected from people trying to 
>>modify the time on it unless you "peer" with them.  They may try to 
>>update your concept of time, but your server will ignore those 
>>packets unless it is explicitly told to look for them.
> 
> 
> Ah, excellent. That's precisely what I wanted to hear.
> 
> Thanks for the information.
> 




More information about the questions mailing list