[ntp:questions] NTP on small 100% Linux LAN: reasonable access control policy?
mickey at mouse.com
Mon Aug 2 13:09:49 UTC 2010
Danny Mayer wrote:
> Unfortunately this USENET group is full of compulsive obsessive freaks
> desperately trying to keep their system clocks as close as they can to
> UTC. If they had the money they would buy atomic clocks, but since they
> don't they join this group to commiserate with their fellow compulsives.
> So you just joined a support group.
In short, I've just happened to ask "How's the weather, guys?" on a
Harvard Congress Of Quantum Meteorology.
> If you just want the servers/clients to supply time to an internal group
> of systems, you can set up the restricts to allow access only to the
> subnet but you must allow in the answers to external requests otherwise
> they will get dropped. The recent addition of restrict source helps with
I admit bluntly I'm trying to make sense out of a series of tutorials,
HOWTOs and other recipes. What I do have here is a small LAN, a server
and a bunch of clients, and I want the server to synchronize with some
pool server, and then the machines on the LAN to synchronize with the
local server, no more, no less. So far, I managed to do that. And now,
well, out of some sort of common sense, I thought: OK, let's make this
service available to those that need it, and close it down for everybody
else, because after all, you never know. My security approach
deliberately follows some private KISS (Keep It Simple, Stupid) principle.
I reworked my setup since yesterday, here's what I got:
Server: grossebertha, 192.168.1.252
# answer time requests from anyone, but refuse runtime changes, peering and traps
restrict default nomodify nopeer notrap
# the local host itself is unrestricted ("restrict default" takes flags only, no address)
restrict 127.0.0.1 mask 255.0.0.0
Client, for example bernadette, 192.168.1.2
# drop every packet by default...
restrict default ignore
# ...except from the local host
restrict 127.0.0.1 mask 255.0.0.0
# ...and from the LAN server, whose replies must be let in
restrict 192.168.1.252 mask 255.255.255.255
The German philosopher Lichtenberg (in fact, a physics teacher) once
wrote: "One often has to write very long letters before one can
actually write short letters." (Translation by me, hence the klutziness.)
Again, I'll be happy to learn from eventual mistakes.
Cheers from the cloudy South of France,
PS: indeed, my girlfriend loves me for other reasons than my desperate
attempts at shutting myself out from my own NTP server :o)
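The point made in the quoted reply, that a "restrict default ignore" server also drops the answers coming back from its own upstream servers unless something (the subnet entry or "restrict source") lets them in, is easy to check by hand once you know how the restrict list is matched. The script below is an added illustration written for this thread, not ntpd code and not part of the original post. It models ntpd's rule as "the most specific (longest-mask) matching entry wins" and applies the "restrict source" flags to each configured server's address; both are simplifications of ntpd's behaviour stated here as assumptions. The three configuration fragments and the addresses 203.0.113.10 (standing in for a pool server) and 198.51.100.7 (an arbitrary Internet host) are constructed for the example.

```python
"""Model how ntpd's 'restrict' list decides what a packet's source may do.
Added illustration, not ntpd code.  Modelled rule (an assumption about
ntpd, simplified): the most specific matching entry wins, and 'restrict
source' is applied to the address of every configured server."""
import ipaddress

# Subset of ntpd restrict keywords this model understands.
RESTRICT_FLAGS = {"ignore", "kod", "limited", "nomodify", "nopeer",
                  "noquery", "noserve", "notrap", "notrust", "version"}


def parse_ntp_conf(text):
    """Return [(network, flags)] for the restrict lines of an ntp.conf
    fragment.  Raises ValueError on a token it cannot interpret, e.g. an
    address written after 'restrict default' (which takes flags only)."""
    entries, servers, source_flags = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        words = line.split()
        if words[0] in ("server", "peer", "pool"):
            servers.append(words[1])
            continue
        if words[0] != "restrict":
            continue                             # driftfile etc.: irrelevant here
        if words[1] == "-6":
            continue                             # IPv6 entries: out of scope for this model
        if words[1] == "-4":
            del words[1]
        target, rest = words[1], words[2:]
        if target == "source":
            source_flags = frozenset(rest)       # template for configured servers
            continue
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[:1] == ["mask"]:
            net = ipaddress.ip_network(f"{target}/{rest[1]}", strict=False)
            rest = rest[2:]
        else:
            net = ipaddress.ip_network(target)   # single host, /32
        unknown = [w for w in rest if w not in RESTRICT_FLAGS]
        if unknown:
            raise ValueError(f"{line!r}: unexpected token(s) {unknown}")
        entries.append((net, frozenset(rest)))
    if source_flags is not None:
        for host in servers:
            try:
                entries.append((ipaddress.ip_network(host), source_flags))
            except ValueError:
                pass                             # hostname: ntpd resolves it at run time, skipped here
    return entries


def is_valid_conf(text):
    """True when every restrict line of the fragment parses."""
    try:
        parse_ntp_conf(text)
        return True
    except ValueError:
        return False


def effective_flags(entries, address):
    """Flags applied to a packet from `address`: longest-prefix match wins;
    no matching entry at all means no restrictions."""
    addr = ipaddress.ip_address(address)
    matches = [(net.prefixlen, flags) for net, flags in entries if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else frozenset()


def can_get_time(entries, address):
    """Would a request, or a server's reply, from `address` be accepted?"""
    return not (effective_flags(entries, address) & {"ignore", "noserve"})


# Constructed sample fragments, modelled on the two posted in the thread.
# 203.0.113.10 is a documentation address standing in for a pool server.
SERVER_CONF_LOOSE = """
server 203.0.113.10
restrict default nomodify nopeer notrap
restrict 127.0.0.1 mask 255.0.0.0
"""

# Tighter server policy in the spirit of the quoted advice: ignore the
# world, serve time to the LAN only, and admit the upstream's replies
# through 'restrict source' instead of leaving the default open.
SERVER_CONF_TIGHT = """
server 203.0.113.10
restrict default ignore
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer notrap noquery
restrict source nomodify nopeer notrap noquery
"""

CLIENT_CONF = """
server 192.168.1.252
restrict default ignore
restrict 127.0.0.1 mask 255.0.0.0
restrict 192.168.1.252 mask 255.255.255.255
"""

SAMPLE_SOURCES = {"loopback": "127.0.0.1", "lan client": "192.168.1.2",
                  "upstream": "203.0.113.10", "internet": "198.51.100.7"}


def policy_report(conf_text, sources=SAMPLE_SOURCES):
    """Map each named source to (accepted?, sorted flags) under conf_text."""
    entries = parse_ntp_conf(conf_text)
    return {name: (can_get_time(entries, ip),
                   tuple(sorted(effective_flags(entries, ip))))
            for name, ip in sources.items()}


if __name__ == "__main__":
    for label, conf in [("loose server", SERVER_CONF_LOOSE),
                        ("tight server", SERVER_CONF_TIGHT),
                        ("client", CLIENT_CONF)]:
        print(label)
        for name, (ok, flags) in policy_report(conf).items():
            print(f"  {name:10s} accepted={ok!s:5} flags={' '.join(flags) or '-'}")
```

Running it shows the difference the thread is about: with the loose server policy every address on the Internet is served (only modification, peering and traps are refused); with the tight policy the Internet host is ignored, the LAN subnet is served, and the upstream's replies survive only because "restrict source" gives 203.0.113.10 its own entry. Commenting that line out in SERVER_CONF_TIGHT makes the upstream fall back to "default ignore", which is the silent failure the quoted reply warns about. The parser also rejects an address placed after "restrict default", since that keyword accepts flags only.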