[ntp:questions] NTP on small 100% Linux LAN : reasonable access control policy ?

Niki Kovacs mickey at mouse.com
Mon Aug 2 13:09:49 UTC 2010


Danny Mayer wrote:
> 
> Unfortunately this USENET group is full of compulsive obsessive freaks
> desperately trying to keep their system clocks as close as they can to
> UTC. If they had the money they would buy atomic clocks, but since they
> don't they join this group to commiserate with their fellow compulsives.
> So you just joined a support group.

In short, I've just happened to ask "How's the weather, guys?" on a 
Harvard Congress Of Quantum Meteorology.

> 
> If you just want the servers/clients to supply time to an internal group
> of systems, you can set up the restricts to allow access only to the
> subnet but you must allow in the answers to external requests otherwise
> they will get dropped. The recent addition of restrict source helps with
> that.

I admit bluntly I'm trying to make sense out of a series of tutorials, 
HOWTOS and other receipts. What I do have here is a small LAN, a server 
and a bunch of clients, and I want the server to synchronize with some 
pool server, and then the machines on the LAN to synchronize with the 
local server, no more, no less. So far, I managed to do that. And now, 
well, out of some sort of common sense, I thought : OK, let's make this 
service available to those that need it, and close it down for everybody 
else, because after all, you never know. My security approach 
deliberately follows some private KISS (Keep It Simple, Stupid) principle.

I reworked my setup since yesterday, here's what I got :

Server : grossebertha, 192.168.1.252

# /etc/ntp.conf

driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org

restrict default nomodify nopeer notrap
restrict default 127.0.0.1 mask 255.0.0.0


Client, for example bernadette, 192.168.1.2

# /etc/ntp.conf

driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server 192.168.1.252

restrict default ignore
restrict 127.0.0.1 mask 255.0.0.0
restrict 192.168.1.252 mask 255.255.255.255


The German philosopher Lichtenberg (in fact, a physics teacher) once 
wrote : "One often has to write very long letters before one can 
actually write short letters." (Translation by me, hence the klutziness.)

Again, I'll be happy to learn from eventual mistakes.

Cheers from the cloudy South of France,

Niki

PS : indeed, my girlfriend loves me for other reasons than my desperate 
attempts at shutting myself out from my own NTP server :o)
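
Added example, not part of the message above and not ntpd's own code: a small Python check that models the restrict lines of the two ntp.conf files in the post and reports which source addresses each host would exchange time packets with. It assumes the most specific matching rule wins and handles IPv4 only; `LAN_ONLY`, the function names and the outside address 203.0.113.7 are constructed for illustration.

```python
import ipaddress

# Flags seen on this page plus noquery/noserve; IPv4 addresses only.
KNOWN_FLAGS = {"ignore", "nomodify", "nopeer", "notrap", "noquery", "noserve"}
SOURCES = ("192.168.1.2", "192.168.1.252", "203.0.113.7")  # client, server, outsider

def parse_restrict(conf):
    """Return (rules, errors): parsed restrict lines and the lines rejected."""
    rules, errors = [], []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest, mask = tok[1], tok[2:], "255.255.255.255"
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        if addr == "default":
            addr, mask = "0.0.0.0", "0"
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            bad = [t for t in rest if t not in KNOWN_FLAGS]  # non-flag leftovers
        except ValueError:
            bad = [addr]  # address or mask that does not parse as IPv4
        if bad:
            errors.append(line.strip())
        else:
            rules.append((net, frozenset(rest)))
    return rules, errors

def accepts_time_packets(rules, source):
    """True unless the most specific matching rule carries ignore or noserve."""
    ip = ipaddress.ip_address(source)
    hits = [r for r in rules if ip in r[0]]
    flags = max(hits, key=lambda r: r[0].prefixlen, default=(None, frozenset()))[1]
    return not (flags & {"ignore", "noserve"})
# restrict lines copied from the two ntp.conf files in the post
SERVER = """restrict default nomodify nopeer notrap
restrict default 127.0.0.1 mask 255.0.0.0"""
CLIENT = """restrict default ignore
restrict 127.0.0.1 mask 255.0.0.0
restrict 192.168.1.252 mask 255.255.255.255"""
# constructed alternative for the server (assumption): serve the LAN only
LAN_ONLY = """restrict default ignore
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer notrap"""
if __name__ == "__main__":
    for name, conf in (("server", SERVER), ("client", CLIENT), ("lan-only", LAN_ONLY)):
        rules, errors = parse_restrict(conf)
        print(name, [accepts_time_packets(rules, s) for s in SOURCES], errors)
```

In this model the server lines as posted leave time service open to every source address and contain one line the parser rejects. Under the constructed LAN-only policy, packets from outside addresses are dropped, replies from the pool servers included, which is the problem the quoted reply describes.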



