[ntp:questions] NTP on small 100% Linux LAN : reasonable access control policy ?

Danny Mayer mayer at ntp.org
Tue Aug 3 02:29:21 UTC 2010


On 8/2/2010 9:09 AM, Niki Kovacs wrote:
> Danny Mayer a écrit :
>>
>> Unfortunately this USENET group is full of compulsive obsessive freaks
>> desperately trying to keep their system clocks as close as they can to
>> UTC. If they had the money they would buy atomic clocks, but since they
>> don't they join this group to commiserate with their fellow compulsives.
>> So you just joined a support group.
> 
> In short, I've just happened to ask "How's the weather, guys?" on a
> Harvard Congress Of Quantum Meteorology.

All answers here follow the Heisenberg Uncertainty Principle. In other
words the questioner is uncertain as to whether or not the answer has
any value or meaning.

>>
>> If you just want the servers/clients to supply time to an internal group
>> of systems, you can set up the restricts to allow access only to the
>> subnet but you must allow in the answers to external requests otherwise
>> they will get dropped. The recent addition of restrict source helps with
>> that.
> 
> I admit bluntly I'm trying to make sense out of a series of tutorials,
> HOWTOs and other recipes. What I do have here is a small LAN, a server
> and a bunch of clients, and I want the server to synchronize with some
> pool server, and then the machines on the LAN to synchronize with the
> local server, no more, no less. So far, I managed to do that. And now,
> well, out of some sort of common sense, I thought : OK, let's make this
> service available to those that need it, and close it down for everybody
> else, because after all, you never know. My security approach
> deliberately follows some private KISS (Keep It Simple, Stupid) principle.
> 

I suggest you visit the following support page:
http://support.ntp.org/bin/view/Support/AccessRestrictions which should
help you a great deal in understanding how to configure all those restrict
statements, and impress your girlfriend as well! There's a wealth of
information in the support pages.

> I reworked my setup since yesterday, here's what I got :
> 
> Server : grossebertha, 192.168.1.252
> 
> # /etc/ntp.conf
> 
> driftfile /var/lib/ntp/drift
> logfile /var/log/ntp.log
> 
> server 0.fr.pool.ntp.org
> server 1.fr.pool.ntp.org
> server 2.fr.pool.ntp.org
> server 3.fr.pool.ntp.org
> 
> restrict default nomodify nopeer notrap
> restrict 127.0.0.1 mask 255.0.0.0
> 

You also need to allow in the servers you specified above otherwise your
server will never get any timesource synchronized.

Danny
> 
> Client, for example bernadette, 192.168.1.2
> 
> # /etc/ntp.conf
> 
> driftfile /var/lib/ntp/drift
> logfile /var/log/ntp.log
> 
> server 192.168.1.252
> 
> restrict default ignore
> restrict 127.0.0.1 mask 255.0.0.0
> restrict 192.168.1.252 mask 255.255.255.255
> 
> 
> The German philosopher Lichtenberg (in fact, a physics teacher) once
> wrote : "One often has to write very long letters before one can
> actually write short letters." (Translation by me, hence the klutziness.)
> 
> Again, I'll be happy to learn from eventual mistakes.
> 
> Cheers from the cloudy South of France,
> 
> Niki
> 
> PS : indeed, my girlfriend loves me for other reasons than my desperate
> attempts at shutting myself out from my own NTP server :o)
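Added example, not code from the thread or from the NTP project: a small Python evaluator of ntpd's restrict semantics (the most specific matching entry decides, with "restrict source" modelled as a host entry per configured server) run against a server config constructed from Danny's advice above and against Niki's posted client config. The pool address 203.0.113.5 is a constructed stand-in, and the tie-break order between an explicit host entry and the restrict-source template is an assumption.

```python
import ipaddress
# Added example (not the thread's code): evaluate ntpd "restrict" lines as ntpd does.
def parse_restricts(conf):
    """Return ([(network, flags), ...] in file order, restrict-source flags or None)."""
    entries, source_flags = [], None
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        target, rest = words[1], words[2:]
        if target == "source":
            source_flags = set(rest)
            continue
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            mask = "255.255.255.255"  # no 'mask' keyword means a single host
            if rest[:1] == ["mask"]:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{target}/{mask}", strict=False)
        entries.append((net, set(rest)))
    return entries, source_flags
def effective_flags(conf, addr, configured_servers=()):
    """Flags for packets from addr. 'restrict source' is modelled as a host entry
    per configured server, placed after explicit entries (tie-break assumption)."""
    entries, source_flags = parse_restricts(conf)
    for srv in configured_servers if source_flags is not None else ():
        entries.append((ipaddress.ip_network(f"{srv}/32"), source_flags))
    ip = ipaddress.ip_address(addr)
    matches = [e for e in entries if ip in e[0]]
    if not matches:
        return set()  # nothing matched: ntpd imposes no restriction
    return max(matches, key=lambda e: e[0].prefixlen)[1]  # first longest mask wins
def allowed(conf, addr, what, configured_servers=()):
    """what: 'time', 'query' (ntpq/ntpdc reads) or 'modify' (runtime config)."""
    flags = effective_flags(conf, addr, configured_servers)
    deny = {"time": {"noserve"}, "query": {"noquery"}, "modify": {"nomodify", "noquery"}}
    return "ignore" not in flags and not (deny[what] & flags)
# Constructed server config following Danny's advice: serve only the LAN and
# use 'restrict source' so replies from the configured pool servers get in.
SERVER_CONF = """restrict default ignore
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer notrap noquery
restrict source nomodify nopeer notrap noquery"""
# Niki's client config as posted; POOL is a constructed resolved pool address.
CLIENT_CONF = """restrict default ignore
restrict 127.0.0.1 mask 255.0.0.0
restrict 192.168.1.252 mask 255.255.255.255"""
POOL = ("203.0.113.5",)
```

With this, `allowed(SERVER_CONF, "203.0.113.5", "time", POOL)` is true only because of the `restrict source` line; without it the pool replies fall under `restrict default ignore` and are dropped, which is the trap Danny warns about.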




