[ntp:questions] NTP on small 100% Linux LAN : reasonable access control policy ?

Danny Mayer mayer at ntp.org
Wed Aug 4 03:10:54 UTC 2010


On 8/3/2010 3:25 AM, Rob wrote:
> Danny Mayer <mayer at ntp.org> wrote:
>>> Server : grossebertha, 192.168.1.252
>>>
>>> # /etc/ntp.conf
>>>
>>> driftfile /var/lib/ntp/drift
>>> logfile /var/log/ntp.log
>>>
>>> server 0.fr.pool.ntp.org
>>> server 1.fr.pool.ntp.org
>>> server 2.fr.pool.ntp.org
>>> server 3.fr.pool.ntp.org
>>>
>>> restrict default nomodify nopeer notrap
>>> restrict default 127.0.0.1 mask 255.0.0.0
> 
> It should be: restrict 127.0.0.1 mask 255.0.0.0

No, it should be restrict 127.0.0.1 mask 255.255.255.255 if you want to
use a netmask here, something that is really unnecessary. The usual way
is just to use restrict 127.0.0.1. Refclocks aren't part of restrict
statements even though they look like IPv4 addresses.

>>
>> You also need to allow in the servers you specified above otherwise your
>> server will never get any timesource synchronized.
>>
>> Danny
> 
> This is not correct.

Yes it is. Even though the above configuration does not prevent the
packets from coming in, if you use pool address names (FQDN) and are not
careful, you will find that when it comes to configuring the addresses
in the restrict statements you don't know which ones it got back and
each DNS name will likely result in a different IP address. The restrict
source statement was implemented to deal with that issue.

Danny
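For reference, the corrected ntp.conf for the setup discussed in this thread, written as an added illustration rather than anything posted by the participants. The 192.168.1.0/24 LAN range, the kod/noquery/limited flags and the use of restrict source (which needs a recent ntpd, 4.2.8 supports it) are assumptions beyond what the thread shows.

```conf
# /etc/ntp.conf for grossebertha (192.168.1.252), added example

driftfile /var/lib/ntp/drift
logfile   /var/log/ntp.log

# Upstream pool servers; each name may resolve to a different address
# on every lookup, so they cannot be listed in static restrict lines.
server 0.fr.pool.ntp.org iburst
server 1.fr.pool.ntp.org iburst
server 2.fr.pool.ntp.org iburst
server 3.fr.pool.ntp.org iburst

# Weak line from the original post (kept here commented out):
#   restrict default 127.0.0.1 mask 255.0.0.0
# "restrict default" takes no address; the address is simply ignored,
# and a /8 mask on loopback is wrong anyway.

# Default: nobody may modify, peer, trap, or query status; rate-limited,
# kiss-o'-death packets tell abusive clients to back off.
restrict default kod limited nomodify nopeer noquery notrap

# Localhost gets full access (ntpq/ntpdc against this host). No mask needed.
restrict 127.0.0.1
restrict -6 ::1

# Clients on the LAN (assumed 192.168.1.0/24) may sync and query status,
# but not modify the daemon or register traps.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer

# Whatever addresses the pool names resolve to are allowed in as time
# sources, without being able to modify or trap this server.
restrict source nomodify notrap nopeer noquery
```

Check the resulting associations with `ntpq -p`; if the pool servers never leave reach 0, the default restriction is still blocking them.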
