[ntp:questions] NTP on small 100% Linux LAN : reasonable access control policy ?

Rob nomail at example.com
Wed Aug 4 07:40:40 UTC 2010


Danny Mayer <mayer at ntp.org> wrote:
> On 8/3/2010 3:25 AM, Rob wrote:
>> Danny Mayer <mayer at ntp.org> wrote:
>>>> Server : grossebertha, 192.168.1.252
>>>>
>>>> # /etc/ntp.conf
>>>>
>>>> driftfile /var/lib/ntp/drift
>>>> logfile /var/log/ntp.log
>>>>
>>>> server 0.fr.pool.ntp.org
>>>> server 1.fr.pool.ntp.org
>>>> server 2.fr.pool.ntp.org
>>>> server 3.fr.pool.ntp.org
>>>>
>>>> restrict default nomodify nopeer notrap
>>>> restrict default 127.0.0.1 mask 255.0.0.0
>> 
>> It should be: restrict 127.0.0.1 mask 255.0.0.0
>
> No, it should be restrict 127.0.0.1 mask 255.255.255.255 if you want to
> use a netmask here, something that is really unnecessary. The usual way
> is just to use restrict 127.0.0.1. refclocks aren't part of restrict
> statements even though they look like IPv4 addresses.

I already followed up that I wanted to point at the
"restrict default 127.0.0.1" and I just copied the line without the
word default which does not belong there.

>>>
>>> You also need to allow in the servers you specified above otherwise your
>>> server will never get any timesource synchronized.
>>>
>>> Danny
>> 
>> This is not correct.
>
> Yes it is. Even though the above configuration does not prevent the
> packets from coming in, if you use pool address names (FQDN) and are not
> careful you will find that when it comes to configuring the addresses
> in the restrict statements you don't know which ones it got back and
> each DNS name will likely result in a different IP address. The restrict
> source statement was implemented to deal with that issue.

It is not an issue in the above configuration.
The "restrict default nomodify nopeer notrap" has no impact on the
server traffic so there is no need for restrict statements for the
servers and thus no problem.
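Since the thread turns on what the two "restrict" lines above actually say, here is an added example (not code from the thread or from the NTP project) that lints restrict lines for the two mistakes discussed, "default" followed by an address and a single host written with a non-host mask, and then computes which flags apply to a given source address. The two configs are constructed: BAD_CONF reproduces the lines quoted in the thread, GOOD_CONF is one corrected form; its "restrict ::1" and "restrict source" lines are my assumptions, not something the thread prescribes. The lookup models ntpd's rule that the most specific matching entry wins and "restrict default" is the fallback; it deliberately says nothing about which packets each flag drops, which is the point under dispute.

```python
"""Lint ntp.conf 'restrict' lines and show the flags applied to an address.

Added example, not the thread's or the NTP project's code. The configs are
constructed for illustration (see the lead-in for which lines are assumed).
"""
import ipaddress

# Constructed: the lines as quoted in the thread.
BAD_CONF = """\
driftfile /var/lib/ntp/drift
server 0.fr.pool.ntp.org
restrict default nomodify nopeer notrap
restrict default 127.0.0.1 mask 255.0.0.0
"""

# Constructed: one corrected form. '::1' and 'restrict source' are assumptions.
GOOD_CONF = """\
driftfile /var/lib/ntp/drift
server 0.fr.pool.ntp.org
restrict default nomodify nopeer notrap
restrict 127.0.0.1
restrict ::1
restrict source nomodify notrap
"""

# Flag keywords documented for ntp.conf 'restrict'.
KNOWN_FLAGS = {"ignore", "kod", "limited", "lowpriotrap", "nomodify",
               "nomrulist", "noquery", "nopeer", "noserve", "notrap",
               "ntpport", "version"}

NETWORK_TYPES = (ipaddress.IPv4Network, ipaddress.IPv6Network)


def parse_restrict(line):
    """Return (target, flags, problems) for one 'restrict ...' line.

    target is an ipaddress network, the string 'default' or 'source',
    or None when the address/mask could not be parsed."""
    tokens = [t for t in line.split()[1:] if t not in ("-4", "-6")]
    problems = []
    if not tokens:
        return None, set(), ["restrict line has no target"]
    target, rest = tokens[0], tokens[1:]
    if target in ("default", "source"):
        # Both keywords take flags only; an address after them is the
        # mistake discussed in the thread.
        if rest and rest[0] not in KNOWN_FLAGS:
            problems.append(f"'{target}' takes no address; drop '{target}' "
                            f"or drop '{rest[0]}'")
            rest = rest[1:]
            if rest[:1] == ["mask"]:
                rest = rest[2:]
    else:
        mask = None
        if rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        try:
            if mask is None:
                target = ipaddress.ip_network(target)          # single host
            else:
                # strict=True rejects host bits set under the mask,
                # e.g. 127.0.0.1 mask 255.0.0.0.
                target = ipaddress.ip_network(f"{target}/{mask}", strict=True)
        except ValueError as exc:
            problems.append(f"bad address/mask ({exc}); a single host needs "
                            "no mask, or mask 255.255.255.255")
            target = None
    flags = set(rest)
    problems.extend(f"unknown flag '{f}'" for f in sorted(flags - KNOWN_FLAGS))
    return target, flags, problems


def lint(conf):
    """Return (line, problem) pairs for every restrict line in conf."""
    found = []
    for line in conf.splitlines():
        if line.split()[:1] == ["restrict"]:
            _, _, problems = parse_restrict(line)
            found.extend((line, p) for p in problems)
    return found


def effective_flags(conf, address):
    """Flags applied to a packet from `address`: the most specific matching
    entry wins; 'restrict default' is the fallback. 'restrict source' is
    skipped because it attaches to associations, not to a fixed address."""
    addr = ipaddress.ip_address(address)
    best, best_len = set(), -2
    for line in conf.splitlines():
        if line.split()[:1] != ["restrict"]:
            continue
        target, flags, _ = parse_restrict(line)
        if target == "default":
            plen = -1
        elif isinstance(target, NETWORK_TYPES) and addr in target:
            plen = target.prefixlen
        else:
            continue
        if plen > best_len:
            best, best_len = flags, plen
    return best


if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, "problems:", lint(conf) or "none")
        for ip in ("127.0.0.1", "192.168.1.10"):
            print(f"  {ip}: {sorted(effective_flags(conf, ip))}")
```

Running it prints one problem for BAD_CONF (the "default ... 127.0.0.1" line) and none for GOOD_CONF, and shows that in GOOD_CONF the loopback address ends up with no flags while any other address gets the default set.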