[ntp:questions] NTP not syncing

Brian Inglis Brian.Inglis at SystematicSw.ab.ca
Mon Nov 25 22:48:40 UTC 2013


On 2013-11-24 18:05, Antonio Marcheselli wrote:
>>
>> 'restrict 192.168.1.10' sets a null restriction set for that address.
>> IOW it removes all restrictions.
>
> Thanks Steve.
>
> I had a look at the 'restrict' parameters; the line I have is
>
> restrict 130.1.1.1 mask 255.255.255.0 nomodify

As David implied earlier - if a bit is zero in the mask it must be zero in the address!
Mask is for unrestricting a subnet - in this case 130.1.1.0 => .0-.255.
If you want to change restrictions for a single address do not use any mask,
so it defaults to the mask 255.255.255.255 for a single address.

> which I understand prevents 130.1.1.1 from modifying the NTP configuration, is that correct?

You need to start by blocking everything:
	restrict default kod limited nomodify notrap nopeer noquery
to block most stuff from most places, as the default is allow everything from everywhere,
equivalent to:
	restrict 0.0.0.0 mask 0.0.0.0	# notice no restrictions!!!
for other NTP servers add:
	restrict name kod limited nomodify notrap
then allow the localhost to change anything:
	restrict 127.0.0.1	# allow ipv4 localhost
	restrict ::1		# allow ipv6 localhost6
and if you have other admin servers you can add similar statements with their DNS names.

I look forward to others correcting any bad assumptions I picked up from old releases. ;^>
-- 
Take care. Thanks, Brian Inglis
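
Added example, not part of the original message or of ntpd: a small Python check that parses `restrict` lines, flags an address with bits set where the mask is zero (the `130.1.1.1 mask 255.255.255.0` case above), and reports which flags would apply to a given client. The function names are hypothetical, the sample config is constructed from the lines quoted in the thread, and the lookup assumes the entry is treated as its subnet and that the most specific matching entry wins.

```python
import ipaddress

# Constructed sample input: restrict lines taken from the thread above.
SAMPLE_CONF = """\
restrict default kod limited nomodify notrap nopeer noquery
restrict 130.1.1.1 mask 255.255.255.0 nomodify
restrict 127.0.0.1
restrict ::1
"""

def parse_restrict(line):
    """Return a list of (network, flags, warning) for one ntp.conf line."""
    tok = line.split("#", 1)[0].split()
    if len(tok) < 2 or tok[0] != "restrict":
        return []
    flags = tok[2:]
    if tok[1] == "default":
        # Assumption: 'default' covers both IPv4 and IPv6 sources.
        return [(ipaddress.ip_network(n), flags, None) for n in ("0.0.0.0/0", "::/0")]
    try:
        addr = ipaddress.ip_address(tok[1])
        mask = addr.max_prefixlen          # no mask given: single-host entry
        if len(flags) >= 2 and flags[0] == "mask":
            mask, flags = flags[1], flags[2:]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return [(None, flags, f"{tok[1]}: not a literal address/mask, skipped")]
    warning = None
    if net.network_address != addr:
        warning = f"{addr} has bits set where mask {mask} is zero; entry covers {net}"
    return [(net, flags, warning)]

def load(conf_text):
    entries = []
    for line in conf_text.splitlines():
        entries.extend(parse_restrict(line))
    return entries

def effective_flags(entries, client):
    """Flags of the most specific entry covering client (assumed match rule)."""
    ip = ipaddress.ip_address(client)
    hits = [(net.prefixlen, flags) for net, flags, _ in entries
            if net is not None and net.version == ip.version and ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else []

if __name__ == "__main__":
    entries = load(SAMPLE_CONF)
    for net, flags, warning in entries:
        print(net, flags, warning or "")
    print(effective_flags(entries, "130.1.1.77"))
```

An empty flag list means no restrictions apply to that client, which is also what a source gets when no entry matches and no `restrict default` line is present.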

