[ntp:questions] NTP not syncing
Brian.Inglis at SystematicSw.ab.ca
Mon Nov 25 22:48:40 UTC 2013
On 2013-11-24 18:05, Antonio Marcheselli wrote:
>> 'restrict 192.168.1.10' sets a null restriction set for that address.
>> IOW it removes all restrictions.
> Thanks Steve.
> I had a look at the 'restrict' parameters; the line I have is
> restrict 18.104.22.168 mask 255.255.255.0 nomodify
As David implied earlier - if a bit is zero in the mask it must be zero in the address!
Mask is for unrestricting a subnet - in this case 22.214.171.124 => .0-.255.
If you want to change restrictions for a single address do not use any mask,
so it defaults to the mask 255.255.255.255 for a single address.
> which I understand prevents 126.96.36.199 from modifying the NTP configuration, is that correct?
You need to start by blocking everything:

    restrict default kod limited nomodify notrap nopeer noquery

to block most stuff from most places, as the default is allow everything from everywhere,

    restrict 0.0.0.0 mask 0.0.0.0 # notice no restrictions!!!

for other NTP servers add:

    restrict name kod limited nomodify notrap

then allow the localhost to change anything:

    restrict 127.0.0.1 # allow ipv4 localhost
    restrict ::1 # allow ipv6 localhost6

and if you have other admin servers you can add similar statements with their DNS names.
I look forward to others correcting any bad assumptions I picked up from old releases. ;^>
Take care. Thanks, Brian Inglis
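
Added example, not part of the original post: a small Python check for the rules stated in this thread (an address must be zero wherever its mask is zero; a restrict line with no flags removes all restrictions) and for a default entry carrying the flags from the "block everything" line above. The sample config and its 192.0.2.x addresses are constructed, and only the address, mask and flag parts of a restrict line are parsed.

```python
import ipaddress

# Flags the post puts on its "block everything" default entry.
DEFAULT_FLAGS = {"kod", "limited", "nomodify", "notrap", "nopeer", "noquery"}

def audit_restrict(conf_text):
    """Return (line_number, message) findings for ntp.conf 'restrict' lines."""
    findings, default_seen = [], False
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tok = [t for t in raw.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest, mask = tok[1], tok[2:], None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        flags = set(rest)
        if addr == "default" or (addr, mask) == ("0.0.0.0", "0.0.0.0"):
            default_seen = True
            missing = sorted(DEFAULT_FLAGS - flags)
            if missing:
                findings.append((n, "default entry lacks: " + " ".join(missing)))
            continue
        try:
            ip = ipaddress.ip_address(addr)
            m = int(ipaddress.IPv4Address(mask)) if mask and ip.version == 4 else None
        except ValueError:
            continue  # DNS name or unparsable mask: nothing to compare
        if m is not None and int(ip) & ~m & 0xFFFFFFFF:
            net = ipaddress.IPv4Address(int(ip) & m)
            findings.append((n, f"{addr} has bits set where mask {mask} is zero; "
                                f"use {net} or drop the mask"))
        if not flags and not ip.is_loopback:
            findings.append((n, f"{addr} has no flags: all restrictions removed"))
    if not default_seen:
        findings.append((0, "no default restrict entry"))  # line 0 = whole file
    return findings

# Constructed sample config (192.0.2.0/24 is a documentation range).
BAD = """\
restrict 192.0.2.17 mask 255.255.255.0 nomodify
restrict 192.0.2.40
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for line_no, msg in audit_restrict(BAD):
        print(line_no, msg)
```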