[ntp:questions] restrict source available from which version?
Brian Inglis
Brian.Inglis at SystematicSw.ab.ca
Sat Dec 31 08:09:46 UTC 2016
On 2016-12-30 16:32, Ask Bjørn Hansen wrote:
> On Tuesday, September 6, 2016 at 1:41:10 AM UTC-7, Miroslav Lichvar wrote:
>> On 2016-09-05, ask at ntppool.org <ask at ntppool.org> wrote:
>>> My draft has the following as the recommendation for someone using the
>>> pool (on 4.2.8 or later):
>>> driftfile /var/lib/ntp/ntp.drift
>>> restrict default kod nomodify notrap nopeer noquery
>>> restrict -6 default kod nomodify notrap nopeer noquery
>> I think this line shouldn't be necessary as restrict default specified
>> without -4 and -6 should apply to both.
> Ok, thank you. Is that the case for older versions of ntpd, too?
> There's obviously a bit of cargo cult going on here, I appreciate the
> help getting to an actual best practices recommendation. :-/
> For Martin's comment about kod and limited:
> I'm not sure if 'limited' works on a reasonably busy NTP server
> (hundreds to a few thousand queries a second) and I don't think
> anyone has shown that KoD packets do something useful for a
> meaningful number of the "bad clients", so I should probably just
> take 'kod' out.
Works with typical bad clients but most ignore KoD packets anyway
so just avoid the MRU list overhead and sending KoD - see
http://doc.ntp.org/current-stable/rate.html for how it works.
>>> restrict source notrap nomodify noquery
restrict source added with pool in 4.2.7p22 2010/04/02,
docs updated in 4.2.7p24 2010/04/13.
>>> restrict 127.0.0.1
>>> restrict -6 ::1
>>>
>>> pool 0.pool.ntp.org
Add preempt to pool statements to drop unselected servers and
acquire new servers to maintain a majority clique - see below.
>> How many servers should the client use at the same time? The
>> default value of tos maxclock is 10, so it would use 10 servers.
>> That seems a bit excessive. If it should be equivalent to the
>> current recommendation, the config would need to include
>>
>> tos maxclock 4
Keep it odd - tos maxclock 5 - for sync, majority clique requires
truechimers *>* falsetickers - truechimers == falsetickers is
*unsynced* - 5 allows 2 servers "off" in some way at the same time
(e.g. during weekend maintenance windows when servers often drop
out - YMMV) see http://doc.ntp.org/current-stable/select.html .
>> Also, how about adding the iburst option? Considering that a
>> significant part of NTP traffic is from ntpdate (which sends four
>> packets in 2s interval) and that most Linux distributions seem to
>> use iburst in their default ntp.conf, I think it could be
>> recommended to everyone.
>
> Hmm, I could get convinced of that.
Also add iburst to pool statements.
And only use minpoll and/or maxpoll on local ref clocks.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
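A check of the kind discussed in this thread, as an added example that is not part of the original posts: a small Python linter that flags the settings the replies recommend changing (a redundant `restrict -6 default`, `kod`/`limited` on the default restriction, pool lines without `iburst`/`preempt`, an even `tos maxclock`, and `minpoll`/`maxpoll` on anything other than a local refclock). The sample ntp.conf is constructed, and the 4.2.8-or-later assumption follows the thread.

```python
# Constructed sample resembling the draft config quoted in the thread
# (not a real ntp.conf from the pool project).
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict source notrap nomodify noquery
restrict 127.0.0.1
restrict -6 ::1
pool 0.pool.ntp.org
tos maxclock 4
server 127.127.1.0 minpoll 4
server ntp.example.com maxpoll 10
"""

def lint_ntp_conf(text):
    """Return (line_number, message) pairs for settings the thread
    recommends changing. Assumes ntpd 4.2.8 or later."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "restrict" and "default" in args:
            if args[:2] == ["-6", "default"]:
                findings.append((lineno, "'restrict -6 default' is redundant: "
                                 "'restrict default' covers IPv4 and IPv6"))
            for flag in ("kod", "limited"):
                if flag in args:
                    findings.append((lineno, f"'{flag}' adds MRU-list/rate-limit "
                                     "overhead and most bad clients ignore KoD"))
            for flag in ("nomodify", "noquery", "nopeer"):
                if flag not in args:
                    findings.append((lineno, f"restrict default lacks '{flag}'"))
        elif kw == "pool" and args:
            for opt in ("iburst", "preempt"):
                if opt not in args:
                    findings.append((lineno, f"pool {args[0]}: add '{opt}'"))
        elif kw == "tos" and len(args) >= 2 and args[0] == "maxclock":
            if int(args[1]) % 2 == 0:
                findings.append((lineno, f"tos maxclock {args[1]} is even; use an odd "
                                 "value (e.g. 5) so truechimers outnumber falsetickers"))
        elif kw in ("server", "peer") and args:
            if not args[0].startswith("127.127.") and {"minpoll", "maxpoll"} & set(args):
                findings.append((lineno, f"{kw} {args[0]}: keep minpoll/maxpoll "
                                 "for local refclocks only"))
    return findings
```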