[ntp:questions] restrict options

Steve Kostecke kostecke at ntp.isc.org
Mon Jul 11 16:26:39 UTC 2005


smb said:

>How can I configure ntp to ensure it only serves clients on my internal 
>network, whilst at the same time allowing it to sync with external 
>servers?  Here's my ntp.conf:
>
>restrict default noquery nomodify noserve

You should not be using 'noserve' or 'ignore', for that matter, unless
you are prepared to list every single authorized client host/subnet and
remote time server BY IP ADDRESS.

>restrict 127.0.0.1
>restrict 192.168.0.0 mask 255.255.255.0 nomodify
>server ntp0.pipex.net
>server ntp1.pipex.net
>server ntp2.pipex.net
>driftfile /etc/ntp.drift
>logfile /var/log/ntp.log

>I thought this should work, but my machine can't sync with the external
>servers.

Try this:

# Administrivia
driftfile /etc/ntp.drift
logfile /var/log/ntp.log

# Default Restriction
restrict default ignore

# Authorized Clients
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify

# Remote Time Servers (and their restrict lines)
server ntp0.pipex.net
restrict 158.43.128.33
server ntp1.pipex.net
restrict 158.43.128.66
server ntp2.pipex.net
restrict 158.43.192.66

>It works just fine if I comment out the restrict lines. I have a
>firewall/router,

Please take a look at http://ntp.isc.org/Support/AccessRestrictions

>but I have forwarded port 123 UDP to my machine.

By doing this you have made it possible for 'outsiders' to directly
contact your internal ntpd.

Your internal ntpd should be able to contact remote time servers through
your firewall/router without port forwarding, as long as port 123/UDP
is not blocked.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project http://ntp.isc.org/
Public Key at http://ntp.isc.org/Users/SteveKostecke
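Added example (mine, not code from the post or the NTP project): a small Python checker that applies the rule above, flagging any `server` whose replies a blocking default `restrict` would drop because no restrict line of its own lets them in. It assumes a constructed hostname-to-address map in place of DNS lookups and matches only exact-address restrict lines, not subnets.

```python
# Constructed sample: the corrected ntp.conf from the post, comments dropped.
SAMPLE_CONF = """\
restrict default ignore
restrict 192.168.0.0 mask 255.255.255.0 nomodify
server ntp0.pipex.net
restrict 158.43.128.33
server ntp1.pipex.net
restrict 158.43.128.66
server ntp2.pipex.net
restrict 158.43.192.66
"""
# Constructed hostname -> address map standing in for DNS (runs offline);
# the addresses are the ones quoted in the post.
RESOLVED = {"ntp0.pipex.net": "158.43.128.33", "ntp1.pipex.net": "158.43.128.66",
            "ntp2.pipex.net": "158.43.192.66"}
BLOCKING = {"ignore", "noserve"}  # restrict flags that drop time packets

def parse_conf(text):
    """Return (default_flags, restrict flags by exact address, server names)."""
    default_flags, restricts, servers = set(), {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # strip comments and blanks
        if len(words) < 2:
            continue
        if words[0] == "restrict":
            flags = words[2:]
            if flags[:1] == ["mask"]:          # skip 'mask a.b.c.d'
                flags = flags[2:]
            if words[1] == "default":
                default_flags = set(flags)
            else:
                restricts[words[1]] = set(flags)
        elif words[0] in ("server", "peer"):
            servers.append(words[1])
    return default_flags, restricts, servers

def blocked_servers(text, resolved):
    """Return [(host, reason)] for servers whose replies ntpd would drop."""
    default_flags, restricts, servers = parse_conf(text)
    problems = []
    for host in servers:
        addr = resolved.get(host)
        if addr is None:
            problems.append((host, "unresolved; no restrict line can match"))
            continue
        # An exact-address restrict line overrides the default (simplification).
        hit = restricts.get(addr, default_flags) & BLOCKING
        if hit:
            problems.append((host, "matching restrict has " + " ".join(sorted(hit))))
    return problems
```

Running `blocked_servers(SAMPLE_CONF, RESOLVED)` on the corrected config returns an empty list; feeding it the original `restrict default noquery nomodify noserve` config without per-server restrict lines flags every server.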


