[ntp:questions] problem with pool directive?

Rob nomail at example.com
Tue Nov 11 09:12:24 UTC 2014


Harlan Stenn <stenn at ntp.org> wrote:
>> > Yes I have the now default "restrict" lines, to remedy the DDOS problem.
>> > There are no specific restrict lines for my other servers.
>> > Do I need a specific one for the pool directive?
>> 
>> For completeness:
>> 
>> restrict -4 default kod notrap nomodify nopeer noquery
>> restrict -6 default kod notrap nomodify nopeer noquery
>
> See http://doc.ntp.org/4.2.6p5/accopt.html (there is similar
> documentation for other versions of NTP).
>
> KOD does nothing without 'limited'.  And reading the docs about this and
> thinking about more bug reports I recall seeing I want to dig in to this
> deeper.  Regardless, this will not affect pool servers.

Note that the above restrict lines are in the default ntp.conf as
distributed by Debian.  I know the kod there does nothing, I have removed
it after I posted that and noticed it.  We have discussed before that this
is what you get when you don't include a ready-for-production example
ntp.conf in the source distribution, and let the individual distributors
construct one themselves.  Probably most Debian users have this useless
kod restrict item in their config (even with limited it is useless and
can only cause trouble).

> notrap prohibits mode 6 trap service - will not affect pool servers.
>
> nomodify prohibits others from modifying your server config - will not
> affect pool servers.
>
> nopeer denies unauthenticated packets that would mobilize an
> association.  This *should* not be an issue, but I have a recollection
> of a bug report...
>
> noquery prohibits ntpq/ntpdc queries - will not affect pool servers.
>
> So try adding:
>
>  restrict source notrap nomodify noquery
>
> and see if that helps.

My latest version of the ntp.conf file includes:

restrict -4 default notrap nomodify nopeer noquery
restrict -6 default notrap nomodify nopeer noquery
restrict source notrap nomodify noquery
restrict 127.0.0.1
restrict ::1

It now suddenly starts working.  I had a version with -4 and -6 lines
before and then it still did not work.  It was my impression that you
always need separate restrict lines for IPv4 and IPv6 but apparently
this is not the case.

Anyway, the reason appears to be what is described in bug 2657.  There
indeed is a problem that makes pool fail in this version without
additional configuration not mentioned in the manpage.

There is now one remaining issue: this pool command has added 7 pool
servers.  That is a bit too much.  I already have two hardwired own
servers and only wanted to add maybe 2 pool members to have redundancy.
I would have expected a "members" option for the pool directive, but
there does not appear to be one.
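The two configuration pitfalls this thread turns on (a "kod" flag that is a no-op without "limited", and a "pool" directive that did not mobilize any servers under the Debian-style "nopeer" default until a "restrict source" line was added) are easy to lint for. The script below is an added example written for this page, not code from the thread participants or from the NTP project; the two sample configurations it embeds are constructed from the restrict lines quoted above plus an assumed "pool 0.debian.pool.ntp.org iburst" line, and the check for "restrict source" encodes the empirical finding of the thread rather than anything from the ntp.conf manpage.

```python
"""Lint an ntp.conf for the two 'restrict' pitfalls discussed in the thread:
'kod' without 'limited' (does nothing) and a 'pool' directive used with a
'nopeer' default but no 'restrict source' line (pool members never mobilize).
Added example; not code from the thread or from the NTP project."""

DEBIAN_STYLE_CONF = """\
# Constructed sample modelled on the Debian default quoted in the thread,
# with an assumed pool line added.
driftfile /var/lib/ntp/ntp.drift
pool 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

FIXED_CONF = """\
# Constructed sample: the configuration that worked at the end of the thread.
driftfile /var/lib/ntp/ntp.drift
pool 0.debian.pool.ntp.org iburst
restrict -4 default notrap nomodify nopeer noquery
restrict -6 default notrap nomodify nopeer noquery
restrict source notrap nomodify noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_conf(text):
    """Yield (keyword, args) for each directive, ignoring blanks and # comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0].lower(), parts[1:]


def restrict_entries(directives):
    """Return [(target, flags)] for every restrict directive.

    target is 'default', 'source' or an address; the -4/-6 family selectors
    and any 'mask x' pair are dropped so that only the flags remain."""
    entries = []
    for keyword, args in directives:
        if keyword != "restrict":
            continue
        args = [a for a in args if a not in ("-4", "-6", "ipv4", "ipv6")]
        if not args:
            continue
        target, rest = args[0], args[1:]
        if rest[:1] == ["mask"]:
            rest = rest[2:]
        entries.append((target, set(rest)))
    return entries


def lint(text):
    """Return a list of findings; an empty list means no pitfalls were found."""
    directives = list(parse_conf(text))
    entries = restrict_entries(directives)
    findings = []

    # Harlan's point above: kod does nothing unless 'limited' is also set.
    for target, flags in entries:
        if "kod" in flags and "limited" not in flags:
            findings.append(f"restrict {target}: 'kod' has no effect without 'limited'")

    uses_pool = any(k == "pool" for k, _ in directives)
    default_has_nopeer = any(t == "default" and "nopeer" in f for t, f in entries)
    source = [f for t, f in entries if t == "source"]

    # The thread's finding (bug 2657): with the nopeer default and no
    # 'restrict source' line, the pool directive added no working servers.
    if uses_pool and default_has_nopeer and not source:
        findings.append("pool: 'restrict default ... nopeer' with no 'restrict source' "
                        "line; pool servers will not be mobilized")
    # A 'restrict source' template that itself carries nopeer defeats its purpose.
    if uses_pool and any("nopeer" in f for f in source):
        findings.append("restrict source: 'nopeer' here blocks the pool associations "
                        "it exists to allow")
    return findings


if __name__ == "__main__":
    for name, conf in (("debian-style", DEBIAN_STYLE_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name}")
        for finding in lint(conf) or ["ok"]:
            print("  " + finding)
```

Run it as-is to see the three findings for the Debian-style file and none for the fixed one; to lint a real file, pass the contents of /etc/ntp.conf to lint(). Note that it says nothing about how many servers a pool line will add, which is the remaining question above.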
