Source-Changes-D archive



On Mon, 06 Jan 2014, Alan Barrett wrote:
On Mon, 06 Jan 2014, Erik Fair wrote:
Unless I misunderstand NTP configuration semantics, your additional "restrict" statements for the NTP pool names will do the wrong thing, in that each reference to a given name returns multiple IP addresses, in apparently random order, i.e. an attempt to guarantee no two queries return the same data.

Ergo, those restrict statements will most probably not end up with the same IP address as their preceding "server" statements, as was presumably your intent.

Yes, you are correct.  What should we do?

If you have "restrict default nopeer noquery" (the uncommented line in my commit), then time service will still work, but the configured servers will be denied query permission.

If you use "restrict default ignore", then time service does not work.

I propose to remove the commented-out "restrict default ignore", remove the various "restrict *" lines, and remove all mention of special "restrict" lines for each peer or server, and change a few comments. That will leave the restrict-related part of the default configuration like this:

# Access control restrictions.
# See /usr/share/doc/html/ntp/accopt.html for syntax.
# See <> for advice.
# Last match wins.
# Some of the more common keywords are:
#   ignore      Deny packets of all kinds.
#   kod         Send "kiss-o'-death" packets if clients exceed rate
#               limits.
#   nomodify    Deny attempts to modify the state of the server via
#               ntpq or ntpdc queries.
#   noquery     Deny all ntpq and ntpdc queries.  Does not affect time
#               synchronisation.
#   nopeer      Prevent establishing new peer associations.
#               Does not affect peers configured using "peer" lines.
#               Does not affect client/server time synchronisation.
#   noserve     Deny all time synchronisation.  Does not affect ntpq or
#               ntpdc queries.
#   notrap      Deny the trap subset of the ntpdc control message protocol.
#   notrust     Deny packets that are not cryptographically authenticated.
# By default, allow client/server time exchange without prior
# arrangement, but deny configuration changes, queries, and peer
# associations that were not explicitly configured.
restrict default kod nopeer noquery

# Fewer restrictions for the local subnet.
# (Uncomment and adjust as appropriate.)
#restrict mask kod nomodify notrap nopeer
#restrict 2001:db8:: mask ffff:ffff::  kod nomodify notrap nopeer

# No restrictions for localhost.
restrict ::1

Does that sound OK?

--apb (Alan Barrett)
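The following is an added example, not part of the thread or of the NetBSD ntp.conf: a small Python model of how the "restrict" flags in the proposed block affect the three things the message distinguishes (time service, ntpq/ntpdc queries, and peer associations). It parses restrict lines as written in the proposal, applies the most specific matching entry to a source address (how ntpd resolves overlapping entries; for the two-line block proposed above any reading gives the same result), and shows that "restrict default kod nopeer noquery" keeps time service working while "restrict default ignore" does not. The source addresses, the filled-in subnet line (192.0.2.0/24) and the IGNORE_DEFAULT and WITH_SUBNET texts are constructed for the example; only the PROPOSED block comes from the message.

```python
import ipaddress
from dataclasses import dataclass, field

# Which packet kinds each restrict flag denies, following the keyword
# descriptions in the proposed ntp.conf comment block. "kod" only changes
# how a denial is answered, so it denies nothing by itself.
DENIES = {
    "ignore":   {"time", "query", "modify", "peer", "trap"},
    "noserve":  {"time"},
    "noquery":  {"query", "modify"},
    "nomodify": {"modify"},
    "nopeer":   {"peer"},
    "notrap":   {"trap"},
}


@dataclass
class Restrict:
    network: object                     # ipaddress network, or None for "default"
    flags: set = field(default_factory=set)


def mask_to_prefix(mask):
    """Turn a dotted or hex netmask into a prefix length (the ipaddress
    module only accepts prefix lengths for IPv6 masks)."""
    m = ipaddress.ip_address(mask)
    value, bits = int(m), m.max_prefixlen
    prefix = bin(value).count("1")
    if value != ((1 << bits) - 1) ^ ((1 << (bits - prefix)) - 1):
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def parse_restrict(conf):
    """Parse the 'restrict' lines of an ntp.conf text; other lines are ignored."""
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] != "restrict":
            continue
        if words[1] == "default":
            rules.append(Restrict(None, set(words[2:])))
            continue
        addr, rest = words[1], words[2:]
        if rest[:1] == ["mask"]:
            network = ipaddress.ip_network(f"{addr}/{mask_to_prefix(rest[1])}", strict=False)
            rest = rest[2:]
        else:
            network = ipaddress.ip_network(addr)    # single host, /32 or /128
        rules.append(Restrict(network, set(rest)))
    return rules


def effective_flags(rules, source):
    """Flags that apply to packets from `source`: the most specific
    matching entry wins, and 'default' matches every address."""
    src = ipaddress.ip_address(source)
    best_len, best = -2, None
    for r in rules:
        if r.network is None:
            length = -1
        elif r.network.version == src.version and src in r.network:
            length = r.network.prefixlen
        else:
            continue
        if length >= best_len:
            best_len, best = length, r
    return set(best.flags) if best else set()


def allowed(rules, source, kind, authenticated=False):
    """True if a packet of `kind` from `source` would be served."""
    flags = effective_flags(rules, source)
    if "notrust" in flags and not authenticated:
        return False
    return not any(kind in DENIES.get(f, set()) for f in flags)


def summarize(conf, source):
    rules = parse_restrict(conf)
    return {k: allowed(rules, source, k) for k in ("time", "query", "modify", "peer")}


# The restrict block proposed in the message.
PROPOSED = """
restrict default kod nopeer noquery
restrict ::1
"""

# The alternative the message warns against: time service stops working.
IGNORE_DEFAULT = """
restrict default ignore
restrict ::1
"""

# Constructed example of a filled-in "local subnet" line, using the
# documentation range 192.0.2.0/24 (not an address from the message).
WITH_SUBNET = PROPOSED + "restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer\n"

if __name__ == "__main__":
    for name, conf in (("proposed", PROPOSED), ("ignore", IGNORE_DEFAULT), ("subnet", WITH_SUBNET)):
        for src in ("203.0.113.10", "192.0.2.5", "::1"):
            print(f"{name:9} {src:14} {summarize(conf, src)}")
```

Running it prints, per configuration and source, which of time/query/modify/peer would be served: under PROPOSED an arbitrary remote client gets time but no queries or peering, localhost gets everything, and under IGNORE_DEFAULT the remote client gets nothing at all, which is the behaviour the message describes.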
