On Mon, 06 Jan 2014, Alan Barrett wrote:
On Mon, 06 Jan 2014, Erik Fair wrote:
Unless I misunderstand NTP configuration semantics, your additional
"restrict" statements for the NTP pool names will do the wrong
thing, in that each reference to a given netbsd.pool.ntp.org name
returns multiple IP addresses, in apparently random order, i.e. an
attempt to guarantee no two queries return the same data.
Ergo, those restrict statements will most probably not end up with
the same IP address as their preceding "server" statements, as was
presumably your intent.
Yes, you are correct. What should we do?
If you have "restrict default nopeer noquery" (the uncommented line in
my commit), then time service will still work, but the configured
servers will be denied query permission.
If you use "restrict default ignore", then time service does not work.
I propose to remove the commented-out "restrict default ignore",
remove the various "restrict *.netbsd.pool.ntp.org" lines,
and remove all mention of special "restrict" lines for each
peer or server, and change a few comments. That will leave the
restrict-related part of the default configuration like this:
# Access control restrictions.
# See /usr/share/doc/html/ntp/accopt.html for syntax.
# See <http://support.ntp.org/bin/view/Support/AccessRestrictions> for advice.
# Last match wins.
# Some of the more common keywords are:
#   ignore      Deny packets of all kinds.
#   kod         Send "kiss-o'-death" packets if clients exceed rate
#   nomodify    Deny attempts to modify the state of the server via
#               ntpq or ntpdc queries.
#   noquery     Deny all ntpq and ntpdc queries. Does not affect time
#   nopeer      Prevent establishing new peer associations.
#               Does not affect peers configured using "peer" lines.
#               Does not affect client/server time synchronisation.
#   noserve     Deny all time synchronisation. Does not affect ntpq or
#               ntpdc queries.
#   notrap      Deny the trap subset of the ntpdc control message protocol.
#   notrust     Deny packets that are not cryptographically authenticated.
# By default, allow client/server time exchange without prior
# arrangement, but deny configuration changes, queries, and peer
# associations that were not explicitly configured.
restrict default kod nopeer noquery
# Fewer restrictions for the local subnet.
# (Uncomment and adjust as appropriate.)
#restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer
#restrict 2001:db8:: mask ffff:ffff:: kod nomodify notrap nopeer
# No restrictions for localhost.
Does that sound OK?
--apb (Alan Barrett)
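The following is an added worked example, not part of the mail above and not code from ntpd or the NetBSD tree. It models the two points the thread makes: a "restrict" line keyed by a pool hostname is resolved separately from the "server" line with the same name, so with rotating DNS answers it usually lands on a different address and the server association falls back to the "restrict default" flags; and "restrict default ignore" stops time service while "kod nopeer noquery" does not. The resolver, the pool name, the 198.51.100.x addresses, and the localhost "restrict" lines are constructed for the example; the sort-then-last-match evaluation mirrors the "last match wins" rule quoted in the config comments, with ntpd's ordering of broader masks first taken as an assumption.

```python
"""Toy evaluator for ntp.conf 'restrict' lines (added example, not from the
NetBSD mail or from ntpd itself).  It shows why a 'restrict <pool-name>'
line gives no guarantee about the server reached via 'server <pool-name>',
and which flags the default line then leaves in force for that server."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed config: the proposed restrict block from the mail with the
# commented-out subnet lines enabled and localhost lines added for the example.
PROPOSED_CONF = """
restrict default kod nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer
restrict 2001:db8:: mask ffff:ffff:: kod nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
"""


@dataclass(frozen=True)
class RestrictRule:
    network: Network
    flags: frozenset


class RoundRobinResolver:
    """Constructed stand-in for DNS: every lookup of a pool name hands out the
    next address in its list, like the rotating answers the thread describes."""

    def __init__(self, table: Dict[str, List[str]]):
        self.table = {name: list(addrs) for name, addrs in table.items()}
        self.position = {name: 0 for name in table}

    def resolve(self, name: str) -> str:
        addrs = self.table[name]
        addr = addrs[self.position[name] % len(addrs)]
        self.position[name] += 1
        return addr


def parse_restrict(conf: str, resolver: RoundRobinResolver) -> List[RestrictRule]:
    """Parse 'restrict' lines.  'default' covers both address families and a
    hostname is resolved once per line, i.e. independently of any 'server' line."""
    rules: List[RestrictRule] = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] != "restrict":
            continue
        target, rest = words[1], words[2:]
        if target == "default":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            try:
                addr = ipaddress.ip_address(target)
            except ValueError:
                addr = ipaddress.ip_address(resolver.resolve(target))
            prefixlen = addr.max_prefixlen
            if rest[:1] == ["mask"]:
                # Count the set bits of a dotted or colon mask to get the prefix length.
                prefixlen = bin(int(ipaddress.ip_address(rest[1]))).count("1")
                rest = rest[2:]
            net_cls = ipaddress.IPv4Network if addr.version == 4 else ipaddress.IPv6Network
            nets = [net_cls((str(addr), prefixlen), strict=False)]
        rules.extend(RestrictRule(net, frozenset(rest)) for net in nets)
    return rules


def effective_flags(rules: List[RestrictRule], source: str) -> Set[str]:
    """Assumed ntpd behaviour: the list is kept sorted with broader masks
    first and the last match wins, so the most specific entry decides."""
    addr = ipaddress.ip_address(source)
    flags: Set[str] = set()
    for rule in sorted(rules, key=lambda r: r.network.prefixlen):
        if rule.network.version == addr.version and addr in rule.network:
            flags = set(rule.flags)
    return flags


def time_service_allowed(flags: Set[str]) -> bool:
    """'ignore' drops everything and 'noserve' drops time packets; the other
    flags only limit queries, modification, traps or new peer associations."""
    return not ({"ignore", "noserve"} & flags)


def pool_restrict_demo(default_line: str = "restrict default kod nopeer noquery"):
    """Resolve a pool name once for 'server' and again for 'restrict', then
    report which flags actually apply to the server ntpd is talking to."""
    resolver = RoundRobinResolver(
        {"0.netbsd.pool.ntp.org": ["198.51.100.10", "198.51.100.20", "198.51.100.30"]}
    )
    server_addr = resolver.resolve("0.netbsd.pool.ntp.org")   # the 'server' line's lookup
    conf = PROPOSED_CONF.replace("restrict default kod nopeer noquery", default_line)
    conf += "restrict 0.netbsd.pool.ntp.org nomodify notrap\n"  # the kind of line Erik objects to
    rules = parse_restrict(conf, resolver)                        # second, independent lookup
    flags = effective_flags(rules, server_addr)
    return server_addr, flags, time_service_allowed(flags)


if __name__ == "__main__":
    print(pool_restrict_demo())
    print(pool_restrict_demo("restrict default ignore"))
```

Run as a script, the first call shows the server address covered only by the default line (the hostname "restrict" resolved to a different address), with time service still working; the second shows that swapping in "restrict default ignore" leaves that server with no time service at all, which is exactly why the proposal keeps "kod nopeer noquery" as the default and drops the per-pool lines.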