Re: ntp.conf access restriction



In article <slrnee8kq7.96r.this@xxxxxxxxxxxxxxxxxx> Lars Stokholm
<this@xxxxxxxxxx> writes:
> On 2006-08-17, Lars Stokholm <this@xxxxxxxxxx> wrote:
> > restrict default noquery
> > restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
> >
> > That is allow time service from anyone, but allow only queries
> > from LAN. LAN is not allowed control though. Isn't that how it's
> > read?
>
> It can't be, because it doesn't work. I had a friend try to run
> 'ntpdate -q MY_SERVER':
>
> server MY_SERVER, stratum 3, offset 128.200857, delay 0.26935
>
> 17 Aug 13:22:47 ntpdate[25914]: step time server MY_SERVER offset 128.200857 sec
>
> He's not on my LAN so it shouldn't. What's wrong?

Lots of things.:-) First, you're right that the "instead" in the
handbook should be deleted. However the handbook is still wrong, since
with that setup ("default ignore") you won't accept the responses to
your time requests sent to external servers, which makes your server
pretty useless - it won't sync to anything and hence can't keep time on
the local box, let alone serve it to others. (Well, if you obey the
"instead" it will work, but definitely not do what the handbook says it
will.)

I guess you figured that out too, since you replaced the "ignore" with
"noquery" - and then we can't blame the handbook anymore.:-) Your
problem now is that "noquery" doesn't mean what you think it does - from
the ntp.conf man page (thanks to the kind soul(s) who create the FreeBSD
man pages that the NTP reference implementation doesn't provide):

noquery
Ignore all NTP mode 6 and 7 packets (i.e., information
queries and configuration requests) from the source.
Time service is not affected.

I.e. this is not the time service "queries" that are made between NTP
servers to synchronize time, but the messages sent by 'ntpq' and 'ntpdc'
when talking to a NTP server.

I'm not 100% sure about the recipe to do what you *really* want, since
these 'restrict' options have pretty complex/obscure semantics, and at
least one of them ('notrust' IIRC) has changed semantics incompatibly
between NTP versions that I don't remember, and I actually think that
what you want is pretty pointless.:-) I.e. it doesn't really matter if
the world is allowed to use your server as time source - the world won't
bother doing that anyway, unless you at least announce its existence in
some relevant forum, *and* it has good "quality" (basically stratum 1 or
2).

You should probably be more worried about the world trying to *provide*
time to your server, which is quite possible even if your server didn't
ask for it, and which is something the wonderful people "out there" that
think causing damage is a great goal in itself might try. With that
viewpoint your current setup is pretty much OK - preventing the world
from doing the ntpq/ntpdc queries may make sense as general sanity
measure. To prevent the world from changing the time on your box,
'notrust' would seem to be the thing to add to the default line, but see
above - and of course you must then make exceptions for the external
servers you have configured. Hm, *maybe* 'nopeer' would do the trick.

If you really think you need more than what you already have, I would
suggest (what the handbook probably *should* have said):

restrict default ignore
restrict <server> 255.255.255.255 noquery # for each configured server
restrict 192.168.1.0 mask 255.255.255.0 noquery

The last line will per above prevent your LAN hosts from doing
ntpq/ntpdc queries, which is probably OK - you can of course use
'nomodify notrap' instead if you prefer to allow the read-only queries.

--Per Hedeland
per@xxxxxxxxxxxx
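An added example, not code from this thread, modelling the 'restrict' semantics Per describes: a small Python evaluator that parses restrict lines and reports whether a given source address gets time service, mode 6/7 read queries (ntpq/ntpdc), or mode 6/7 modifications. It assumes ntpd's most-specific-match rule, uses 10.0.0.1 as a placeholder for one configured upstream server, and the two configuration fragments are constructed from the thread.

```python
import ipaddress

# Constructed ntp.conf fragments: the poster's "noquery" default and Per's
# "ignore" default with exceptions (10.0.0.1 is a placeholder upstream server).
NOQUERY_CONF = """
restrict default noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""
IGNORE_CONF = """
restrict default ignore
restrict 10.0.0.1 mask 255.255.255.255 noquery   # one configured server
restrict 192.168.1.0 mask 255.255.255.0 noquery
"""

def parse_restrict(conf):
    """Return [(network, flags)] for each 'restrict' line (IPv4 only)."""
    entries = []
    for line in conf.splitlines():
        tokens = line.split("#")[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        if tokens[1] == "default":
            net, flags = ipaddress.ip_network("0.0.0.0/0"), tokens[2:]
        else:
            addr, rest = tokens[1], tokens[2:]
            mask = "255.255.255.255"           # single host when no mask given
            if rest[:1] == ["mask"]:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            flags = rest
        entries.append((net, frozenset(flags)))
    return entries

def allowed(entries, source, kind):
    """kind is 'time' (the mode 3/4 client-server exchange), 'query'
    (mode 6/7 read such as ntpq -p) or 'modify' (mode 6/7 write).
    The most specific matching entry wins (assumed ntpd restrict lookup)."""
    src = ipaddress.ip_address(source)
    matches = [e for e in entries if src in e[0]]
    if not matches:
        return True                         # no restrict lines: open by default
    _, flags = max(matches, key=lambda e: e[0].prefixlen)
    if "ignore" in flags:
        return False                        # drops every packet, replies included
    if kind == "time":
        return True                         # noquery/nomodify never touch time service
    if "noquery" in flags:
        return False                        # mode 6/7 blocked entirely
    return kind != "modify" or "nomodify" not in flags   # reads still answered
```

With NOQUERY_CONF an outside host such as the friend running 'ntpdate -q' still gets time service, which is exactly what the thread observed; with IGNORE_CONF only the configured server and the LAN get through.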
