On Fri, Jul 30, 2010 at 07:11 UTC, J. Bakshi <[email protected]> wrote:
> I like to secure my ntp daemon with "restrict default ignore"

You didn't ask, but my personal opinion is that is usually overkill
and just causes more pain than it's worth.  I use "restrict default
limited kod notrap".

> but ntp stops synchronizing with this configuration; though I have restrict 
> lines for ntp servers.

Yes, but your 'servers' are *.pool.ntp.org, which DNS names resolve to
a different handful of servers every few minutes.  You don't mention
which version of ntpd, but I'll bet it is not recent enough to add a
restriction for each of several IP addresses a DNS name resolves to.
Instead, I suspect it is using only a single IP address for each
"restrict" line in ntp.conf.  "ntpdc -c reslist" displays the
resulting restriction list.

Since running up-to-date ntpd is heresy to most, I'll first assume you
want to make it work with the version of ntpd you have already.  One
way is to switch from using *.pool.ntp.org to hand-selected servers,
perhaps from:

http://support.ntp.org/bin/view/Servers/StratumTwoTimeServers

Newer ntp-dev releases of ntpd (4.2.7p22 and beyond) have been
enhanced with this specific problem in mind, adding a "restrict
source" directive to configure blanket restrictions for servers listed
in "server", "pool", "manycastclient", and other directives which
configure associations.  If you were to jump to the bleeding edge, you
could replace all your per-server restrict lines with a single
"restrict source notrap noquery".

If you do try ntp-dev, you might also kick the tires of the reworked
"pool" directive, by using it in place of "server" for *.pool.ntp.org
lines.

Cheers,
Dave Hart
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
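As an added illustration (not part of Dave's reply or of any ntp.org documentation), here are the three ntp.conf variants his message describes, side by side: the original poster's failing setup, the workaround for an existing ntpd, and the ntp-dev form. Only one stanza would go in a real file; the 192.0.2.x addresses are placeholders from the documentation range, not real time servers.

```conf
# (a) What the original poster has: blanket "ignore" with per-server
#     exceptions given as DNS names.  Older ntpd resolves each restrict
#     hostname to ONE address when it reads the config, while a pool name
#     resolves to different hosts every few minutes, so packets from the
#     other pool members hit "ignore" and the client never syncs.
#     "ntpdc -c reslist" shows which single address each line became.
restrict default ignore
restrict 127.0.0.1
server   0.pool.ntp.org
restrict 0.pool.ntp.org

# (b) Workaround for the ntpd already installed: keep the tight default
#     but point at hand-picked servers with fixed addresses, so each
#     restrict line matches the host that actually answers.
#     (Dave's preferred default, "limited kod notrap", would make the
#     per-server lines unnecessary; "kod" only takes effect together
#     with "limited".)
restrict default ignore
restrict 127.0.0.1
restrict -6 ::1
server   192.0.2.10 iburst          # placeholder, replace with a real server
restrict 192.0.2.10 nomodify notrap noquery
server   192.0.2.20 iburst          # placeholder, replace with a real server
restrict 192.0.2.20 nomodify notrap noquery

# (c) ntp-dev 4.2.7p22 and later: "restrict source" applies one set of
#     flags to every address an association (server/pool/...) resolves
#     to, so pool names work again and no per-server lines are needed.
restrict default limited kod notrap nomodify noquery
restrict 127.0.0.1
restrict -6 ::1
restrict source notrap noquery
pool 0.pool.ntp.org iburst
pool 1.pool.ntp.org iburst
```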