On 2017-01-30 13:14, Antonio Marcheselli wrote:
> I am looking for some advice on the RESTRICT parameter.
> My configuration file has the following line in it:
> restrict 172.20.0.0 mask 255.255.0.0 notrust noquery nomodify nokod
> With the above, a server on 172.20.21.11 was unable to poll the time.
> I checked on a working configuration and found the below
> restrict 172.20.0.0/16 mask 255.255.0.0 notrust noquery nomodify nokod
> but I am concerned that the /16 bit is simply making the whole line
> void which would explain why it's then working.
> Basically, I need the 'nokod'. For umpteen reasons, I want the NTP
> server to never ban any client on the LAN. But I thought that a
> little restriction would be good practice too.
> Could you please tell me if the /16 is indeed required or whether I
> have just made the whole line void?
NTP does not yet support CIDR notation but requires a netmask, which
defaults to 255.255.255.255, i.e. /32, an individual host IP, and needs to
be specified for subnets, so /16 *is* invalid, and your ntp log file,
syslog, daemon.log, or Windows application event log should show that;
you don't specify your platform or release.
What restrict supports and defaults to depends on the release; check your
local release docs or the link below (with current-stable replaced by
ntp-dev or your release, e.g. 4.2.#p#) for supported keywords and
defaults:
http://doc.ntp.org/current-stable/accopt.html#restrict
and note that no- is not a generic prefix, so nokod *is* invalid but is
the default unless you explicitly specify kod. You should read those
docs to understand what each option supported on your release does, e.g.:
notrust requires cryptographic authentication of servers
noquery disallows ntpq and ntpdc queries about state
General opinion is that kod and limited are of little use except with
real NTP clients which have rude poll settings, and no use with other
clients which do not recognize KoD packets, so best just allow them to
be ignored, rather than waste time and bandwidth tracking their queries
and sending them packets they will ignore or respond negatively to.
The private local subnet you specify, 172.20.0.0/16, is a subset of the
IANA-specified range, which is normally:
restrict 172.16.0.0 mask 255.240.0.0 # /12
You should specify something like this for your management subnet so
that you can monitor the state of your servers.
If you want to query or modify your local servers and allow them to be
queried or modified from each other you may want to add this to each
local server.
If you want to disallow servers from being changed by each other,
you may want to specify:
restrict source nomodify notrap
if you have a recent release which supports source; otherwise you
will need to specify
restrict <server> nomodify notrap
for each upstream server you use.
If you want to disallow peering from those servers, add nopeer.
If you are trusting upstream servers for time, I see no reason to
be impolite and not allow peering or queries from those systems.
As a base, you probably want to specify:
restrict default ignore
and for older releases also:
restrict -6 default ignore
at the top of your config, to ensure anything not allowed is denied.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
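As an added worked example, not part of the message above or of the NTP project's own documentation: an ntp.conf access-control section that applies the advice in the reply to the questioner's 172.20.0.0/16 LAN. The management subnet 172.20.1.0/24, the upstream server names and the 192.0.2.10 address are assumptions for illustration. It uses the mask form throughout, since that is accepted on every release; whether your release also accepts a /prefix is something to check in its own accopt.html. The questioner's original line is kept as a comment beside the corrected one.

```conf
# /etc/ntp.conf access-control section (added example; addresses are illustrative)

# Base: drop every packet from any address not matched by a later restrict line.
restrict default ignore
# Older releases apply 'restrict default' to IPv4 only; newer ones accept this line too.
restrict -6 default ignore

# Localhost: unrestricted, so ntpq/ntpdc on the server itself can query and, if needed, modify.
restrict 127.0.0.1
restrict -6 ::1

# Upstream time sources (hypothetical names). With 'default ignore' above, their
# replies would be dropped unless explicitly allowed, so open the door for them.
server ntp1.example.net iburst
server ntp2.example.net iburst
# Accept time from the configured servers, but do not let them modify or trap this host.
restrict source nomodify notrap
# On releases without 'source', one line per upstream server instead (192.0.2.10 is a placeholder):
# restrict 192.0.2.10 nomodify notrap
# Add 'nopeer' to either form if those servers must not mobilize a peer association with you.

# LAN clients on 172.20.0.0/16: serve time, but allow no state queries and no changes.
# The questioner's line, for comparison:
#   restrict 172.20.0.0/16 mask 255.255.0.0 notrust noquery nomodify nokod
# Problems: 'nokod' is not a keyword (kod is already off unless you write 'kod'),
# the /16 is rejected on releases without CIDR support (the mask already says /16),
# and 'notrust' denies service to any client whose packets are not authenticated.
restrict 172.20.0.0 mask 255.255.0.0 noquery nomodify notrap

# Management subnet (hypothetical 172.20.1.0/24): may query state with ntpq, still no changes.
# Order in the file does not matter: ntpd applies the entry with the most specific matching mask.
restrict 172.20.1.0 mask 255.255.255.0 nomodify notrap
```

After restarting ntpd, check the log the message points to for any "restrict" syntax error (a rejected line silently leaves that subnet at the default, which with ignore means no service at all), then verify from both subnets: ntpq -p against the server should answer from a 172.20.1.0/24 host and time out from any other 172.20.0.0/16 host, while ordinary time requests from either should still be served.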