untherstand NTP ACLs

I’m trying to configure NTP server. It is working but working is not enough i think. :wink: It is good to have some security introduced, so I try to understand how can I restrict that server. I found that handbook:
Clock Synchronization with NTP
It is for FreeBSD but I think that NTP have to behave the same there.

There is:

restrict default ignore

Note: This will also prevent access from your server to any servers listed in your local configuration. If you need to synchronise your NTP server with an external NTP server you should allow the specific server. See the ntp.conf(5) manual for more information.

So I tried to use:

restrict default ignore

in my cfg file and server can connect to other server using command

rcntp ntptimeset

Why it is possible? Isn’t command restrict default ignore restricting that?

I can’t also understand why when I add that to cfg:

restrict mask noquery

network can query NTP server.

May by that are stupid question but I can’t find easy answers how ACLs in NTP are working. If order is important…
I just want to create very easy ACL - permit local NTP server to ask one external server about time and permit local network to ask local server about time.

Thank you in advance!

I try to understand what you wrote, but imho I am missing information. Or this may be much beyond my (basic) NTPP knowledge.

E.g. when your citation says “This will also prevent access from your server to any servers listed in your local configuration”. You do not tell how you interprete this, I guess they mean with “your server to any servers” to say “your server, acting as a client, to any servers”. And what is the meaning of “local configuration” Is there an other one?

You mentioning ntptimesetin a command is not very illustrating because we do not know what the IP address is and thus not if it is in your LAN or not.

While it looks logical to me that you want to restrict service requests to your local LAN, I guess that

restrict mask

would do that. As the man page says:

Deny ntpq(8) and ntpdc(8) queries. Time service is not

I guess that any system in can still sync time with your server. Or do I misineterprete here?

OK! Let’s focus first on that:

server 1.pool.ntp.org
restrict default ignore

That is from my ntp.cfg file. And I can do:

# rcntp ntptimeset
 4 Nov 17:32:18 sntp[7815]: Started sntp
2011-11-04 17:32:18.115542 (-0100) -0.015233 +/- 0.047501 secs
2011-11-04 17:32:18.150776 (-0100) +0.004910 +/- 0.017456 secs
2011-11-04 17:32:18.207153 (-0100) +0.010290 +/- 0.008636 secs
Time synchronized with  1.pool.ntp.org

Why? Why it is possible when default is to ignore everything?

BTW. Local means in local network.

IMHO because you configured your NTP client to use 1.pool.ntp.org to use as a server. Which it dully does.

And you configured your NTP server to ignore clients, but you did not test that using a client.

Again imho NTP server and NTP client, while being located in the same system and even being executed by the same program (ntpd) are different things with their own configuration.

OK! Now I get it! restrict is only for clients! :slight_smile:

Of course, what is the use of restricting your servers, when you do not want to use them, don’t use them. And let them do the restrictions.

I though like that because of that:

This will also prevent access from your server to any servers listed in your local configuration

Now I have:

restrict default ignore
restrict mask

Thank you very much! :slight_smile:

Only one more question :wink: If I use noquery, clients from network can still ask server about time.

restrict default ignore
restrict mask noquery

Why it is possible? Isn’t ntptimeset using standard qieries - ntpq?

As you wrote

Deny ntpq(8) and ntpdc(8) queries. Time service is not

What does it mean “Time service is not affected”?

You are welcome.

I allready hinted at that info being a bit ununderstandable to me.

What you have now seems reasonable to me. And when it works as you intends then we do even understand it correctly :slight_smile:

I discovered that ntptimeset is something different than ntpq. In example “ntpq readlist” is not working when I use noquery.

So I think that the best security from NTP I can get (for user hosts time requests) is when I use:

restrict mask noquery nomodify nopeer