David Piniella
ntp.conf help restricting queries

I have a FreeBSD-6 server running ntp 4.2.0a and am having trouble configuring ntp.conf (restrict statements etc) correctly.

I want to prevent anyone from modifying my server time and I want to use 6 or 7 other servers as peers. Are my potential restrict lines for my internal networks (the commented lines below) correct?

I originally had my restrict default set to ignore but replaced it with "nomodify nopeer notrap" when client machines could not get the time from the server.


My current ntp.conf (I have changed the DNS names of my time source servers):
# more /etc/ntp.conf
restrict default nomodify nopeer notrap
restrict 127.0.0.1
#restrict 192.168.0.0 mask 255.255.0.0 notrust nomodify notrap
#restrict 172.20.0.0 mask 255.255.0.0 notrust nomodify notrap
#restrict 10.0.0.0 mask 255.255.0.0 notrust nomodify notrap
#restrict 10.2.0.0 mask 255.255.0.0 notrust nomodify notrap
# nomodify/notrap/noquery are restrict flags, not "server" options; they go on a
# restrict line for each upstream host (use the host's IP address if this ntpd
# does not resolve names on restrict lines)
server clock.myntp.tld prefer
restrict clock.myntp.tld nomodify notrap noquery
server ntp.something.tld
restrict ntp.something.tld nomodify notrap noquery
multicastclient
restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
fudge   127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
keys            /etc/ntp/keys


on a related note, all machines except win2k3 server have worked fine, but win2k3 server logs say "no suitable server found" (or something very like that), even though other machines (windows XP Pro, unix, linux, mac os x etc) all get the time ok from the server. Any ideas what I'm doing wrong there?
David Piniella
ASKER
increasing points
This may not be the answer you're seeking, but it's definitely a workaround.  I've had *challenges* getting ntp configured on a slack box and learned this trick from a slack wizard.  All you have to do in your crontab is point it to a timeserver:

# Added to sync with local NTP server -
0 15 * * * /usr/sbin/ntpdate <ip_address_time_server>

You could sync it as often as you'd prefer this way as well.


My problem isn't syncing my machine; it's getting my LAN machines to sync to my machine.

ntpdate works dandy, and I can talk to other servers, but when I tell the win2k3 servers on my lan to get their time from my ntp....they can't.
ntpd on FreeBSD is broken; especially restrict does not work well.
In most cases ntpdate is enough unless you wish to serve time to clients.

http://ntp.isc.org/bin/view/Main/DocumentationIndex

Read through the three-part doc; I can post a working ntp config if you need one.
I wouldn't mind a working config copy; I have read through the docs (there's one at us-webmaster.com that's great for ntp) and wound up installing from source since the port installs an unpatched version of ntp w/ a broken broadcastclient.

I am planning on serving time to clients and running my own ntp pool of servers. all my clients get time ok except win2k3 servers.
2003 has to be configured differently than XP, 2000 or NT4; your problem is finding the right doc.
Found a doc ages ago that said the problem was the packet type 2k3 was sending; it suggested sending a different packet type (in the 2k3 CLI net time command) and that didn't help either....something about 2k3 sending packets as a peer instead of as a client.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept dpiniella http:#16446835

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

gheist
EE Cleanup Volunteer
I am punishing myself for not posting:
---
server xxx
driftfile /var/db/ntp.drift
restrict default ignore
restrict 192.168.0.0 mask 255.255.0.0 notrust nomodify notrap
restrict xxx noquery nomodify notrap
restrict 127.0.0.1
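To check what the restrict lines above (and the asker's commented-out ones) actually grant, here is an added example, not code from the thread or from ntpd, that applies ntpd's matching rule: entries are ordered by address then mask, the last match wins, and only that entry's flags apply. SAMPLE_CONF, parse_restricts, effective_flags and access are names chosen here; the "xxx" placeholder is replaced by the constructed upstream address 192.0.2.10.

```python
import ipaddress

# Constructed stand-in for the config posted above ("xxx" -> 192.0.2.10).
SAMPLE_CONF = """
server 192.0.2.10
driftfile /var/db/ntp.drift
restrict default ignore
restrict 192.168.0.0 mask 255.255.0.0 notrust nomodify notrap
restrict 192.0.2.10 noquery nomodify notrap
restrict 127.0.0.1
"""

def parse_restricts(conf):
    """Return [(network, flags)] for every IPv4 'restrict' line, in ntpd order."""
    entries = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        if words[1] == "default":
            net, flags = ipaddress.ip_network("0.0.0.0/0"), words[2:]
        elif len(words) >= 4 and words[2] == "mask":
            net = ipaddress.ip_network(f"{words[1]}/{words[3]}", strict=False)
            flags = words[4:]
        else:  # bare address = single host (mask 255.255.255.255)
            net, flags = ipaddress.ip_network(f"{words[1]}/32"), words[2:]
        entries.append((net, frozenset(flags)))
    # ntpd keeps the list sorted by address, then by mask (shorter prefix first)
    entries.sort(key=lambda e: (int(e[0].network_address), e[0].prefixlen))
    return entries

def effective_flags(conf, addr):
    """Flags ntpd applies to packets from addr: the last (most specific) match wins."""
    host = ipaddress.ip_address(addr)
    match = frozenset()
    for net, flags in parse_restricts(conf):
        if host in net:
            match = flags
    return match

def access(conf, addr):
    """Summarise what a host at addr may do against this ntpd."""
    f = effective_flags(conf, addr)
    return {
        "served": not ({"ignore", "noserve"} & f),   # time replies / packets processed
        "query": not ({"ignore", "noquery"} & f),    # ntpq / ntpdc runtime queries
        "modify": not ({"ignore", "nomodify"} & f),  # runtime configuration changes
    }
```

With `restrict default ignore`, a host outside every listed network (for example 10.64.3.4) is dropped entirely, and the upstream server needs its own restrict line or its replies are ignored too.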

This particular setup (conf file below) would not let me sync my win2k3 server (on the 10.64./16 network) to my ntp server (public IP, same VLAN, same switch). I'm not running a firewall on the ntp host itself, and there isn't one on the windows host either (there is a hardware firewall between them both and the world at large though). I still don't know what to make of this.

I eventually solved my problem by making my server an open NTP server in the conf and blocking access via the firewall, but this is inelegant and less than ideal. I'll try your config tomorrow (I have to reboot the server _anyway_ and i want to see if I've set it up correctly for the services coming up on reboot).

would changing the fudge line change what strata my server reports itself as being?

root@ntp:[/etc%]# more ntp.conf
# Prohibit general access to this service.
restrict default nomodify nopeer notrap
# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 10.64.0.0 mask 255.255.255.0 notrust nomodify notrap

# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip
server ntp.myfloridacity.us
restrict ntp.myfloridacity.us nomodify notrap noquery
server tick.navy.mil
restrict tick.navy.mil nomodify notrap noquery


# --- NTP MULTICASTCLIENT ---
multicastclient                        # listen on default 224.0.1.1
restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap



# --- GENERAL CONFIGURATION ---
#
fudge   127.127.1.0 stratum 10
# server 1.north-america.pool.ntp.org
# server 2.north-america.pool.ntp.org
# driftfile stuff
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
# authenticate yes
# keys
keys            /etc/ntp/keys
ASKER CERTIFIED SOLUTION
GranMod