On 10 Feb 2014 at 9:14, Scott Baker wrote:

> What's the best way to lock down NTP on a Linux box (not in the pool)? I
> don't want anyone to be able to query it, except my trusted subnet. And
> obviously it needs to fetch time from the pool. I have the following:
>
> # Ignore everything
> restrict default ignore
> restrict -6 default ignore
>
> # Allow local trusted nets
> restrict x.x.x.x mask 255.255.255.0
> restrict y.y.y.y mask 255.255.255.0
> restrict 127.0.0.1
> restrict -6 ::1
>
> driftfile /var/lib/ntp/drift
>
> # Use public servers from the pool.ntp.org project.
> # Please consider joining the pool (http://www.pool.ntp.org/join.html).
> server 0.centos.pool.ntp.org
> server 1.centos.pool.ntp.org
> server 2.centos.pool.ntp.org
>
> This looks like it blocks the server's ability to talk outbound to its
> upstream servers?

I had similar rules for many years, but after both my firewall and modem failed I was not able to connect to many sites with my new setup. I'd had IPv6 enabled via a tunnel to my ISP and the replacement modem didn't pass tunneled IPv6. I now have "server -4" until I get around to getting IPv6 working again.

David

> :ntpq -pn
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  195.222.33.219  .INIT.          16 u    -   64    0    0.000    0.000   0.000
>  149.20.68.17    .INIT.          16 u    -   64    0    0.000    0.000   0.000
>  62.237.86.234   .INIT.          16 u    -   64    0    0.000    0.000   0.000
>
> --
> Scott Baker - Canby Telcom
> System Administrator - RHCE - 503.266.8253
>
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool

--
David Lord <[email protected]>
<ftp://ftp.lordynet.org/pub/pgpkeys/[email protected]>
<http://www.lordynet.org/pub/pgpkeys/[email protected]>
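Added example, not part of the thread or of the NTP project: a small offline lint that reads an ntp.conf and lists the configured servers whose replies the restrict list would discard, which is the symptom shown in the ntpq output above (every peer stuck at .INIT. with reach 0). The sample configs are constructed from Scott's, with RFC 5737 addresses standing in for x.x.x.x; the "corrected" policy is one common alternative (serve time, refuse queries and modification), and the `restrict source` shortcut is assumed to need ntpd 4.2.8 or later.

```python
import ipaddress

def parse_ntp_conf(text):
    # a rule is (scope, flags): scope None = 'restrict default', 'source', or an ip_network
    rules, servers = [], []
    for words in filter(None, (l.split("#", 1)[0].split() for l in text.splitlines())):
        if words[0] == "server":
            servers.append(words[1])
        elif words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if args[0] in ("default", "source"):
                rules.append((None if args[0] == "default" else "source", set(args[1:])))
                continue
            mask, flags = ("128" if ":" in args[0] else "32"), args[1:]  # host entry
            if flags[:1] == ["mask"]:
                mask, flags = flags[1], flags[2:]
            try:
                rules.append((ipaddress.ip_network(f"{args[0]}/{mask}", strict=False), set(flags)))
            except ValueError:
                pass  # hostname-based restrict entry: cannot be evaluated offline
    return rules, servers

def effective_flags(rules, srv):
    # most specific (longest prefix) entry wins; a hostname can only hit the default entry
    hits = []
    try:
        addr = ipaddress.ip_address(srv)
        hits = [(s.prefixlen, f) for s, f in rules if s not in (None, "source") and addr in s]
    except ValueError:
        pass
    return max(hits, key=lambda h: h[0])[1] if hits else set().union(*[f for s, f in rules if s is None])

def servers_whose_replies_are_dropped(text):
    # ntpd filters all inbound packets, its own servers' replies included
    rules, servers = parse_ntp_conf(text)
    if any(s == "source" and "ignore" not in f for s, f in rules):
        return []  # 'restrict source' (assumed ntpd 4.2.8+) exempts each resolved server
    return [srv for srv in servers if "ignore" in effective_flags(rules, srv)]

# constructed config modelled on the thread; RFC 5737 addresses stand in for x.x.x.x
BROKEN = """\
restrict default ignore
restrict -6 default ignore
restrict 192.0.2.0 mask 255.255.255.0
restrict -6 ::1
server 0.centos.pool.ntp.org
server 203.0.113.10
"""
# corrected policy: still serve time, but refuse ntpq/ntpdc queries, modification and peering
FIXED = BROKEN.replace("default ignore", "default kod nomodify notrap nopeer noquery")
```

`servers_whose_replies_are_dropped(BROKEN)` names both servers; with `FIXED`, or with a `restrict source nomodify noquery notrap` line appended to `BROKEN`, it returns an empty list.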
