Danny Mayer wrote:

Unfortunately this USENET group is full of compulsive obsessive freaks
desperately trying to keep their system clocks as close as they can to
UTC. If they had the money they would buy atomic clocks, but since they
don't they join this group to commiserate with their fellow compulsives.
So you just joined a support group.

In short, I've just happened to ask "How's the weather, guys?" at a Harvard Congress Of Quantum Meteorology.


If you just want the servers/clients to supply time to an internal group
of systems, you can set up the restricts to allow access only to the
subnet but you must allow in the answers to external requests otherwise
they will get dropped. The recent addition of restrict source helps with
that.

I admit bluntly I'm trying to make sense out of a series of tutorials, HOWTOs and other recipes. What I do have here is a small LAN, a server and a bunch of clients, and I want the server to synchronize with some pool server, and then the machines on the LAN to synchronize with the local server, no more, no less. So far, I managed to do that. And now, well, out of some sort of common sense, I thought: OK, let's make this service available to those that need it, and close it down for everybody else, because after all, you never know. My security approach deliberately follows some private KISS (Keep It Simple, Stupid) principle.

I reworked my setup since yesterday, here's what I got:

Server : grossebertha, 192.168.1.252

# /etc/ntp.conf

driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org

restrict default nomodify nopeer notrap
restrict 127.0.0.1 mask 255.0.0.0


Client, for example bernadette, 192.168.1.2

# /etc/ntp.conf

driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

server 192.168.1.252

restrict default ignore
restrict 127.0.0.1 mask 255.0.0.0
restrict 192.168.1.252 mask 255.255.255.255


The German philosopher Lichtenberg (in fact, a physics teacher) once wrote: "One often has to write very long letters before one can actually write short letters." (Translation by me, hence the klutziness.)

Again, I'll be happy to learn from eventual mistakes.

Cheers from the cloudy South of France,

Niki

PS: indeed, my girlfriend loves me for other reasons than my desperate attempts at shutting myself out from my own NTP server :o)
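
The access question discussed in this message can be checked offline. The following is an added example, not part of the original post or of ntpd: a small Python evaluator that reads restrict lines and reports whether a given source address would be served. It assumes IPv4 literal addresses only, models ntpd's matching as "most specific rule wins", and treats restrict source as a template for upstream associations rather than an address rule; the LAN_ONLY ruleset and the test addresses are constructed.

```python
import ipaddress

def parse_restricts(conf):
    """Return [(network, flags)] for the IPv4 'restrict' lines of an ntp.conf."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict" or tok[1] == "source":
            continue  # 'restrict source' is a template for upstream servers
        addr, mask, rest = tok[1], "255.255.255.255", tok[2:]
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        elif rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        # strict=False drops host bits, e.g. 127.0.0.1 mask 255.0.0.0 -> 127.0.0.0/8
        rules.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False),
                      frozenset(rest)))
    return rules

def flags_for(rules, src):
    """Flags of the most specific rule covering src, or None if none does."""
    ip = ipaddress.ip_address(src)
    hits = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def is_served(rules, src):
    """True unless the matching rule carries 'ignore' or 'noserve'."""
    flags = flags_for(rules, src)
    return flags is None or not flags & {"ignore", "noserve"}

# Restrict lines modelled on the server file in the post (loopback line
# written the way the client file writes it).
POSTED = """
restrict default nomodify nopeer notrap
restrict 127.0.0.1 mask 255.0.0.0
"""
# Constructed LAN-only variant (an assumption, not a configuration from the thread).
LAN_ONLY = """
restrict default ignore
restrict source nomodify notrap noquery
restrict 127.0.0.1 mask 255.0.0.0
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
"""
if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("lan-only", LAN_ONLY)):
        for src in ("192.168.1.2", "203.0.113.7"):  # LAN client, outside host
            served = is_served(parse_restricts(conf), src)
            print(name, src, "served" if served else "dropped")
```
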

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
