Harlan Stenn <st...@ntp.org> wrote:
>> > Yes I have the now default "restrict" lines, to remedy the DDOS problem.
>> > There are no specific restrict lines for my other servers.
>> > Do I need a specific one for the pool directive?
>>
>> For completeness:
>>
>> restrict -4 default kod notrap nomodify nopeer noquery
>> restrict -6 default kod notrap nomodify nopeer noquery
>
> See http://doc.ntp.org/4.2.6p5/accopt.html (there is similar documentation for other versions of NTP).
>
> KOD does nothing without 'limited'. And reading the docs about this and thinking about more bug reports I recall seeing I want to dig in to this deeper. Regardless, this will not affect pool servers.
Note that the above restrict lines are in the default ntp.conf as distributed by Debian. I know the kod there does nothing, I have removed it after I posted that and noticed it. We have discussed before that this is what you get when you don't include a ready-for-production example ntp.conf in the source distribution, and let the individual distributors construct one themselves. Probably most Debian users have this useless kod restrict item in their config (even with limited it is useless and can only cause trouble).

> notrap prohibits mode 6 trap service - will not affect pool servers.
>
> nomodify prohibits others from modifying your server config - will not affect pool servers.
>
> nopeer denies unauthenticated packets that would mobilize an association. This *should* not be an issue, but I have a recollection of a bug report...
>
> noquery prohibits ntpq/ntpdc queries - will not affect pool servers.
>
> So try adding:
>
> restrict source notrap nomodify noquery
>
> and see if that helps.

My latest version of the ntp.conf file includes:

restrict -4 default notrap nomodify nopeer noquery
restrict -6 default notrap nomodify nopeer noquery
restrict source notrap nomodify noquery
restrict 127.0.0.1
restrict ::1

It now suddenly starts working. I had a version with -4 and -6 lines before and then it still did not work. It was my impression that you always need separate restrict lines for IPv4 and IPv6 but apparently this is not the case. Anyway, the reason appears to be what is described in bug 2657. There indeed is a problem that makes pool fail in this version without additional configuration not mentioned in the manpage.

There is now one remaining issue: this pool command has added 7 pool servers. That is a bit too much. I already have two hardwired own servers and only wanted to add maybe 2 pool members to have redundancy. I would have expected a "members" option for the pool directive, but there does not appear to be one.
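A small lint check for the two configuration points raised in this thread (a 'kod' flag with no 'limited', and a 'pool' directive with no 'restrict source' line), added here as an example and not part of the original post or of the NTP distribution; both sample configs are constructed from the lines quoted above and the pool hostname is a placeholder.

```python
"""Lint ntp.conf 'restrict' lines for two problems raised in the thread:
'kod' without 'limited', and 'pool' with no 'restrict source' line."""

# Constructed sample: the Debian-style default lines quoted above, plus a pool line.
WEAK_CONF = """\
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
pool pool.example.com iburst   # placeholder pool hostname
"""

# Constructed sample: the working configuration posted in the reply.
FIXED_CONF = """\
restrict -4 default notrap nomodify nopeer noquery
restrict -6 default notrap nomodify nopeer noquery
restrict source notrap nomodify noquery
restrict 127.0.0.1
restrict ::1
pool pool.example.com iburst
"""

def parse_ntp_conf(text):
    """Yield (directive, args) per non-blank line, trailing comments removed."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields[0], fields[1:]

def lint_restrict(text):
    """Return a list of findings; an empty list means no issue was found."""
    entries = list(parse_ntp_conf(text))
    uses_pool = any(d == "pool" for d, _ in entries)
    has_restrict_source = False
    findings = []
    for directive, args in entries:
        # Ignore the optional -4 / -6 address-family selector.
        fields = [a for a in args if a not in ("-4", "-6")]
        if directive != "restrict" or not fields:
            continue
        target, flags = fields[0], set(fields[1:])
        if target == "source":
            has_restrict_source = True
        if "kod" in flags and "limited" not in flags:
            findings.append("restrict %s: 'kod' does nothing without 'limited'" % target)
    if uses_pool and not has_restrict_source:
        findings.append("pool used without a 'restrict source' line; pool servers "
                        "fall back to the 'default' restrictions")
    return findings
```

Run `lint_restrict(WEAK_CONF)` to see the three findings for the Debian-style default, and `lint_restrict(FIXED_CONF)` returns an empty list for the working configuration.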
_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions