On 2016-12-31 01:09, Brian Inglis wrote:
> On 2016-12-30 16:32, Ask Bjørn Hansen wrote:
>> On Tuesday, September 6, 2016 at 1:41:10 AM UTC-7, Miroslav Lichvar wrote:
>>> On 2016-09-05, a...@ntppool.org <a...@ntppool.org> wrote:
>>>> My draft has the following as the recommendation for someone
>>>> using the pool (on 4.2.8 or later):
>>>> driftfile /var/lib/ntp/ntp.drift
>>>> restrict default kod nomodify notrap nopeer noquery
>>>> restrict -6 default kod nomodify notrap nopeer noquery
>>> I think this line shouldn't be necessary as restrict default
>>> specified without -4 and -6 should apply to both.
>> Ok, thank you. Is that the case for older versions of ntpd, too? 
>> There's obviously a bit of cargo cult going on here, I appreciate
>> the help getting to an actual best practices recommendation. :-/
>> For Martin's comment about kod and limited:
>> I'm not sure if 'limited' works on a reasonably busy NTP server 
>> (hundreds to a few thousand queries a second) and I don't think 
>> anyone has shown that KoD packets do something useful for a 
>> meaningful number of the "bad clients", so I should probably just 
>> take 'kod' out.
> Works with typical bad clients but most ignore KoD packets anyway so
> just avoid the MRU list overhead and sending KoD - see 
> http://doc.ntp.org/current-stable/rate.html for how it works.
>>>> restrict source notrap nomodify noquery
> restrict source added with pool in 4.2.7p22 2010/04/02, 
> docs updated in 4.2.7p24 2010/04/13.
>>>> restrict 127.0.0.1
>>>> restrict -6 ::1
>>>>
>>>> pool 0.pool.ntp.org
> Add preempt to pool statements to drop unselected servers and
> acquire new servers to maintain a majority clique - see below.
>>> How many servers should the client use at the same time? The 
>>> default value of tos maxclock is 10, so it would use 10 servers. 
>>> That seems a bit excessive. If it should be equivalent to the 
>>> current recommendation, the config would need to include
>>>     tos maxclock 4
> Keep it odd - tos maxclock 5 - for sync, majority clique requires 
> truechimers *>* falsetickers - truechimers == falsetickers is 
> *unsynced* - 5 allows 2 servers "off" in some way at the same time 
> (e.g. during weekend maintenance windows when servers often drop out
> - YMMV) see http://doc.ntp.org/current-stable/select.html .
>>> Also, how about adding the iburst option? Considering that a 
>>> significant part of NTP traffic is from ntpdate (which sends
>>> four packets at 2 s intervals) and that most Linux distributions
>>> seem to use iburst in their default ntp.conf, I think it could
>>> be recommended to everyone.
>> Hmm, I could get convinced of that.
> Also add iburst to pool statements.
> And only use minpoll and/or maxpoll on local ref clocks.

May also want to unrestrict all LAN addresses - safe for small 
home or business LANs, not for e.g. campus situations - or add 
but comment out? 

restrict    10.0.0.0 mask 255.0.0.0   # private net allow all packets
restrict  172.16.0.0 mask 255.240.0.0 # private net allow all packets
restrict 192.168.0.0 mask 255.255.0.0 # private net allow all packets

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
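Pulling the recommendations from this thread together into one client file, as an added example (not the ntppool.org draft and not any poster's own config): restrict default without a redundant -6 line and without kod, restrict source for the pool-mobilized servers, an odd tos maxclock, iburst and preempt on the pool line, and the LAN lines present but commented out. The driftfile path and the RFC 1918 ranges are assumptions; adjust them for the local distribution and network.

```conf
# Added example: ntp.conf for a pool client on ntpd 4.2.8 or later,
# assembled from this thread's recommendations. Not the ntppool.org
# draft and not any poster's file. Paths and LAN ranges are assumptions.

driftfile /var/lib/ntp/ntp.drift

# Default policy: answer time requests only. noquery blocks mode 6/7
# status queries, nomodify blocks runtime changes, notrap blocks traps,
# nopeer refuses unauthenticated packets that would mobilize a new
# association. One line covers both IPv4 and IPv6, so a separate
# "restrict -6 default" is not needed. kod is left out, as the thread
# suggests: most abusive clients ignore KoD and sending it only adds
# MRU-list overhead. If rate limiting is wanted anyway, add "limited kod".
restrict default nomodify notrap nopeer noquery

# Template applied to each server the pool DNS hands out. It repeats the
# default minus nopeer; without that, nopeer above would stop the pool
# directive from mobilizing any association.
restrict source notrap nomodify noquery

# Localhost stays unrestricted so ntpq works for the local admin.
restrict 127.0.0.1
restrict ::1

# Optional: allow all packets from the LAN. Reasonable for a small home
# or office network, not for a campus. Uncomment to enable.
#restrict    10.0.0.0 mask 255.0.0.0   # private net allow all packets
#restrict  172.16.0.0 mask 255.240.0.0 # private net allow all packets
#restrict 192.168.0.0 mask 255.255.0.0 # private net allow all packets

# Five servers instead of the default ten, and an odd number on purpose:
# the select algorithm needs truechimers > falsetickers (equal counts
# mean unsynced), so with 5 servers two can be wrong or unreachable at
# the same time and a majority clique still exists.
tos maxclock 5

# iburst: burst of packets when a server is first contacted, for fast
# initial sync. preempt: drop servers the selection stops using so the
# pool can supply replacements and keep the clique populated.
# No minpoll/maxpoll here; those belong on local reference clocks only.
pool 0.pool.ntp.org iburst preempt
```

Reload ntpd after editing, then `ntpq -p` should show five pool-mobilized associations with a majority of them marked as survivors; if nopeer were left in the restrict source line the pool line would mobilize nothing.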
_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions