Mailinglist Archive: opensuse (982 mails)

Re: [opensuse] ntp default restrict options - seems to block broadcastclient ?
On Wed, Sep 24, 2014 at 08:22:52AM +0200, Per Jessen wrote:
John Andersen wrote:

On 9/23/2014 10:23 AM, Per Jessen wrote:
The current openSUSE packaged NTP config contains the following:

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

When they're enabled, ntp doesn't sync to my broadcast. Only when I
comment them out does it work.

Which one of "default kod notrap nomodify nopeer noquery" is
preventing my broadcast sync?


thanks
Per


Are you sure those are the only restrictions?
Some suggest you also need a line to allow management from localhost
and specific server lines for it to query.

server ntp.ubuntu.com

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

restrict 127.0.0.1
restrict ::1
restrict <some-ip-that-y0u-trust> <-------

Right, the complete set is:

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

Through trial&error I was able to determine that my broadcast worked
when I commented out the two top ones.

This will reenable the remote denial of service amplification possibility
against your machine if reachable from the outside world.

http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks

So make sure your ntp server is not reachable from outside your network if
you use this, or use more fine-grained controls.

My client setup:

broadcastclient
disable auth

Ciao, Marcus
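
Added example (not part of the original mail or of the openSUSE package): a small Python check for the exposure described above. It reports the address families for which an ntp.conf has no default restrict rule carrying noquery or ignore, so that ntpq/ntpdc queries from any source are still answered. The function names and sample inputs are constructed for illustration, and a bare "default" without -4/-6 is assumed to cover both families.

```python
# Constructed sample inputs: the complete restrict set quoted in the thread,
# and the same file with the two default lines commented out.
PACKAGED = """\
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""
COMMENTED_OUT = "\n".join(
    "#" + line if " default " in line else line
    for line in PACKAGED.splitlines())


def parse_restrict(conf):
    """Yield (family, target, flags) for each active restrict line."""
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments
        if not words or words[0] != "restrict":
            continue
        words = words[1:]
        family = None                          # None: no -4/-6 qualifier
        if words and words[0] in ("-4", "-6"):
            family, words = words[0][1], words[1:]
        if not words:
            continue
        target, words = words[0], words[1:]
        if words[:1] == ["mask"]:
            words = words[2:]                  # skip "mask <netmask>"
        yield family, target, set(words)


def query_exposed_families(conf):
    """Return the families ('4', '6') whose default rule lacks noquery/ignore."""
    exposed = {"4", "6"}
    for family, target, flags in parse_restrict(conf):
        if target == "default" and flags & {"noquery", "ignore"}:
            # Assumption: a bare "default" applies to both families.
            exposed -= {family} if family else {"4", "6"}
    return sorted(exposed)


if __name__ == "__main__":
    for name, conf in (("packaged", PACKAGED), ("commented out", COMMENTED_OUT)):
        print(name, "-> query-exposed families:", query_exposed_families(conf))
```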