# base ntpd restrict with pool servers



## kdemidofff (Jun 16, 2010)

What is the correct way to use the restrict clause for the pool servers with the base ntpd?

Right now it skips all pool servers completely.

Output of `ntpq -p`:

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.gbg.netnod .PPS.            1 u   45   64  377   90.005   35.606  42.515
+ntp1.mmo.netnod .PPS.            1 u   48   64  365   99.258   35.263  59.837
 gw-pirogovka.mi .INIT.          16 u    -   64    0    0.000    0.000   0.000
 nut.rsuitb.ru.8 .INIT.          16 u    -   64    0    0.000    0.000   0.000
 ntp.mechel-bank .INIT.          16 u    -   64    0    0.000    0.000   0.000
```

ntp.conf:

```
restrict default ignore
restrict 127.0.0.1
restrict 192.36.133.17 nomodify nopeer noquery notrap
restrict 192.36.134.17 nomodify nopeer noquery notrap
restrict 0.freebsd.pool.ntp.org nomodify nopeer noquery notrap
restrict 1.freebsd.pool.ntp.org nomodify nopeer noquery notrap
restrict 2.freebsd.pool.ntp.org nomodify nopeer noquery notrap
```

Thanks.


----------



## hydra (Jun 17, 2010)

What restrictions do you want to apply ?


----------



## kdemidofff (Jun 20, 2010)

Obviously I can't query any generic pool server.


----------



## loop (Jun 21, 2010)

Well of course you can't, you told it not to peer with the pool servers:

From ntp.conf(5):

```
nopeer  Deny packets which would result in mobilizing a new asso-
	ciation.  This includes broadcast and symmetric active
	packets when a configured association does not exist.
```

Try a simple ntp.conf to begin with:

```
server freebsd.pool.ntp.org
driftfile /var/db/ntpd.drift
restrict default ignore
```

That will get peering going, with no other machines able to query your server (the restrict default ignore line).

Once you have peer associations, add a restrict line for your local network:

```
restrict <your subnet> mask <your subnet mask> notrust nomodify notrap
```

Read the Access Control section of the manpage for more info.


----------



## kdemidofff (Jun 21, 2010)

IMHO nopeer is not related to ntpd accessing other peers as a client (as opposed to a full peer); it is only for making your ntpd a peer (server) for others.

The problem is that pool.ntp.org resolves to a random server, so ntpd has no way to associate it.
When I specify an IP address it works with nopeer.

Why then is this in the default ntp.conf?

```
#restrict default ignore
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#restrict 127.0.0.1
#restrict -6 ::1
#restrict 127.127.1.0
```

That is, after I specify IPs, look: the servers keyed directly by IP address are in PPS state,
so there is no way to use the pool*.


```
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.gbg.netnod .PPS.            1 u    1   64    1  115.353    2.530   0.002
 ntp1.mmo.netnod .PPS.            1 u    1   64    1   80.564   16.431   0.002
 naos.promodev.r .INIT.          16 u    -   64    0    0.000    0.000   0.000
 gw.promodev.ru  .INIT.          16 u    -   64    0    0.000    0.000   0.002
 jane.telecom.mi .INIT.          16 u    -   64    0    0.000    0.000   0.002
```


----------



## loop (Jun 21, 2010)

The pool. addresses are a DNS round-robin (CNAME), which is why you can see them resolved to their A records in the output of `# ntpq -p`. 

I do suggest leaving the "restrict default ignore" entry uncommented in ntp.conf though.


----------
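The mechanism the two previous posts describe, as an added example that is not part of the thread: a small Python model of ntpd's restrict list (the most specific matching entry supplies the flags, as in the Access Control section of ntp.conf(5)) fed by a constructed round-robin resolver. A `server <name>` line is taken to mobilize an association with whatever the name resolves to at that moment, and a `restrict <name>` line to do its own, separate lookup; that ntpd resolves the two lines independently is an assumption of this model. The pool addresses are RFC 5737 documentation addresses and the `server` lines are assumed (the thread only shows the restrict lines); the netnod addresses are the two quoted in the thread.

```python
import ipaddress

# Constructed DNS data: pool names rotate through documentation addresses
# on every lookup; the netnod name is fixed, using an address from the thread.
POOL_ANSWERS = {
    "0.freebsd.pool.ntp.org": ["198.51.100.10", "198.51.100.20", "198.51.100.30"],
    "1.freebsd.pool.ntp.org": ["203.0.113.5", "203.0.113.6", "203.0.113.7"],
}
STATIC_ANSWERS = {"ntp1.gbg.netnod.se": "192.36.133.17"}


class Resolver:
    """Each lookup of a pool name returns the next address in its rotation."""

    def __init__(self):
        self.calls = {name: 0 for name in POOL_ANSWERS}

    def resolve(self, name):
        try:
            ipaddress.ip_address(name)
            return name                       # literal address: no lookup
        except ValueError:
            pass
        if name in POOL_ANSWERS:
            answers = POOL_ANSWERS[name]
            addr = answers[self.calls[name] % len(answers)]
            self.calls[name] += 1
            return addr
        return STATIC_ANSWERS[name]


class RestrictList:
    """Entries are address/mask pairs; a packet gets the flags of the most
    specific matching entry. 'default' is 0.0.0.0/0 and matches everything."""

    def __init__(self):
        self.entries = []                     # (network, frozenset(flags))

    def add(self, target, flags, mask=None):
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(f"{target}/{mask or '255.255.255.255'}", strict=False)
        self.entries.append((net, frozenset(flags)))

    def flags_for(self, addr):
        ip = ipaddress.ip_address(addr)
        matches = [e for e in self.entries if ip in e[0]]
        if not matches:
            return frozenset()
        return max(matches, key=lambda e: e[0].prefixlen)[1]


def load_config(lines, resolver):
    """Walk ntp.conf in order. 'server <name>' binds the association to the
    address returned now; 'restrict <name>' does its own lookup (assumed),
    so a round-robin name can land on a different address."""
    restrict, peers = RestrictList(), {}      # peers: server name -> address
    for raw in lines:
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "server":
            peers[words[1]] = resolver.resolve(words[1])
        elif words[0] == "restrict":
            target, rest, mask = words[1], words[2:], None
            if rest[:1] == ["mask"]:
                mask, rest = rest[1], rest[2:]
            if target != "default":
                target = resolver.resolve(target)
            restrict.add(target, rest, mask)
    return peers, restrict


def peer_status(lines):
    """Return {server name: (peer address, status)}. A peer whose replies hit
    an 'ignore' entry never yields a sample and stays at .INIT. in ntpq -p."""
    peers, restrict = load_config(lines, Resolver())
    return {name: (addr, ".INIT." if "ignore" in restrict.flags_for(addr) else "reachable")
            for name, addr in peers.items()}


# Constructed to mirror the thread's ntp.conf, with server lines assumed.
THREAD_CONF = """
server ntp1.gbg.netnod.se
server 0.freebsd.pool.ntp.org
server 1.freebsd.pool.ntp.org
restrict default ignore
restrict 127.0.0.1
restrict 192.36.133.17 nomodify nopeer noquery notrap
restrict 0.freebsd.pool.ntp.org nomodify nopeer noquery notrap
restrict 1.freebsd.pool.ntp.org nomodify nopeer noquery notrap
""".splitlines()

# The workaround reported in the thread: key both lines on a literal address.
PINNED_CONF = """
server 192.36.133.17
server 198.51.100.10
restrict default ignore
restrict 192.36.133.17 nomodify nopeer noquery notrap
restrict 198.51.100.10 nomodify nopeer noquery notrap
""".splitlines()
```

Running `peer_status(THREAD_CONF)` puts the netnod server at "reachable" while both pool entries come back ".INIT.": the `restrict 0.freebsd.pool.ntp.org` line resolved to 198.51.100.20, but the association was mobilized to 198.51.100.10, which only matches `restrict default ignore`. With `PINNED_CONF` every peer is reachable, which is the behaviour the thread reports for literal addresses. `RestrictList` also handles the `mask` form from the earlier reply (`restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap`), so it can be used to check what flags a given client address would receive.

----------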



## kdemidofff (Jun 24, 2010)

Maybe restrict is not working as intended with pool* servers?

Yet another bug, ranging from nonsense timekeeping without ntpd to memory management xD.
But anyway, it's good that it all gets fixed.


----------

