
allow-clients on NTP configuration
Closed, ResolvedPublic

Description

After configuring ntp like

set system ntp allow-clients address <x.x.x.x/x>

ntpd allows all IPs to synchronize time. For stronger rules, one needs to add to /etc/ntp.conf a line containing noquery notrust

restrict default nomodify notrap nopeer noquery notrust

but this requires adding restrict rules for the servers VyOS syncs with

# Server configuration for: 1.pool.ntp.org
server 217.196.145.42 iburst
...
restrict 217.196.145.42 mask 255.255.255.255 nomodify notrap

Restrict rules don't allow domain names. Any ideas about ntp allow-clients?

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close

Event Timeline

Dmitry triaged this task as Low priority.Mar 4 2019, 9:06 PM
Dmitry created this task.
Dmitry created this object in space S1 VyOS Public.
syncer assigned this task to hagbard.Mar 4 2019, 9:07 PM
syncer added a subscriber: syncer.

Can you look into this please?

hagbard changed the task status from Open to In progress.Mar 4 2019, 10:37 PM

Not too sure what I'm supposed to do here, I added noquery notrust, but everything else looks pretty good.

vyos@vyos# set system ntp allow-clients address 10.1.1.0/24
vyos@vyos# commit
vyos@vyos# sudo cat /etc/ntp.conf
[...]
# Client configuration for network: 10.1.1.0/24
restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap nopeer

@Dmitry Can you please test: http://dev.packages.vyos.net/repositories/current/vyos/pool/main/v/vyos-1x/vyos-1x_1.3.0-4_all.deb

hagbard changed the task status from In progress to Needs testing.Mar 5 2019, 5:53 PM
Dmitry added a comment.EditedMar 7 2019, 6:33 AM

I'll try this package, but I have a problem with time sync on this vyos machine, because the allow restriction for the ntp server is absent. State always INIT

root@vyos-rtr:~# ntpq -p -n
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 178.252.19.225  .INIT.          16 u    -   64    0    0.000    0.000   0.000

if I add the ntp server's IP to /etc/ntp.conf

restrict 178.252.19.225 mask 255.255.255.255 nomodify notrap

and restart ntpd, ntp syncs

root@vyos-rtr:~# ntpq -p -n
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*178.252.19.225  150.254.190.51   2 u   30   64    1   73.906    2.677   0.037

@Dmitry Oh ok, I didn't see the trees in the woods. Yeah, that needs to be fixed, I see that I can squeeze it in today.

hagbard changed the task status from Needs testing to In progress.Mar 7 2019, 6:00 PM
hagbard changed the task status from In progress to Needs testing.Mar 7 2019, 8:25 PM
Dmitry added a comment.EditedMar 8 2019, 12:27 PM

I think the restrict option in ntp.conf does not support domain names. After installing the new package

dimka@vyos-rtr# show
 allow-clients {
     address 192.168.5.0/24
 }
 listen-address 192.168.0.30
 server 1.pool.ntp.org {
 }
[edit system ntp]

ntp.conf consists of the following

dimka@vyos-rtr# cat /etc/ntp.conf 

### Autogenerated by ntp.py ###

#
# Non-configurable defaults
#
driftfile /var/lib/ntp/ntp.drift
# By default, only allow ntpd to query time sources, ignore any incoming requests
restrict default noquery nopeer notrap nomodify noquery notrust
# Local users have unrestricted access, allowing reconfiguration via ntpdc
restrict 127.0.0.1
restrict -6 ::1

#
# Configurable section
#

# Server configuration for: 1.pool.ntp.org
server 1.pool.ntp.org iburst 
# allow server sync
restrict 1.pool.ntp.org nomodify notrap



# Client configuration for network: 192.168.5.0/24
restrict 192.168.5.0 mask 255.255.255.0 nomodify notrap nopeer



# NTP should listen on configured addresses only
interface ignore wildcard
interface listen 192.168.0.30

one domain name resolves to more than 1 IP

dimka@vyos-rtr# nslookup 1.pool.ntp.org
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	1.pool.ntp.org
Address: 46.175.224.7
Name:	1.pool.ntp.org
Address: 54.37.233.160
Name:	1.pool.ntp.org
Address: 91.233.70.230
Name:	1.pool.ntp.org
Address: 149.156.70.75

[edit system ntp]

Running ntpq -p shows ntpd in INIT state and not synced

dimka@vyos-rtr# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp2.aas.ru     .INIT.          16 u    -   64    0    0.000    0.000   0.000
[edit system ntp]

Interesting, it did work during my tests and my implementation was based on the official ntp documentation.

http://doc.ntp.org/4.2.4/accopt.html#cmd:

restrict address [mask mask] [flag][...]
    [...]
    Alternatively, the address argument can be a valid host DNS name.

Are you sure you are blocking it not somewhere else?

Dmitry added a comment.EditedMar 8 2019, 5:30 PM

I don't block. The problem exists if using a pool of ntp servers like 3.pool.ntp.org. If using a domain name with one A record, everything works.

...
set system ntp allow-clients address '192.168.5.0/24'
set system ntp listen-address '192.168.0.30'
set system ntp server 3.pool.ntp.org
set system ntp server ntp-d.0x5e.se
...

dimka@vyos-rtr# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 main.krajany.vn .INIT.          16 u    -   64    0    0.000    0.000   0.000
*ntp-d.0x5e.se   232.6.188.111    2 u   39   64   37   48.633   -2.958   0.980
hagbard changed the task status from Needs testing to In progress.Mar 8 2019, 8:00 PM

Ok, I resolve the IP at config time and write it into the file; please note that it will be only 1 of the pool IPs, so it should work for you.
Please test: https://github.com/hagbard-01/vyos-1x/releases/download/v1.0/vyos-1x_1.3.0-11_all.deb and let me know if that works for you.

hagbard changed the task status from In progress to Needs testing.Mar 8 2019, 8:57 PM
Dmitry added a comment.Mar 8 2019, 9:35 PM

Doesn't work, ntp queries another IP from the pool.

dimka@vyos-rtr# show
 allow-clients {
     address 192.168.5.0/24
 }
 listen-address 192.168.0.30
 server 3.pool.ntp.org {
 }
[edit system ntp]
dimka@vyos-rtr# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 212.110.158.28  .INIT.          16 u    -   64    0    0.000    0.000   0.000
[edit system ntp]
dimka@vyos-rtr# cat /etc/ntp.conf 

### Autogenerated by ntp.py ###

#
# Non-configurable defaults
#
driftfile /var/lib/ntp/ntp.drift
# By default, only allow ntpd to query time sources, ignore any incoming requests
restrict default noquery nopeer notrap nomodify noquery notrust
# Local users have unrestricted access, allowing reconfiguration via ntpdc
restrict 127.0.0.1
restrict -6 ::1

#
# Configurable section
#

# Server configuration for: 3.pool.ntp.org
server 3.pool.ntp.org iburst 
# allow upstream sync
#restrict 3.pool.ntp.org nomodify notrap
restrict 85.21.78.23 mask 255.255.255.255 nomodify notrap




# Client configuration for network: 192.168.5.0/24
restrict 192.168.5.0 mask 255.255.255.0 nomodify notrap nopeer



# NTP should listen on configured addresses only
interface ignore wildcard
interface listen 192.168.0.30

[edit system ntp]
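The failure shown in the two ntpq outputs above (the pool address ntpd actually talks to is not the one written into the restrict line, so its replies fall under the notrust default and the association never leaves .INIT.) can be modelled without a network. The script below is an added example, not VyOS or ntpd code: it parses restrict lines the way ntpd applies them (most specific matching entry wins; notrust and ignore drop unauthenticated packets, which is what an upstream server's replies are) and compares the tightened default against the original one. FAKE_DNS is a constructed stand-in for DNS; its addresses are taken from the thread and ntp-d.0x5e.se is given a hypothetical address. server_restrict_lines is a hypothetical helper, not the ntp.py generator.

```python
"""Model of ntpd's restrict matching for an upstream server's unauthenticated
replies. Added example; assumes ntpd semantics: the most specific matching
entry applies, notrust/ignore reject unauthenticated packets, and a hostname
in a restrict line is resolved once to a single address."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed resolver standing in for DNS. A real pool answer rotates on
# every query, which is the whole problem.
FAKE_DNS: Dict[str, List[str]] = {
    "3.pool.ntp.org": ["85.21.78.23", "46.175.224.7", "54.37.233.160"],
    "ntp-d.0x5e.se": ["203.0.113.5"],  # hypothetical single-A-record host
}

Entry = Tuple[ipaddress.IPv4Network, frozenset]

# Flags under which ntpd drops a packet that is not cryptographically
# authenticated (i.e. every reply from a plain "server" association).
REJECT_FLAGS = frozenset({"ignore", "notrust"})


def parse_restricts(conf: str, resolver=FAKE_DNS) -> List[Entry]:
    """Turn 'restrict ...' lines of an ntp.conf into (network, flags) pairs.
    IPv6 lines (-6) are skipped to keep the model IPv4-only."""
    entries: List[Entry] = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict" or words[1] == "-6":
            continue
        target, rest = words[1], words[2:]
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[:1] == ["mask"]:
            net = ipaddress.ip_network(f"{target}/{rest[1]}", strict=False)
            rest = rest[2:]
        else:
            # A bare address or hostname: ntpd resolves a name to ONE address
            # at config time, so only the first record is covered.
            addr = resolver.get(target, [target])[0]
            net = ipaddress.ip_network(f"{addr}/32")
        entries.append((net, frozenset(rest)))
    return entries


def accepts_time_reply(entries: List[Entry], src: str) -> bool:
    """True if an unauthenticated NTP packet from src passes the list."""
    ip = ipaddress.ip_address(src)
    matches = [e for e in entries if ip in e[0]]
    if not matches:
        return True  # no restrict entry at all: ntpd allows by default
    _, flags = max(matches, key=lambda e: e[0].prefixlen)
    return not (flags & REJECT_FLAGS)


def server_restrict_lines(name: str, resolver=FAKE_DNS) -> List[str]:
    """Hypothetical generator: one host-mask restrict per address currently
    resolved for name. Covers today's answer only, not the address the pool
    hands ntpd later; that gap is why the thread reverted the tight default."""
    return [f"restrict {ip} mask 255.255.255.255 nomodify notrap"
            for ip in resolver[name]]


# The two configurations discussed in the thread (comments trimmed).
TIGHT_DEFAULT = """
restrict default noquery nopeer notrap nomodify notrust
restrict 127.0.0.1
restrict -6 ::1
server 3.pool.ntp.org iburst
restrict 3.pool.ntp.org nomodify notrap
restrict 192.168.5.0 mask 255.255.255.0 nomodify notrap nopeer
"""

ORIGINAL_DEFAULT = """
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.5.0 mask 255.255.255.0 nomodify notrap nopeer
"""


def scenario(conf: str, src: str) -> bool:
    return accepts_time_reply(parse_restricts(conf), src)


if __name__ == "__main__":
    for src in ("85.21.78.23", "212.110.158.28"):
        state = "accepted" if scenario(TIGHT_DEFAULT, src) else "rejected (.INIT.)"
        print(f"tight default, reply from {src}: {state}")
    print("original default, reply from 212.110.158.28:",
          scenario(ORIGINAL_DEFAULT, "212.110.158.28"))
```

Run as-is to see the two outcomes. Adding server_restrict_lines output to TIGHT_DEFAULT admits the three constructed addresses but still rejects 212.110.158.28, the address ntpd picked in the output above that was not in any DNS answer; the clients in 192.168.5.0/24 are accepted under both defaults because their entry is more specific than the default.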
pasik added a subscriber: pasik.Mar 8 2019, 10:18 PM

That's what I thought. Thanks for testing it.

I'm going to revert the default restrict.

hagbard closed this task as Resolved.Mar 8 2019, 11:25 PM

Revert to the original config, since the tighter default restrictions make trouble with pooled addresses.
http://dev.packages.vyos.net/repositories/current/vyos/pool/main/v/vyos-1x/vyos-1x_1.3.0-12_all.deb

@hagbard we should remove that function if it can't work as intended, or we need to explicitly state this.
Alternatively, we can do a special chain to control that.

@syncer The requested feature wasn't working as it should, already removed it. The current implementation is and was working as expected.