File: server-setup.md

package info (click to toggle)
rust-ntpd 1.6.2-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 2,904 kB
  • sloc: sh: 57; makefile: 28
file content (70 lines) | stat: -rw-r--r-- 2,753 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
# Setting up an NTP server

By default, ntpd-rs only acts as an NTP client, and doesn't serve time on any
network interface. To enable ntpd-rs as a server, the following can be added to
the configuration:
```toml
[[server]]
listen = "0.0.0.0:123"
```
This will cause ntpd-rs to listen on all network interfaces on UDP port 123 for
NTP client requests. If you only want to listen on a specific network
interface, change `0.0.0.0` to the IP address of that interface.

You can now configure a different machine to use your new server by adding to
its configuration:
```toml
[[source]]
mode = "server"
address = "<your server ip>:123"
```

## Limiting access
If you only want specific IP addresses to be able to access the server, you can
configure a list of allowed clients through the allowlist mechanism. For this,
edit the server configuration to look like:
```toml
[[server]]
listen = "0.0.0.0:123"
[server.allowlist]
filter = ["<allowed ipv4 1>/32", "<allowed ipv4 2>/32", "<allowed ipv6 1>/128"]
action = "ignore"
```
When configured this way, your server will only respond to the listed IP
addresses. The IP addresses are written in CIDR notation, which means you can
allow entire subnets at a time by specifying the size of the subnet instead of
the 32 or 128 after the slash. For example, `192.168.1.1/24` will allow any IP
address of the form `192.168.1.*`.

If you want to block certain IP addresses from accessing the server, you can
configure a list of blocked clients as follows:
```toml
[[server]]
listen = "0.0.0.0:123"
[server.denylist]
filter = ["<blocked ipv4 1>/32", "<blocked ipv4 2>/32", "<blocked ipv6 1>/128"]
action = "deny"
```
The deny list uses the same CIDR notion as the allow list, and can also be used
to block subnets. Connections from IP addresses contained in the deny list will
always be blocked, even if they also happen to be in the allow list.

The allow and deny list configurations are both optional in ntpd-rs. By
default, if a server is configured it will accept traffic from anywhere. When
configuring both allow and deny lists, ntpd-rs will first check if a remote is
on the deny list. Only if this is not the case will the allow list be
considered.

The `allowlist.action` and `denylist.action` properties can have two values:

- `ignore` silently ignores the request
- `deny` sends a deny kiss-o'-death packet

## Adding your server to the NTP pool

If your NTP server has a public IP address, you can consider making it
available as part of the [NTP pool](https://www.ntppool.org). Please note that
this can have significant long-term impact in terms of NTP traffic to that
particular IP address. Please read [the join instructions](https://www.ntppool.org/en/join.html)
carefully before joining the pool.