The server option defines a remote NTP server with which your local NTP server will establish a connection.
The restrict option controls how other hosts can interact with your local NTP daemon. It affects both hosts to which your server initiates connections, via the server option, and also hosts which attempt to initiate connections with your server.
The basic syntax of the command is:
restrict address [mask mask] [ippeerlimit int] [flag ...]
The flag argument is used to limit the ways in which a remote host can interact with your local server; an entry with no flag setting means the named host(s) have full access.
To understand the mask setting, it helps to read the Access control commands section of the ntpd.conf man page:
The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in dotted-quad form defaults to 255.255.255.255, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0) is always included and is always the first entry in the list. Note that the text string default, with no mask option, may be used to indicate the default entry.
And earlier in the same document:
A match occurs when the bitwise AND of the mask and the packet source address is equal to the bitwise AND of the mask and address in the list.
So if you have:
restrict 192.168.1.0 mask 255.255.255.0
Then the "bitwise AND of the mask and the packet source" for anything in the 192.168.1.0/24 network will be 192.168.1.0, so all hosts in that network will match. On the other hand, if you have:
restrict 192.168.1.0 mask 255.255.255.252
Then only hosts 192.168.1.0 through 192.168.1.3 will match.
When applied to a hostname, as you show in your example, the name is first converted to an address and then the mask is applied. I would argue that in most cases it doesn't make sense to use a mask other than 255.255.255.255 when using a hostname, and since that's the default mask you could write instead:
restrict 0.centos.pool.ntp.org
The configuration you have means "connect to 0.centos.pool.ntp.org and allow it to be used as a source of time synchronization".
Regarding your comments:
What do you mean by "Then only hosts 192.168.1.0 through 192.168.1.3 will match." please? You mean they will connect with each other. In other words, my NTP server will try to reach all hosts in range 192.168.1.0 through 192.168.1.3 for time query?
No. The restrict option does not control to which hosts your local NTP server will attempt to connect; this is what the server option is for. The restrict option controls what information your NTP server is willing to exchange once a connection is established, either by your server initiating a connection to a remote server, or by a remote server initiating a connection to your server.
Also second question please, so mask 255.255.255.255 will allow only one host, which is 0.centos.pool.ntp.org, to connect to my NTP daemon? If yes, why is that, given that if we apply AND between the IP address of 0.centos.pool.ntp.org (I understand we have to convert it to a numerical IP) and 255.255.255.255 it will give us 0.centos.pool.ntp.org?
I'm not sure I follow this question. If you AND an address with 255.255.255.255, you get the original address. That means that only the specific address given as the first argument to restrict will match.
As I said in the earlier part of my answer, I don't think it makes much sense to make use of the mask parameter when specifying a host by name, since you will typically always want the default behavior (only match what is specified explicitly).
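The matching rule quoted from the man page, worked through in code as an added illustration (this is not code from ntpd or from the answer above). It parses restrict lines, always seeds the list with the 0.0.0.0/0.0.0.0 default entry, and applies the "mask AND source == mask AND address" test to show why 255.255.255.252 covers exactly 192.168.1.0 through 192.168.1.3 while the default host mask covers one address. Assumptions: IPv4 only; hostnames are resolved through a constructed lookup table (FAKE_DNS, with a made-up address) rather than real DNS; when several entries match, the one with the most specific mask is taken as the effective entry; ippeerlimit is accepted but ignored.

```python
"""Model of ntpd's restrict address/mask matching (added example, not ntpd code).

Assumptions: IPv4 only; names resolve via a constructed table, not DNS;
most-specific mask wins when several entries match; ippeerlimit is ignored.
"""
import ipaddress
from dataclasses import dataclass

# Constructed DNS stand-in so the example runs offline. 203.0.113.10 is a
# documentation-range address, not what the pool actually returns.
FAKE_DNS = {"0.centos.pool.ntp.org": "203.0.113.10"}

HOST_MASK = 0xFFFFFFFF  # 255.255.255.255, the default mask: one host


def ip_to_int(dotted: str) -> int:
    """Dotted quad -> 32-bit integer; raises ValueError on malformed input."""
    return int(ipaddress.IPv4Address(dotted))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


@dataclass(frozen=True)
class Entry:
    address: int
    mask: int
    flags: tuple = ()  # empty tuple means "full access" in restrict terms

    def matches(self, src: int) -> bool:
        # The man page rule: (mask AND source) must equal (mask AND address).
        return (src & self.mask) == (self.address & self.mask)

    def covered_hosts(self, limit: int = 256) -> list:
        """Dotted addresses this entry matches (assumes a contiguous mask);
        returns [] if the entry covers more than `limit` hosts."""
        count = 1 << (32 - bin(self.mask).count("1"))
        if count > limit:
            return []
        base = self.address & self.mask
        return [int_to_ip(base + i) for i in range(count)]


def parse_restrict(line: str, resolve=FAKE_DNS.get) -> Entry:
    """Parse 'restrict address [mask m] [ippeerlimit n] [flag ...]'."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        raise ValueError(f"not a restrict line: {line!r}")
    target, rest = tokens[1], tokens[2:]
    if target == "default":
        address, mask = 0, 0            # the 0.0.0.0 mask 0.0.0.0 entry
    else:
        try:
            address = ip_to_int(target)
        except ValueError:              # not a dotted quad: treat as a name
            resolved = resolve(target)
            if resolved is None:
                raise ValueError(f"cannot resolve {target}") from None
            address = ip_to_int(resolved)
        mask = HOST_MASK                # default mask: exactly this address
    flags = []
    i = 0
    while i < len(rest):
        if rest[i] in ("mask", "ippeerlimit"):
            if i + 1 >= len(rest):
                raise ValueError(f"{rest[i]} needs an argument")
            if rest[i] == "mask":
                mask = ip_to_int(rest[i + 1])
            i += 2
        else:
            flags.append(rest[i])
            i += 1
    return Entry(address, mask, tuple(flags))


class RestrictList:
    def __init__(self, config_lines):
        # The default entry is always present and always first; a
        # 'restrict default ...' line only replaces its (empty) flag set.
        self.entries = [Entry(0, 0)]
        for line in config_lines:
            if line.strip():
                entry = parse_restrict(line)
                if entry.mask == 0:
                    self.entries[0] = entry
                else:
                    self.entries.append(entry)

    def effective(self, src: str) -> Entry:
        """Entry governing packets from src (assumed: most specific mask wins)."""
        n = ip_to_int(src)
        matching = [e for e in self.entries if e.matches(n)]
        return max(matching, key=lambda e: bin(e.mask).count("1"))


# Constructed configuration exercising the cases discussed in the answer.
CONFIG = [
    "restrict default kod nomodify notrap nopeer noquery",
    "restrict 192.168.1.0 mask 255.255.255.0 nomodify",
    "restrict 192.168.1.0 mask 255.255.255.252",
    "restrict 0.centos.pool.ntp.org",
]

if __name__ == "__main__":
    rl = RestrictList(CONFIG)
    for src in ("192.168.1.2", "192.168.1.4", "203.0.113.10", "203.0.113.11"):
        e = rl.effective(src)
        print(src, "->", int_to_ip(e.address), int_to_ip(e.mask), e.flags or "full access")
```

Note what RestrictList([]) returns for any source: the implicit default entry with no flags, which in the answer's terms is full access for every host. That is the practical reason a hardened ntp.conf starts with a restrictive "restrict default ..." line and then opens up specific hosts or networks below it.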