OpenNTPProject.org

Yucong Sun sunyucong at gmail.com
Mon Feb 17 05:26:10 UTC 2014


Just for the reference, here is a more complete solution for Junos (took me
a while searching the web to figure it out), hope it helps someone.

policy-options {
    prefix-list lo0.0-inet-address {
        apply-path "interfaces lo0 unit 0 family inet address <*>";
    }
    prefix-list ntp-servers {
        apply-path "system ntp server <*>";
    }
}

firewall {
    family inet {
        filter lo-filter {
            term ntp-allow {
                from {
                    source-prefix-list {
                        ntp-servers;
                        lo0.0-inet-address;
                    }
                    protocol udp;
                    destination-port ntp;
                }
                then accept;
            }
            term ntp-other-discard {
                from {
                    protocol udp;
                    destination-port ntp;
                }
                then {
                    discard;
                }
            }
            term zz-accept {
                then accept;
            }
        }
   }
}



On Sun, Feb 16, 2014 at 8:42 PM, Mark Tinka <mark.tinka at seacom.mu> wrote:

> On Monday, February 17, 2014 06:35:46 AM Lyndon Nerenberg
> wrote:
>
> > I was suggesting it as an alternative to just chopping
> > off NTP at your border.  Presumably it would be a
> > one-off thing until Juniper issues a patch.
>
> In Junos, applying the right filters to your router's
> control plane will fix the issue. You don't need to block
> NTP in the data plane.
>
> Mark.
>


More information about the NANOG mailing list