mlichvar / rsntp

High-performance NTP server written in Rust

[info] Docker #2

Open publicarray opened 6 years ago

publicarray commented 6 years ago

G'day

I just wanted to mention that I have created a simple Dockerfile for rsntp: https://github.com/publicarray/docker-rsntp

Feel free to use it https://hub.docker.com/r/publicarray/rsntp

Keep up the good time!

mlichvar commented 6 years ago

That's great. Thanks!

Artoria2e5 commented 1 week ago

To expand on your theme of using iptables: there's no rate limit on rsntp, but we can still survive misconfigured clients if we get iptables to do the limiting. For example, we can do...

-A INPUT -m udp -p udp --dport 123 -m statistic --mode random --probability 0.25 -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m hashlimit --hashlimit-above 8/minute --hashlimit-burst 8 --hashlimit-mode srcip --hashlimit-srcmask 28 --hashlimit-name ntp --hashlimit-htable-max 131072 --hashlimit-htable-expire 64000 -j DROP

to mimic chrony's defaults for ratelimit (interval 3 burst 8 leak 2). It's not exact (8/min is not the same as 0.125/s), but that's the closest I could get.

I usually add a harsher

-A INPUT -m udp -p udp --dport 123 -m hashlimit --hashlimit-above 64/second --hashlimit-burst 64 --hashlimit-mode srcip --hashlimit-srcmask 28 --hashlimit-name ntp1 --hashlimit-htable-max 131072 --hashlimit-htable-expire 4000 -j DROP

to the beginning, because I am selfish and value my bandwidth dollar over availability.
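An added simulation of the rule chain from the comment above (example code written for this page, not part of the thread and not chrony's or xt_hashlimit's own code): each hashlimit DROP rule is modelled as a token bucket shared by a source /28, the random ACCEPT is seeded so runs are reproducible, and a packet that no listed rule matches is assumed to hit a later ACCEPT rule. Running a constructed client that sends one request per second shows how many answers the 8/minute bucket lets through compared with chrony's interval 3 / burst 8.

```python
import ipaddress
import random
from fractions import Fraction

class HashLimit:
    """'-m hashlimit --hashlimit-above R --hashlimit-burst B ... -j DROP' modelled as a
    token bucket per source /srcmask (constructed model, not the xt_hashlimit code)."""
    def __init__(self, rate, burst, srcmask, expire):
        self.rate = Fraction(rate)   # tokens per second, kept exact to avoid float boundaries
        self.burst = burst           # bucket capacity and initial fill
        self.srcmask = srcmask       # --hashlimit-srcmask: one bucket per prefix
        self.expire = expire         # --hashlimit-htable-expire, in seconds
        self.table = {}              # prefix -> (tokens, last_seen)

    def verdict(self, src, now):
        key = ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)
        tokens, last = self.table.get(key, (self.burst, now))
        if now - last > self.expire:  # expired entry: a fresh one starts with a full burst
            tokens, last = self.burst, now
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:              # within the limit: '--hashlimit-above' does not match
            self.table[key] = (tokens - 1, now)
            return None
        self.table[key] = (tokens, now)
        return "DROP"

class RandomAccept:
    """'-m statistic --mode random --probability P -j ACCEPT', the chrony 'leak'."""
    def __init__(self, probability, seed=0):
        self.probability, self.rng = probability, random.Random(seed)

    def verdict(self, src, now):
        return "ACCEPT" if self.rng.random() < self.probability else None

def chrony_like_chain(leak=0.25, seed=0, harsh=False):
    """The comment's rules in order; harsh=True prepends the 64/second rule."""
    rules = [HashLimit(64, 64, 28, 4)] if harsh else []
    return rules + [RandomAccept(leak, seed), HashLimit(Fraction(8, 60), 8, 28, 64)]

def run_chain(rules, packets):
    """packets: iterable of (time_s, source_ip). The first matching rule decides; a packet
    matched by no rule is ACCEPTed (assumes a later ACCEPT rule for NTP exists)."""
    return [next((v for v in (r.verdict(src, now) for r in rules) if v), "ACCEPT")
            for now, src in packets]

def accepted(rules, packets):
    return run_chain(rules, packets).count("ACCEPT")
```

With the leak disabled, a client sending once a second for two minutes gets 23 answers (8 burst plus roughly one per 7.5 s); with the 0.25 leak it gets those plus about a quarter of the rest.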