You will also need to add your localhost as a source if you want to show that ntp association status on the router:

apply-flags omit;
term allow-ntp {
    from {
        source-prefix-list {
            ntp-server;
            localhost;
        }
        protocol udp;
        port ntp;
    }
    then {
        policer gen-use-1m;
        accept;
    }
}

show policy-options prefix-list localhost
apply-flags omit;
apply-path "interfaces lo0 unit 0 family inet address <*>";

> On May 8, 2019, at 7:22 AM, Vincent Bernat <ber...@luffy.cx> wrote:
>
>  ❦ 8 mai 2019 09:56 +02, Lars Prehn <lpr...@mpi-inf.mpg.de>:
>
>> do you NTP sync your AS boundary routers? If so, what are incentives
>> for doing so? Are there incentives, e.g. security considerations, not
>> to do it?
>
> Ensure you have a firewall rule in place to prevent people from using your
> router for NTP amplification. NTP clients are also servers. On Juniper
> devices:
>
> policy-options {
>     prefix-list ntp-servers {
>         apply-path "system ntp server <*>";
>     }
> }
> firewall {
>     /* ... */
>     term accept-ntp {
>         from {
>             source-prefix-list {
>                 ntp-servers;
>             }
>             protocol udp;
>             port ntp;
>         }
>         then {
>             policer management-1m;
>             accept;
>         }
>     }
> }
>
> (see
> <https://forums.juniper.net/jnet/attachments/jnet/DayOneArchive/77/5/Securing_RouteEngine_v2.pdf>
> for more details).
> --
> Keep it simple to make it faster.
> - The Elements of Programming Style (Kernighan & Plauger)
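
A check for the filter terms discussed in this thread, as an added example that is not part of the original messages: a Python script that parses Junos-style configuration text and reports every firewall term that accepts NTP without a source restriction or a policer. The sample configuration, the filter name protect-re, the term open-ntp and the function names are constructed for illustration.

```python
import re

# Constructed sample (hypothetical filter "protect-re"): one restricted NTP term, one open.
SAMPLE = """
firewall { filter protect-re {
    term accept-ntp {
        from { source-prefix-list { ntp-servers; } protocol udp; port ntp; }
        then { policer management-1m; accept; }
    }
    term open-ntp { from { protocol udp; port ntp; } then accept; }
} }
"""

def parse(text):
    """Parse curly-brace Junos config into nested (statement, children) pairs."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop /* ... */ annotations
    root, stack, words = [], [], []
    cur = root
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text):
        if tok == "{":                       # statement opens a block
            node = (" ".join(words), [])
            cur.append(node); stack.append(cur)
            cur, words = node[1], []
        elif tok == "}":                     # block closes, return to parent
            cur = stack.pop() if stack else root
        elif tok == ";":                     # leaf statement
            cur.append((" ".join(words), [])); words = []
        else:
            words.append(tok)
    return root

def flat(nodes):  # every statement string below a node, depth first
    return [s for name, kids in nodes for s in [name] + flat(kids)]

def audit_ntp_terms(text):
    """Map each term that accepts NTP to a list of missing protections."""
    findings = {}
    def walk(nodes):
        for name, kids in nodes:
            stmts = flat(kids)
            if not name.startswith("term "):
                walk(kids)
            elif (any(re.fullmatch(r"(destination-)?port (ntp|123)", s) for s in stmts)
                    and any(s in ("accept", "then accept") for s in stmts)):
                src = any(s.startswith(("source-prefix-list", "source-address")) for s in stmts)
                pol = any(s.startswith("policer ") for s in stmts)
                findings[name[5:]] = ["no source restriction"] * (not src) + ["no policer"] * (not pol)
    walk(parse(text))
    return findings
```

Calling audit_ntp_terms() on the text of "show configuration firewall" output returns an empty list for terms such as the two in this thread and names what is missing for any term that accepts NTP from any source.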