VyOS 1.4 Chrony as an NTP Server

By default, the chrony config in /run/chrony/chrony.conf has deny all. Even after adding an allowed client, the deny all still exists.

Allowed clients configuration

allow 192.168.1.0/24
deny all

This deny all blocks all clients regardless.

vyos:[~] # chronyc
chrony version 4.0
Copyright (C) 1997-2003, 2007, 2009-2020 Richard P. Curnow and others
chrony comes with ABSOLUTELY NO WARRANTY.  This is free software, and
you are welcome to redistribute it under certain conditions.  See the
GNU General Public License version 2 for details.

chronyc> accheck 192.168.1.1
209 Access denied
chronyc>

If I remove the deny all and restart chrony, the service then works:

chronyc> accheck 192.168.1.1
208 Access allowed
chronyc>

Any further commit adds deny all back into the conf file, which breaks the server.

Does it deny by default without deny all?

Slightly unsure about the question. The deny all was there as a default; even after adding an allowed IP range it still existed. The deny all can only be removed manually, and any further change injects the deny all again.

Just to add: if the allowed IP is not specified in the allow, then it does deny by default. I have just tested.

In the config file it has no allowed clients listed:
/run/chrony/chrony.conf

# Allowed clients configuration

Then testing:

vyos:[~] # chronyc
chrony version 4.0
Copyright (C) 1997-2003, 2007, 2009-2020 Richard P. Curnow and others
chrony comes with ABSOLUTELY NO WARRANTY.  This is free software, and
you are welcome to redistribute it under certain conditions.  See the
GNU General Public License version 2 for details.

chronyc> accheck 192.168.1.1
209 Access denied

So the deny all is unnecessary.

Should be fixed in T4980
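
The three accheck results reported in this thread can be reproduced offline with a small model of how chronyd evaluates allow/deny lines. This is an added example, not code from VyOS or chrony; it assumes chrony's documented behaviour that the `all` form overrides earlier directives for subnets inside it, handles IPv4 CIDR notation only, and uses hypothetical function names.

```python
import ipaddress

ALL_V4 = ipaddress.ip_network("0.0.0.0/0")

# Constructed samples mirroring the configs shown in the thread.
GENERATED_CONF = "# Allowed clients configuration\nallow 192.168.1.0/24\ndeny all\n"
EDITED_CONF = "# Allowed clients configuration\nallow 192.168.1.0/24\n"
EMPTY_CONF = "# Allowed clients configuration\n"


def load_rules(conf_text):
    """Build a subnet -> verdict table from allow/deny lines (True = allow)."""
    rules = {}
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words or words[0] not in ("allow", "deny"):
            continue
        verdict = words[0] == "allow"
        args = words[1:]
        override = bool(args) and args[0] == "all"
        if override:
            args = args[1:]
        # No subnet given means the whole address space.
        net = ipaddress.ip_network(args[0], strict=False) if args else ALL_V4
        if override:
            # The "all" form discards earlier entries that fall inside this
            # subnet, which is why a trailing "deny all" cancels the allow.
            rules = {n: v for n, v in rules.items() if not n.subnet_of(net)}
        rules[net] = verdict
    return rules


def accheck(rules, address):
    """Most specific matching subnet decides; no match means denied."""
    addr = ipaddress.ip_address(address)
    matches = [n for n in rules if addr in n]
    if not matches:
        return False
    return rules[max(matches, key=lambda n: n.prefixlen)]


if __name__ == "__main__":
    for name, conf in [("generated", GENERATED_CONF), ("edited", EDITED_CONF),
                       ("empty", EMPTY_CONF)]:
        allowed = accheck(load_rules(conf), "192.168.1.1")
        print(name, "208 Access allowed" if allowed else "209 Access denied")
```

Running the same check against a copy of /run/chrony/chrony.conf after each commit shows whether a trailing deny all has been written back.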
