[ntp:questions] Linux client ntp

Harlan Stenn stenn at ntp.isc.org
Sat Apr 14 20:00:17 UTC 2007

>>> In article <005601c77ea4$63035e90$a4780b3e at venus>, castellani.riccardo at tiscali.it (Riccardo Castellani) writes:

Riccardo> 1.  I thought that with the "restrict default ignore" setting it was more
Riccardo> secure for the client, which will reject all packets except those from
Riccardo> server A/B.  At this time I suppose that the "restrict default nomodify
Riccardo> nopeer notrap noquery" setting permits the client to
Riccardo> synchronize itself to server A/B but will not refuse those
Riccardo> (malicious) packets which could be sent from other machines (different
Riccardo> from the A/B servers).  Do you agree?

What, exactly, do you mean by "reject"?

Restrict lines won't help with traffic, and other 'malicious' packets don't
seem to exist.

If you are comfortable with this belief and find restrict lines are more
trouble than they are worth, then don't use restrict lines and sleep well.

If you are *not* comfortable with this belief and want to use restrict lines
and can spend the effort to understand them and make sure they work for you
the way you want, use them and sleep well.

Riccardo> 2.  "restrict default nomodify nopeer notrap noquery".  According
Riccardo> to the ntpd manual, "nomodify" doesn't permit modifying the daemon state,
Riccardo> but I don't understand how ntpd can adjust the clock; that is, which
Riccardo> option permits ntpd to modify the local clock time?

No, it means that *by default* ntpd will not modify its time based on what
anybody tells it.  You might have refclocks and you might have certain
remote peers/servers where you *do* want to let their idea of time affect

Riccardo> I want my client to ask servers A, B and C for the time, but only A's and
Riccardo> B's answers should have the privilege of letting ntpd set the local clock.
Riccardo> Server C's answers must reach ntpd but not be authorized to set the local clock.

If you want default nomodify, then have different restrict lines for A and B
that do not include nomodify.

Have you seen http://ntp.isc.org/Support/AccessRestrictions?  Are there
places in that document you think are unclear or confusing?
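
To check which restrict line would apply to a given source address, the following added example (not part of the original message and not ntpd code) models the lookup as a most-specific-match over a constructed ntp.conf fragment. The addresses are documentation-range placeholders assumed for servers A, B and C, and only IPv4 is handled.

```python
import ipaddress

# Constructed sample ntp.conf fragment; the addresses are placeholders
# standing in for servers A, B and C from the thread.
SAMPLE_CONF = """\
restrict default nomodify nopeer notrap noquery
restrict 127.0.0.1
restrict 192.0.2.10 notrap noquery      # server A
restrict 192.0.2.11 notrap noquery      # server B
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
server 192.0.2.10
server 192.0.2.11
server 198.51.100.5                     # server C, no restrict line of its own
"""

def parse_restrict(conf):
    """Return a list of (network, flags) for every IPv4 restrict line."""
    entries = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] != "restrict":
            continue
        addr, rest = words[1], words[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            mask = "255.255.255.255"          # a bare address is a host entry
            if rest[:1] == ["mask"]:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, frozenset(rest)))
    return entries

def flags_for(entries, source):
    """Flags of the most specific restrict entry covering `source`."""
    ip = ipaddress.ip_address(source)
    matches = [(net.prefixlen, flags) for net, flags in entries if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0])[1]

if __name__ == "__main__":
    table = parse_restrict(SAMPLE_CONF)
    for src in ("192.0.2.10", "192.0.2.77", "198.51.100.5", "127.0.0.1"):
        print(src, sorted(flags_for(table, src)))
```

Server C falls through to the default entry here because it has no restrict line of its own.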

