[ntp:questions] Linux client ntp

Riccardo Castellani castellani.riccardo at tiscali.it
Sun Apr 15 18:59:13 UTC 2007

Dear Harlan,
I read the document at http://ntp.isc.org/Support/AccessRestrictions and I'm
confused by the "If you used =restrict default ignore=" section.
If I used "restrict default ignore", the document says to add "restrict" to allow unrestricted access from the localhost. OK;
then it says to repeat the following two lines for each remote time server:
IPv4: server x.y.z.w
IPv4: restrict x.y.z.w [nomodify notrap nopeer noquery]

Note: "There is no harm in adding the restrictions shown in brackets but
keep in mind that if you are accepting time from someone it may be
considered courteous to allow them to see a bit of information about their

I don't understand, because the "nomodify" option is also inside the brackets.
If the "nomodify" option is added (as I told you in my previous message), I think
ntpd would not be permitted to use the time information (sent from the specified
"x.y.z.w" server) to set the local clock. If I want to receive time from
external servers, I presume that ntpd can be modified from those servers.
Do you agree?
That's not specified.

Thank you so much

Newsgroups: comp.protocols.time.ntp
To: questions at lists.ntp.isc.org
Sent: Saturday, April 14, 2007 10:00 PM
Subject: Re: [ntp:questions] Linux client ntp

>>> In article <005601c77ea4$63035e90$a4780b3e at venus>,
castellani.riccardo at tiscali.it (Riccardo Castellani) writes:

Riccardo> 1.  I thought that with the "restrict default ignore" setting it was
Riccardo> more secure for the client, which will reject all packets except
Riccardo> those from server A/B.  At this time I suppose that the "restrict
Riccardo> default nomodify nopeer notrap noquery" setting can permit the client
Riccardo> to synchronize itself to server A/B but will not refuse those
Riccardo> (malicious) packets which could be sent from other machines
Riccardo> (different from server A/B).  Do you agree?

What, exactly, do you mean by "reject"?

Restrict lines won't help with traffic, and other 'malicious' packets don't
seem to exist.

If you are comfortable with this belief and find restrict lines are more
trouble than they are worth, then don't use restrict lines and sleep well.

If you are *not* comfortable with this belief and want to use restrict lines
and can spend the effort to understand them and make sure they work for you
the way you want, use them and sleep well.

Riccardo> 2.  "restrict default nomodify nopeer notrap noquery".  According
Riccardo> to the ntpd manual, "nomodify" doesn't permit modifying the daemon
Riccardo> state, but I don't understand how ntpd can adjust the clock; that is,
Riccardo> what is the option which permits ntpd to modify the local clock time?

No, it means that *by default* ntpd will not modify its time based on what
anybody tells it.  You might have refclocks and you might have certain
remote peers/servers where you *do* want to let their idea of time affect

Riccardo> I want my client to ask servers A, B and C for the time, but only the
Riccardo> answers from A and B should have the privilege of letting ntpd set
Riccardo> the local clock.  Server C's answers must reach ntpd but not be
Riccardo> authorized to set the local clock.

If you want default nomodify, then have different restrict lines for A and B
that do not include nomodify.

Have you seen http://ntp.isc.org/Support/AccessRestrictions?  Are there
places in that document you think are unclear or confusing?
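
An added example, not part of the original messages and not the NTP project's code: a small Python model of how ntpd picks the most specific `restrict` entry for a source address and what the flags discussed in this thread deny, following the flag descriptions in the ntpd access-control documentation. The 192.0.2.10 and 198.51.100.7 addresses are constructed stand-ins (192.0.2.10 for x.y.z.w), the function names are hypothetical, and only IPv4 `restrict` lines are handled.

```python
import ipaddress

# Constructed sample ntp.conf; 192.0.2.10 stands in for the page's x.y.z.w.
SAMPLE_CONF = """\
restrict default ignore
restrict 127.0.0.1
server 192.0.2.10
restrict 192.0.2.10 nomodify notrap nopeer noquery
"""

def parse_restrict(conf):
    """Return [(network, flags)] for every IPv4 'restrict' line."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[:1] == ["mask"]:
            net = ipaddress.ip_network(f"{addr}/{rest[1]}", strict=False)
            rest = rest[2:]
        else:
            net = ipaddress.ip_network(addr)  # single host entry
        rules.append((net, frozenset(rest)))
    return rules

def flags_for(rules, src):
    """Flags of the most specific restrict entry covering src."""
    ip = ipaddress.ip_address(src)
    hits = [r for r in rules if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else frozenset()

def allowed(rules, src, kind):
    """kind: 'time', 'query' (ntpq/ntpdc read) or 'modify' (ntpq/ntpdc reconfig).

    Models restrict flags only; nopeer and notrap do not affect these kinds.
    """
    f = flags_for(rules, src)
    if "ignore" in f:
        return False          # every packet from src is dropped
    if kind == "time":
        return "noserve" not in f
    if kind == "query":
        return "noquery" not in f
    return "noquery" not in f and "nomodify" not in f
```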

