[ntp:questions] Re: change in restriction behavior in NTP4.20?
Wolfgang S. Rupprecht
wolfgang+gnus20031109T121523 at dailyplanet.dontspam.wsrcc.com
Sun Nov 9 20:33:09 UTC 2003
Adam Myrow <amyrow at midsouth.rr.com> writes:

> restrict default noquery notrust nomodify
>
> Apparently, the meaning of notrust is to not let any server connect
> unless it uses encryption, but I get the idea that this was not what it
> meant in 4.1.2. So, have the meanings of the restrict options changed?
> What would accomplish the goal of making NTP act as a client only, and
> not serving time or anything else? I currently have the whole line
> commented out for now.

If you use the "notrust" in the default, you need to clear it on a
per-host basis for the hosts you use as time servers.

This is what I used to use here. I eventually got sick of updating
the timeserver IPs and simply removed the default notrust. If
restrict took hostnames* it would be a lot easier to use a default of

# default: allow anyone to tell us the time and serve time
# to folks in a limited fashion:
restrict default nomodify notrap limited # notrust

# allow us to set our own time
restrict 127.127.0.0 mask 255.255.0.0 # internal clocks
restrict 127.0.0.1 mask 255.255.255.255 # localhost

# allow wsrcc ethernet hosts to check time and peer with us.
restrict 184.108.40.206 mask 255.255.255.0

# allow these hosts to tell us the time
restrict 10.1.2.3 mask 255.255.255.255 nomodify notrap

(* and yes, I realize hostnames can map onto several IP addresses.
Adding all of them in cases like that doesn't seem like a bad idea.)

Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
The From: address is valid. Don't mess with it.
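
Added example, not part of the original post: a small checker for the rule described above, that a default "notrust" has to be cleared per host for every time server. It assumes IPv4-only, numeric restrict lines and approximates ntpd's matching as "most specific entry wins"; the sample config, its addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample ntp.conf (addresses are documentation-range placeholders).
SAMPLE_CONF = """\
restrict default noquery notrust nomodify
restrict 127.0.0.1 mask 255.255.255.255      # localhost
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap
server 192.0.2.10
server 192.0.2.20
server ntp.example.net
"""

def parse(conf):
    """Return (servers, restricts); restricts is a list of (IPv4Network, flag set)."""
    servers, restricts = [], []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()   # drop trailing comments
        if len(tok) < 2:
            continue
        if tok[0] in ("server", "peer"):
            servers.append(tok[1])
        elif tok[0] == "restrict":
            addr, mask, flags = tok[1], "255.255.255.255", tok[2:]
            if addr == "default":
                addr, mask = "0.0.0.0", "0.0.0.0"
            if flags[:1] == ["mask"] and len(flags) > 1:
                mask, flags = flags[1], flags[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            restricts.append((net, set(flags)))
    return servers, restricts

def audit(conf):
    """Map each server/peer to 'ok', 'notrust' or 'hostname' (cannot be matched)."""
    servers, restricts = parse(conf)
    report = {}
    for srv in servers:
        try:
            ip = ipaddress.ip_address(srv)
        except ValueError:
            report[srv] = "hostname"   # restrict entries here are IP-only
            continue
        # Simplification (assumption): the most specific matching entry decides.
        hits = [(n.prefixlen, f) for n, f in restricts if ip in n]
        flags = max(hits, key=lambda h: h[0])[1] if hits else set()
        report[srv] = "notrust" if "notrust" in flags else "ok"
    return report

if __name__ == "__main__":
    for server, status in audit(SAMPLE_CONF).items():
        print(f"{server:20} {status}")
```

A server reported as "notrust" still inherits the default flag and needs its own restrict line; one reported as "hostname" has to be resolved and checked by hand.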