[ntp:questions] Re: change in restriction behavior in NTP4.20?

Wolfgang S. Rupprecht wolfgang+gnus20031109T121523 at dailyplanet.dontspam.wsrcc.com
Sun Nov 9 20:33:09 UTC 2003


Adam Myrow <amyrow at midsouth.rr.com> writes:
> restrict default noquery notrust nomodify
>
> Apparently, the meaning of notrust is to not let any server connect
> unless it uses encryption, but I get the idea that this was not what it
> meant in 4.1.2.  So, have the meanings of the restrict options changed?
> What would accomplish the goal of making NTP act as a client only, and
> not serving time or anything else?  I currently have the whole line
> commented out for now.

If you use the "notrust" in the default, you need to clear it on a
per-host basis for the hosts you use as time servers.

This is what I used to use here.  I eventually got sick of updating
the timeserver IPs and simply removed the default notrust.  If
restrict took hostnames* it would be a lot easier to use a default of
notrust.

    # default: allow anyone to tell us the time and serve time
    # to folks in a limited fashion:
    restrict default nomodify notrap limited # notrust

    # allow us to set our own time
    restrict 127.127.0.0      mask 255.255.0.0        # internal clocks
    restrict 127.0.0.1        mask 255.255.255.255    # localhost

    # allow wsrcc ethernet hosts to check time and peer with us.
    restrict 192.83.197.0     mask 255.255.255.0

    # allow these hosts to tell us the time
    restrict 10.1.2.3         mask 255.255.255.255 nomodify notrap
    ...

(* and yes, I realize hostnames can map onto several IP addresses.
Adding all of them in cases like that doesn't seem like a bad idea.)

-wolfgang
-- 
Wolfgang S. Rupprecht 		     http://www.wsrcc.com/wolfgang/
           The From: address is valid.  Don't mess with it.
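As an added illustration (not code from the post or from the ntp project), a small Python model of how a restrict list resolves to one flag set per source address: the most specific matching entry wins, which is why a default notrust has to be cleared with a per-host line for every server you sync from. The matching rule and the "notrust blocks sync" reading are simplified assumptions, not ntpd's code, and the table is a constructed excerpt of the lines above.

```python
import ipaddress

# Constructed excerpt of the restrict lines from the post, reduced to
# address, mask and flag set.  "default" is treated as 0.0.0.0/0.0.0.0
# (assumption: that is how ntpd represents it).
RESTRICT_LINES = [
    ("default", "0.0.0.0", {"nomodify", "notrap", "limited", "notrust"}),
    ("127.127.0.0", "255.255.0.0", set()),
    ("127.0.0.1", "255.255.255.255", set()),
    ("192.83.197.0", "255.255.255.0", set()),
    ("10.1.2.3", "255.255.255.255", {"nomodify", "notrap"}),
]


def parse_restrict(lines):
    """Turn (address, mask, flags) tuples into (ip_network, flags) pairs."""
    nets = []
    for addr, mask, flags in lines:
        if addr == "default":
            addr = "0.0.0.0"
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        nets.append((net, frozenset(flags)))
    return nets


def effective_flags(nets, source_ip):
    """Flag set applied to a packet from source_ip.

    Simplified model (assumption): the entry with the longest matching
    mask wins and only its flags apply; flags do not accumulate.
    """
    ip = ipaddress.ip_address(source_ip)
    best = None
    for net, flags in nets:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return best[1] if best else frozenset()


def may_sync_from(nets, server_ip):
    """True if server_ip could be used as a time source, i.e. the entry
    that matches it does not carry notrust (the reading used in the post)."""
    return "notrust" not in effective_flags(nets, server_ip)


if __name__ == "__main__":
    nets = parse_restrict(RESTRICT_LINES)
    for ip in ("10.1.2.3", "10.1.2.4", "192.83.197.42"):
        print(ip, sorted(effective_flags(nets, ip)), may_sync_from(nets, ip))
```

Running it shows 10.1.2.3 accepted as a source, while 10.1.2.4 falls through to the default line and keeps notrust, which is exactly the per-host maintenance the post complains about.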