[ntp:questions] noserve restrict option

Robert Rati Robert.Rati at motorola.com
Tue Oct 5 18:01:21 UTC 2004


I'm attempting to secure an NTP client setup and have recently upgraded 
from 4.1 to 4.2 but one of the options I used in 4.1 appears to work 
differently in 4.2.  Basically, I restrict clients with the default:

restrict default ignore

For each time server I have:

restrict <ip-addr> noquery noserve
server <ip-addr> maxpoll 12 version 3

This worked in 4.1, but with 4.2 this prevents time synchronization.  I 
did some searching on the web, and tracked the problem to the noserve 
option.  The documentation I have read about this option has been a bit 
confusing.  Most of the documentation either says the noserve option means:

"Deny all packets except ntpq and ntpdc queries"
or
"Specifies to ignore NTP packets whose mode is not 6 or 7. This denies 
time service, but permits queries."

but I have found one that says:
"adding noserve to the default restrict causes a box to ignore all NTP 
time packets destined to it, including NTP responses from servers that 
have been defined in ntp.conf"

So my question is, what is the noserve option supposed to do?  In 4.2, 
it appears to ignore all time packets even from servers, but it didn't 
do this in 4.1.  The "denies time service" could be interpreted to mean 
the NTP daemon refuses to serve up time (but will still receive time 
from servers), or that no time synchronization packets are allowed at 
all (i.e. client can't even sync against a server).  Was an issue fixed in 
4.2 that changed this functionality from 4.1?

Rob
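
Added example (not part of the original post, and not ntpd's own code): a small model that reads the literal documentation wording quoted above ("ignore NTP packets whose mode is not 6 or 7") and applies it to the posted configuration, showing which packet modes from the configured server would be accepted. Assumptions: 192.0.2.10 is a constructed stand-in for <ip-addr>, only `default` and single-host `restrict` lines are handled, and the most specific matching entry is the one applied.

```python
import ipaddress

QUERY_MODES = {6, 7}  # mode 6 = ntpq (control), mode 7 = ntpdc (private)
MODE_NAMES = {3: "client request", 4: "server reply", 6: "ntpq", 7: "ntpdc"}

# Constructed sample: the post's config with 192.0.2.10 standing in for <ip-addr>.
CONF_POSTED = """\
restrict default ignore
restrict 192.0.2.10 noquery noserve
server 192.0.2.10 maxpoll 12 version 3
"""
CONF_NOQUERY_ONLY = CONF_POSTED.replace("noquery noserve", "noquery")

def parse_restrict(conf):
    """Return [(network, flags)] for each 'restrict' line (host or default only)."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        net = "0.0.0.0/0" if tok[1] == "default" else tok[1] + "/32"
        rules.append((ipaddress.ip_network(net), set(tok[2:])))
    return rules

def verdict(rules, src, mode):
    """Apply the most specific matching entry to a packet of the given mode."""
    addr = ipaddress.ip_address(src)
    matches = [r for r in rules if addr in r[0]]
    if not matches:
        return "accept"
    _, flags = max(matches, key=lambda r: r[0].prefixlen)
    if "ignore" in flags:
        return "drop"  # ignore: every packet, queries included
    if mode in QUERY_MODES:
        return "drop" if "noquery" in flags else "accept"
    # Quoted wording for noserve: packets whose mode is not 6 or 7 are ignored.
    return "drop" if "noserve" in flags else "accept"

def table(conf, src="192.0.2.10"):
    """Verdict per packet mode for packets arriving from src."""
    rules = parse_restrict(conf)
    return {MODE_NAMES[m]: verdict(rules, src, m) for m in MODE_NAMES}

if __name__ == "__main__":
    print("noquery noserve:", table(CONF_POSTED))
    print("noquery only:   ", table(CONF_NOQUERY_ONLY))
```

Read this way, `noquery noserve` on a server's entry leaves no mode accepted from that address, including the mode 4 replies the client needs, while `noquery` alone still admits them.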


