[ntp:questions] noserve restrict option
Robert.Rati at motorola.com
Tue Oct 5 18:01:21 UTC 2004
I'm attempting to secure an NTP client setup and have recently upgraded
from 4.1 to 4.2 but one of the options I used in 4.1 appears to work
differently in 4.2. Basically, I restrict clients with the default:

    restrict default ignore

For each time server I have:

    restrict <ip-addr> noquery noserve
    server <ip-addr> maxpoll 12 version 3

This worked in 4.1, but with 4.2 this prevents time synchronization. I
did some searching on the web, and tracked the problem to the noserve
option. The documentation I have read about this option has been a bit
confusing. Most of the documentation either says the noserve option means:
"Deny all packets except ntpq and ntpdc queries"
"Specifies to ignore NTP packets whose mode is not 6 or 7. This denies
time service, but permits queries."
but I have found one that says:
"adding noserve to the default restrict causes a box to ignore all NTP
time packets destined to it, including NTP responses from servers that
have been defined in ntp.conf"
So my question is, what is the noserve option supposed to do? In 4.2,
it appears to ignore all time packets even from servers, but it didn't
do this in 4.1. The "denies time service" could be interpreted to mean
the NTP daemon refuses to serve up time (but will still receive time
from servers), or that no time synchronization packets are allowed at
all (i.e. client can't even sync against a server). Was an issue fixed in
4.2 that changed this functionality from 4.1?
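
Added example, not part of the original post: a small ntp.conf check that reports every server whose most specific matching restrict entry carries noserve or ignore, which is the combination the post reports as stopping synchronization under 4.2. The function names and the 192.0.2.x sample addresses are constructed for illustration, and treating those two flags as blocking is an assumption taken from the behaviour described above.

```python
import ipaddress

# Flags assumed to drop time packets, per the 4.2 behaviour the post reports.
BLOCKING = {"ignore", "noserve"}

# Constructed sample configuration (documentation addresses, not real servers).
SAMPLE = """\
restrict default ignore
restrict 192.0.2.10 noquery noserve
server 192.0.2.10 maxpoll 12 version 3
restrict 192.0.2.20 noquery
server 192.0.2.20 maxpoll 12 version 3
server 192.0.2.30
"""

def parse(conf):
    """Return (restricts, servers) from ntp.conf text; hostnames are skipped."""
    restricts, servers = [], []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        try:
            if tok[0] == "restrict":
                rest = tok[2:]
                if tok[1] == "default":
                    net = ipaddress.ip_network("0.0.0.0/0")
                elif rest[:1] == ["mask"] and len(rest) >= 2:
                    net = ipaddress.ip_network(f"{tok[1]}/{rest[1]}", strict=False)
                    rest = rest[2:]
                else:
                    net = ipaddress.ip_network(tok[1], strict=False)
                restricts.append((net, set(rest)))
            elif tok[0] == "server":
                servers.append(ipaddress.ip_address(tok[1]))
        except ValueError:
            continue  # hostname or -4/-6 form: out of scope for this check
    return restricts, servers

def blocked_servers(conf):
    """List (server, flags) where the applicable restrict entry blocks time packets."""
    restricts, servers = parse(conf)
    findings = []
    for addr in servers:
        matches = [(n, f) for n, f in restricts if addr in n]
        # The most specific matching restrict entry is the one that applies.
        flags = max(matches, key=lambda m: m[0].prefixlen)[1] if matches else set()
        if flags & BLOCKING:
            findings.append((str(addr), sorted(flags & BLOCKING)))
    return findings
```

A server with no restrict line of its own falls through to the default entry, so with "restrict default ignore" it is reported as well.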