[ntp:questions] "Trapping" in ntpd

Rob pse at nospam.com
Wed Oct 3 16:21:01 UTC 2007


Steve wrote:

> "A properly chosen default restriction will, in many circumstances, 
> eliminate the need to clutter your ntp.conf file with redundant restrict
> lines."

Agreed. The ability to do queries is important if you are not sure whether
you can trust the ntpd server.  (i.e. unauthenticated time servers on the
internet).

But some of the ntp.conf files that I have seen use "restrict default
nomodify nopeer notrap"

In my view, this is a sensible default restrict line.  It lets others do
queries on your ntpd server but not set traps (which is probably only
useful for debugging purposes and may increase load on your ntpd server
significantly).  It also prevents others from doing run time modifications
to your server. Another sensible restriction.

But if you wanted to really lock down your company's ntpd server on a
corporate LAN, one could use "restrict default nomodify nopeer noquery".
I suspect the noquery would also block traps.  I am not sure.

Under this situation, one could use ntp authentication on the LAN to help
ensure trustworthiness of the time source.

Rob
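
An added example, not part of the original post: a small Python audit that reads an ntp.conf and reports which of the four flags discussed above are absent from each "restrict default" line. The sample configuration, the function names and the "unspecified" label for a line without -4/-6 are constructed for illustration.

```python
# Flags discussed in the thread and what each one denies.
FLAGS = {
    "nomodify": "run-time modification of the server",
    "nopeer": "new peer associations",
    "notrap": "setting traps",
    "noquery": "ntpq/ntpdc queries",
}

# Constructed sample ntp.conf; the two default lines are the ones quoted above.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift
restrict default nomodify nopeer notrap   # allows queries
restrict -6 default nomodify nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 0.pool.example iburst
"""

def parse_restrict(conf_text):
    """Return {(family, target): set_of_flags} for every restrict line."""
    rules = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "unspecified"
        if args[0] in ("-4", "-6"):
            family = "ipv" + args[0][1]
            args = args[1:]
        if not args:
            continue
        target, rest = args[0], args[1:]
        if len(rest) >= 2 and rest[0] == "mask":
            target, rest = target + "/" + rest[1], rest[2:]
        rules[(family, target)] = set(rest)
    return rules

def audit_default(conf_text):
    """Map each default line's family to the discussed flags it lacks.

    Only literal flags are compared; no flag is assumed to imply another.
    An empty result means the file has no "restrict default" line at all.
    """
    return {
        family: sorted(f for f in FLAGS if f not in flags)
        for (family, target), flags in parse_restrict(conf_text).items()
        if target == "default"
    }

if __name__ == "__main__":
    for family, missing in audit_default(SAMPLE_CONF).items():
        for flag in missing:
            print(f"default ({family}): {flag} absent, permits {FLAGS[flag]}")
```
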



