[ntp:questions] I don't understand "Restrict" statements!

William Unruh unruh at invalid.ca
Mon Jan 19 16:48:08 UTC 2015

On 2015-01-19, David Taylor <david-taylor at blueyonder.co.uk.invalid> wrote:
> It's me, not you, but with the following statements in ntp.conf:
> restrict source notrap nomodify nopeer query
> restrict
> restrict ::1
> restrict mask peer
> I get errors flagged at the points marked with "X" below:

And where did you get either query or peer as possible options? 
If you do NOT mention something it is allowed. 

If you want to allow queries from anywhere, simply do not mention
(Yes, it is an ass backwards apparent double negative)
So without noquery (and certainly without the non-existent option
query) the first line would allow queries from anywhere. The second would
allow anything from localhost, the third the same in IPv6 talk, and the
fourth would allow anything from that address range. 

> restrict source notrap nomodify nopeer Xquery
> restrict mask Xpeer
> My intention was:
> - not allow external access, except for using external nodes as servers, 
> just as if I only had Internet sources.

These do not restrict your access to external stuff; they restrict
external access to your system.

You want noquery in there. Yes, you are being fooled by the stupid
apparent double negative. Restrict ... noquery does not mean "do not
allow noqueries -- ie allow queries". It means "place restrictions on that
address, and the restriction is to allow no queries".
The second line means 
place restrictions on localhost, and those restrictions are none (ie no
At least that is how I understand it, and it could well be wrong. 

> - to allow full access to any PC on 192.168.0. so that the PC could use 
> the server as a client, and issue ntpq commands against it, in 
> particular:  ntpq -crv  and  ntpq -pn

So get rid of the "peer" 

> I've tried reading the documentation, but it has failed to enlighten me 
> sufficiently!
You just have to stand on your head and wave your feet around
vigorously, and all will be clear!
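
Added example, not part of the original message and not ntpd's own code: a small Python checker that reads `restrict` lines, reports unknown keywords such as `query` and `peer`, and works out whether `ntpq` would be answered for a given client. The flag list is the classic ntpd 4.2 set, the sample addresses are assumptions, and "most specific entry wins" is a simplification of ntpd's matching.

```python
import ipaddress

# Restriction flags from the classic ntpd 4.2 access-control documentation.
# Every flag removes or limits something; there are no "allow" keywords.
KNOWN_FLAGS = {"flake", "ignore", "kod", "limited", "lowpriotrap", "mssntp",
               "nomodify", "noquery", "nopeer", "noserve", "notrap",
               "notrust", "ntpport", "version"}

def parse_restrict(line):
    """Return (networks, flags, unknown) for one 'restrict' line."""
    tok = line.split()[1:]            # drop the 'restrict' keyword
    target, rest = tok[0], tok[1:]
    mask = None
    if rest[:1] == ["mask"]:
        mask, rest = rest[1], rest[2:]
    if target == "default":
        nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    elif target == "source":
        nets = []                     # template for configured servers, not an address
    else:
        nets = [ipaddress.ip_network(f"{target}/{mask}" if mask else target)]
    flags = {f for f in rest if f in KNOWN_FLAGS}
    unknown = [f for f in rest if f not in KNOWN_FLAGS]
    return nets, flags, unknown

def effective_flags(config, client):
    """Flags of the most specific entry matching client (longest prefix wins)."""
    ip = ipaddress.ip_address(client)
    best, best_flags = -1, set()      # no matching entry means no restrictions
    for line in config.strip().splitlines():
        nets, flags, _ = parse_restrict(line)
        for n in nets:
            if n.version == ip.version and ip in n and n.prefixlen > best:
                best, best_flags = n.prefixlen, flags
    return best_flags

def ntpq_allowed(config, client):
    """ntpq -crv / -pn are mode 6 queries: blocked by noquery or ignore."""
    return not ({"noquery", "ignore"} & effective_flags(config, client))

# Constructed sample config; addresses are assumptions, not from the post.
SAMPLE = """
restrict default notrap nomodify nopeer noquery
restrict source notrap nomodify noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.0.0 mask 255.255.255.0
"""
```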

