[ntp:questions] xntpd (NTPv3) "restrict" questions.
Brad Knowles
brad at stop.mail-abuse.org
Sun Jan 2 17:14:14 UTC 2005

At 8:24 AM +0000 2005-01-02, Pete Stephenson wrote:
> I googled for an example configuration and located the following from
> http://www.xs4all.nl/~xpeterxq/suse_conf_files/ntp.conf.html:
>
> restrict default notrust lowpriotrap nopeer nomodify
> restrict 209.204.159.18 mask 255.255.255.0 nopeer nomodify
> restrict 204.152.184.72 mask 255.255.255.0 nopeer nomodify
> restrict 216.218.192.202 mask 255.255.255.0 nopeer nomodify
> restrict 216.218.254.202 mask 255.255.255.0 nopeer nomodify

Note that "notrust" means that the clients have to authenticate
the server cryptographically. If you haven't set up cryptographic
authentication keys, then this isn't going to work.

> restrict default notrust lowpriotrap nopeer nomodify
> restrict time.sonic.net mask 255.255.255.0 nopeer nomodify
> restrict clock.isc.org mask 255.255.255.0 nopeer nomodify
> restrict clock.fmt.he.net mask 255.255.255.0 nopeer nomodify
> restrict clock.sjc.he.net mask 255.255.255.0 nopeer nomodify

The "restrict" keyword only works with IP addresses, not
hostnames. This is a known weakness in the configuration file
parsing, where everything else prefers hostnames (because the IP
address could always change) but this requires IP addresses.

Generally speaking, you probably don't want to try to do things
which require "restrict" unless you're using exclusively your own
time servers on your own network, and you can guarantee that no names
ever change and no IP addresses ever change.

Your server will automatically be protected from people trying to
modify the time on it unless you "peer" with them. They may try to
update your concept of time, but your server will ignore those
packets unless it is explicitly told to look for them.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
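
A small lint for the two problems raised in the reply above, as an added example that is not part of the original message or of the NTP distribution: it flags "restrict" lines that give a hostname where an IP address is expected, and "notrust" used with no keys configured. The function names are hypothetical, and treating a missing `keys` directive as "no authentication keys set up" is an assumption.

```python
import ipaddress
import re

# Constructed sample: lines taken from the two quoted configurations above.
SAMPLE_CONF = """\
restrict default notrust lowpriotrap nopeer nomodify
restrict 209.204.159.18 mask 255.255.255.0 nopeer nomodify
restrict time.sonic.net mask 255.255.255.0 nopeer nomodify
restrict clock.isc.org mask 255.255.255.0 nopeer nomodify
"""

def _is_ip(token):
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def lint_restrict(conf_text):
    """Return a list of (line_number, message) findings for an ntp.conf text."""
    findings = []
    # Strip '#' comments and split every line into whitespace-separated fields.
    lines = [re.sub(r"#.*", "", l).split() for l in conf_text.splitlines()]
    # Assumption: a 'keys' directive means authentication keys were set up.
    has_keys = any(f and f[0] == "keys" for f in lines)
    for n, fields in enumerate(lines, start=1):
        if not fields or fields[0] != "restrict":
            continue
        if len(fields) < 2:
            findings.append((n, "restrict with no address"))
            continue
        addr = fields[1]
        if addr != "default" and not _is_ip(addr):
            findings.append((n, f"'{addr}' is a hostname; restrict needs an IP address"))
        # The mask, when present, must itself be written as an address.
        if "mask" in fields[2:]:
            i = fields.index("mask", 2)
            if i + 1 >= len(fields) or not _is_ip(fields[i + 1]):
                findings.append((n, "mask is missing or not an IP address"))
        if "notrust" in fields[2:] and not has_keys:
            findings.append((n, "notrust set but no 'keys' file is configured"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_restrict(SAMPLE_CONF):
        print(f"line {n}: {msg}")
```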