[ntp:questions] Re: autokey restriction

Steve Kostecke kostecke at ntp.isc.org
Fri Nov 11 20:00:50 UTC 2005


On 2005-11-10, Kevin Golder <kgolder at spectracomcorp.com> wrote:

> I'm trying to prohibit my server from responding to
> any client that is not using autokey and part of my trusted group. I
> have the following two "restrict" lines in my ntp.conf file of the
> server to try and do so.

> restrict default ignore
> restrict 10.10.0.0 mask 255.255.0.0 autokey

The following tells ntpd to ignore all NTP packets and then allows NTP
packets from 10.10.0.0/16 only if they are cryptographically
authenticated.

| restrict default ignore
| restrict 10.10.0.0 mask 255.255.0.0 notrust

Or, you could just:

| restrict default notrust

If you want to be able to use remote time servers you could:

| restrict default ignore
| restrict 10.10.0.0 mask 255.255.0.0 notrust
| restrict ip.of.server.one <appropriate restrictions here>
| restrict ip.of.server.two <appropriate restrictions here>
| ...

Or:

| restrict default notrust
| restrict ip.of.server.one <appropriate restrictions here>
| restrict ip.of.server.two <appropriate restrictions here>
| ...

The appropriate restrictions for remote time servers depend upon your
requirements. Something like "nomodify nopeer noquery notrap" may be
suitable.

There is some information about setting ntpd restrictions at
http://ntp.isc.org/Support/AccessRestrictions

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
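
Added example, not part of the original message and not ntpd's own code: a simplified Python model of how the third configuration in the reply treats a time packet. It assumes the most specific matching restrict entry supplies the flags and that notrust drops unauthenticated packets as the reply describes. It handles IPv4 only; 192.0.2.10 is a constructed stand-in for ip.of.server.one, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the reply's third variant, with 192.0.2.10 standing in
# for ip.of.server.one and the flags the reply suggests for remote servers.
SAMPLE_CONF = """\
restrict default ignore
restrict 10.10.0.0 mask 255.255.0.0 notrust
restrict 192.0.2.10 nomodify nopeer noquery notrap
"""

def parse_restrict(conf):
    """Return [(IPv4Network, flags)] for each restrict line in ntp.conf text."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif len(rest) >= 2 and rest[0] == "mask":
            net = ipaddress.ip_network(f"{addr}/{rest[1]}")
            rest = rest[2:]
        else:
            net = ipaddress.ip_network(f"{addr}/32")  # no mask: single host
        rules.append((net, frozenset(rest)))
    return rules

def decide(rules, src, authenticated):
    """Model the fate of a time packet from src: 'accept' or 'drop'."""
    ip = ipaddress.ip_address(src)
    matches = [r for r in rules if ip in r[0]]
    # Assumption: the most specific matching entry supplies the flags;
    # with no matching entry at all, no restrictions apply.
    _, flags = max(matches, key=lambda r: r[0].prefixlen,
                   default=(None, frozenset()))
    if "ignore" in flags:
        return "drop"
    if "notrust" in flags and not authenticated:
        return "drop"
    return "accept"

if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_CONF)
    for src, auth in [("10.10.3.7", True), ("10.10.3.7", False),
                      ("203.0.113.5", True), ("192.0.2.10", False)]:
        print(f"{src:<12} authenticated={auth!s:<5} -> {decide(rules, src, auth)}")
```
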



