[ntp:questions] Re: autokey restriction
Steve Kostecke
kostecke at ntp.isc.org
Fri Nov 11 20:00:50 UTC 2005
On 2005-11-10, Kevin Golder <kgolder at spectracomcorp.com> wrote:
> I'm trying to prohibit my server from responding to
> any client that is not using autokey and part of my trusted group. I
> have the following two "restrict" lines in my ntp.conf file of the
> server to try and do so.
> restrict default ignore
> restrict 10.10.0.0 mask 255.255.0.0 autokey
The following tells ntpd to ignore all NTP packets and then allows NTP
packets from 10.10.0.0/16 only if they are cryptographically
authenticated.
| restrict default ignore
| restrict 10.10.0.0 mask 255.255.0.0 notrust
Or, you could just:
| restrict default notrust
If you want to be able to use remote time servers you could:
| restrict default ignore
| restrict 10.10.0.0 mask 255.255.0.0 notrust
| restrict ip.of.server.one <appropriate restrictions here>
| restrict ip.of.server.two <appropriate restrictions here>
| ...
Or:
| restrict default notrust
| restrict ip.of.server.one <appropriate restrictions here>
| restrict ip.of.server.two <appropriate restrictions here>
| ...
The appropriate restrictions for remote time servers depend upon your
requirements. Something like "nomodify nopeer noquery notrap" may be
suitable.
There is some information about setting ntpd restrictions at
http://ntp.isc.org/Support/AccessRestrictions
--
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
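
Added example, not part of the original message: a small checker that reads "restrict" lines like the ones in the reply and reports whether a request from a given source address would be answered. It assumes the most specific matching entry decides the flags, and it treats "notrust" as the reply describes it (answered only when cryptographically authenticated). The address 192.0.2.10 is a constructed stand-in for "ip.of.server.one", and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the reply's third layout, with 192.0.2.10 standing in
# for "ip.of.server.one" (a documentation address, not from the thread).
SAMPLE_CONF = """\
restrict default ignore
restrict 10.10.0.0 mask 255.255.0.0 notrust
restrict 192.0.2.10 nomodify nopeer noquery notrap
"""

def parse_restrict(conf):
    """Return [(network, flags)] for each IPv4 'restrict' line."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        elif rest[:1] == ["mask"] and len(rest) >= 2:
            mask, rest = rest[1], rest[2:]
        else:
            mask = "255.255.255.255"  # no mask given: host entry
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((net, frozenset(rest)))
    return rules

def effective_flags(rules, src):
    """Flags of the most specific entry covering src (longest mask wins)."""
    ip = ipaddress.ip_address(src)
    hits = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    if not hits:
        return frozenset()  # assumption: no matching entry, no restrictions
    return max(hits, key=lambda h: h[0])[1]

def verdict(rules, src, authenticated):
    """'dropped' or 'answered' for a time request from src."""
    flags = effective_flags(rules, src)
    if "ignore" in flags:
        return "dropped"
    if "notrust" in flags and not authenticated:
        return "dropped"
    return "answered"
```

Running verdict() for an unauthenticated and an authenticated client inside 10.10.0.0/16, and for an address outside every listed range, shows which entry governs each case before the configuration is deployed.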