<<You can't use "restrict default ignore" and pool servers (or any other hostnames that resolve to multiple IP addresses >>
What do you suggest, to use server hostnames which resolve to a unique IP address? How many servers should you insert into ntp.conf? Min. 4?

Steve Kostecke wrote:
> On 2007-03-13, RICCARDO <[EMAIL PROTECTED]> wrote:
>
> > I'm going to create my internal time server, what do you think if I
> > set ntp.conf so:
>
> > restrict default ignore
>
> You can't use "restrict default ignore" and pool servers (or any other
> hostnames that resolve to multiple IP addresses
>
> > restrict 127.0.0.1
> > restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery
> > notrap
> > #for stratum 1 time server
> >
> > restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
> > #for clients
> >
> > server 1.it.pool.ntp.org
> > #time server of stratum 1
>
> The 1 on that server line does not mean that you will get a stratum-1
> time server.
>
> If you wish to use the it.pool.ntp.org zone you should follow the
> instructions at http://www.pool.ntp.org/zone/it
>
> > driftfile /var/lib/ntp/drift
>
> Here's what your ntp.conf ought to look like (if you are using the
> it.pool zone):
>
> # General settings
> driftfile /var/lib/ntp/drift
>
> # Default restriction - time service only
> restrict default nomodify nopeer notrap noquery
> restrict 127.0.0.1
>
> # Authorized Clients - are allowed time service and status queries
> restrict 196.200.3.0 mask 255.255.255.0 nomodify nopeer notrap
>
> # Remote time servers from the it.pool.ntp.org zone
> server 2.it.pool.ntp.org iburst
> server 0.europe.pool.ntp.org iburst
> server 2.europe.pool.ntp.org iburst
>
> > I noted that if I set bad time my server, ntpd service synchronizes
> > it correctly but how it's possible if it's set "restrict
> > 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap"?
> > should "Nomodify" option avoid to change status of my internal server
> > (time should not be set)?
>
> nomodify has nothing to do with time service.
>
> nomodify ==> "Deny ntpq and ntpdc queries which attempt to modify the
> state of the server (i.e., run time reconfiguration). Queries which
> return information are permitted."
>
> Remote modifications of ntpd require either (a) the use of symmetric
> keys or (b) that you completely disable authentication. So your ntpd
> can't be modified remotely unless you satisfy (a) or (b).
>
> nomodify blocks remote modifications even if someone has the symmetric
> key(s) or, I believe, if authentication is disabled.
>
> --
> Steve Kostecke <[EMAIL PROTECTED]>
> NTP Public Services Project - http://ntp.isc.org/
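The conflict between "restrict default ignore" and multi-address hostnames discussed in this thread can be checked mechanically. The Python sketch below is an added example, not part of the original messages and not ntpd code: `parse`, `blocked_servers`, `resolve` and the DNS table are hypothetical names with constructed data, and it assumes a hostname on a `restrict` line is pinned to a single resolved address (modelled here as the first answer).

```python
import ipaddress

def parse(conf):
    """Split ntp.conf text into (default flags, restrict entries, server hosts)."""
    default, restricts, servers = None, [], []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "restrict" and tok[1] == "default":
            default = set(tok[2:])
        elif tok[0] == "restrict":
            mask = tok[3] if len(tok) > 3 and tok[2] == "mask" else None
            restricts.append((tok[1], mask, set(tok[2:])))
        elif tok[0] in ("server", "peer", "pool"):
            servers.append(tok[1])
    return default, restricts, servers

def blocked_servers(conf, resolve):
    """Map each server host to the addresses whose replies would be ignored."""
    default, restricts, servers = parse(conf)
    if not default or "ignore" not in default:
        return {}               # the default rule still allows time service
    allowed = []
    for addr, mask, flags in restricts:
        if "ignore" in flags:
            continue
        ip = resolve(addr)[0]   # assumption: a hostname is pinned to one address
        net = f"{ip}/{mask}" if mask else ip
        allowed.append(ipaddress.ip_network(net, strict=False))
    report = {}
    for host in servers:
        bad = [ip for ip in resolve(host)
               if not any(ipaddress.ip_address(ip) in n for n in allowed)]
        if bad:
            report[host] = bad
    return report

# Constructed DNS answers (documentation address ranges, not real pool members).
DNS = {"1.europe.pool.ntp.org": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],
       "1.it.pool.ntp.org": ["198.51.100.5", "198.51.100.6"]}

def resolve(name):
    return DNS.get(name, [name])    # IP literals pass through unchanged

# The configuration as posted in the thread (comments omitted).
POSTED = """restrict default ignore
restrict 127.0.0.1
restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
server 1.it.pool.ntp.org
"""
print(blocked_servers(POSTED, resolve))
```

Even when the `server` and `restrict` lines name the same pool hostname, every address other than the pinned one is reported, which is why the suggested configuration opens the default rule to time service instead.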
