>>> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Riccardo Castellani) writes:

Riccardo> 1. I thought with "restrict default ignore" settings it was more
Riccardo> secure for client, which will reject all packets except for server
Riccardo> A/B. At this time I suppose that "restrict default nomodify
Riccardo> nopeer notrap noquery" setting can permitting to client to
Riccardo> synchronize itself to server A/B but will not refuse those packets
Riccardo> (malicious) which could be sent from other machines (different
Riccardo> from A/B server). Do you agree ?

What, exactly, do you mean by "reject"?

Restrict lines won't help with traffic, and other 'malicious' packets don't seem to exist.

If you are comfortable with this belief and find restrict lines are more trouble than they are worth, then don't use restrict lines and sleep well.

If you are *not* comfortable with this belief and want to use restrict lines and can spend the effort to understand them and make sure they work for you the way you want, use them and sleep well.

Riccardo> 2. "restrict default nomodify nopeer notrap noquery". According
Riccardo> to ntpd manual, "nomodify" doesn't permit to modify daemon state
Riccardo> but I don't understand how ntpd can adjust clock; that is what's
Riccardo> option which permits ntpd to modify local clock time ?

No, it means that *by default* ntpd will not modify its time based on what anybody tells it. You might have refclocks and you might have certain remote peers/servers where you *do* want to let their idea of time affect yours.

Riccardo> I want my client asks time to A,B,C servers but only A,B answers
Riccardo> have privileges to ntpd can set local clock. Server C answers
Riccardo> must reach ntpd but not authorize to set local clock.

If you want default nomodify, then have different restrict lines for A and B that do not include nomodify.

Have you seen http://ntp.isc.org/Support/AccessRestrictions? Are there places in that document you think are unclear or confusing?

H

_______________________________________________
questions mailing list
[EMAIL PROTECTED]
https://lists.ntp.isc.org/mailman/listinfo/questions
