Dear Harlan,

I read the document at URL http://ntp.isc.org/Support/AccessRestrictions and I'm confused by the "6.5.1.2.1. If you used =restrict default ignore=" section.

If I used "restrict default ignore", the document says to add "restrict 127.0.0.1" to allow unrestricted access from the localhost. OK; then it says to repeat the following two lines for each remote time server:

IPv4: server x.y.z.w
IPv4: restrict x.y.z.w [nomodify notrap nopeer noquery]

Note: "There is no harm in adding the restrictions shown in brackets but keep in mind that if you are accepting time from someone it may be considered courteous to allow them to see a bit of information about their client."

I don't understand, because there is also the "nomodify" option inside the brackets. If the "nomodify" option is added (as I told you in my previous message), I think ntpd would not be permitted to use time information (sent from the specified "x.y.z.w" server) to set the local clock. If I want to receive time from external servers, I presume that ntpd can be modified from those servers. Do you agree? That's not specified.

Thank you so much

sgroups: comp.protocols.time.ntp
To: [EMAIL PROTECTED]
Sent: Saturday, April 14, 2007 10:00 PM
Subject: Re: [ntp:questions] Linux client ntp

>>> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Riccardo Castellani) writes:

Riccardo> 1. I thought that with "restrict default ignore" settings it was more
Riccardo> secure for the client, which will reject all packets except for server
Riccardo> A/B. At this time I suppose that the "restrict default nomodify
Riccardo> nopeer notrap noquery" setting can permit the client to
Riccardo> synchronize itself to server A/B but will not refuse those packets
Riccardo> (malicious) which could be sent from other machines (different
Riccardo> from the A/B servers). Do you agree?

What, exactly, do you mean by "reject"?

Restrict lines won't help with traffic, and other 'malicious' packets don't seem to exist.

If you are comfortable with this belief and find restrict lines are more trouble than they are worth, then don't use restrict lines and sleep well.

If you are *not* comfortable with this belief and want to use restrict lines and can spend the effort to understand them and make sure they work for you the way you want, use them and sleep well.

Riccardo> 2. "restrict default nomodify nopeer notrap noquery". According
Riccardo> to the ntpd manual, "nomodify" doesn't permit modifying the daemon state,
Riccardo> but I don't understand how ntpd can adjust the clock; that is, what's the
Riccardo> option which permits ntpd to modify the local clock time?

No, it means that *by default* ntpd will not modify its time based on what anybody tells it.

You might have refclocks and you might have certain remote peers/servers where you *do* want to let their idea of time affect yours.

Riccardo> I want my client to ask the A, B, C servers for the time, but only A, B answers
Riccardo> have privileges so that ntpd can set the local clock. Server C answers
Riccardo> must reach ntpd but not be authorized to set the local clock.

If you want default nomodify, then have different restrict lines for A and B that do not include nomodify.

Have you seen http://ntp.isc.org/Support/AccessRestrictions? Are there places in that document you think are unclear or confusing?

H
_______________________________________________
questions mailing list
[EMAIL PROTECTED]
https://lists.ntp.isc.org/mailman/listinfo/questions
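The restrict layout quoted at the top of this message can be checked mechanically. The following is an added example, not part of the original thread and not ntpd code: a simplified IPv4-only model that follows the flag descriptions in ntpd's access control documentation, where the most specific matching `restrict` entry supplies the flags for a source address. The 192.0.2.x addresses and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed ntp.conf fragment in the layout quoted in the message; the
# 192.0.2.x documentation addresses stand in for the x.y.z.w time servers.
SAMPLE_CONF = """\
restrict default ignore
restrict 127.0.0.1
server 192.0.2.10
restrict 192.0.2.10 nomodify notrap nopeer noquery
server 192.0.2.11
restrict 192.0.2.11
"""

def parse_restrict(conf):
    """Return [(network, flags)] for each IPv4 'restrict' line."""
    entries = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, rest, mask = words[1], words[2:], "255.255.255.255"
        if addr == "default":
            addr = mask = "0.0.0.0"
        if rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, frozenset(rest)))
    return entries

def flags_for(entries, source):
    """Flags of the most specific entry covering source; only that entry applies."""
    ip = ipaddress.ip_address(source)
    hits = [(net.prefixlen, flags) for net, flags in entries if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else frozenset()

def allowed(entries, source, kind):
    """kind: 'time' (NTP time packet), 'query' (read-only ntpq/ntpdc request)
    or 'modify' (ntpq/ntpdc run-time reconfiguration request).
    Models the restrict flags only (notrap/nopeer and authentication are not modelled)."""
    flags = flags_for(entries, source)
    if "ignore" in flags:
        return False            # every packet from this source is dropped
    if kind == "time":
        return "noserve" not in flags
    if "noquery" in flags:
        return False            # all ntpq/ntpdc requests denied
    return kind == "query" or "nomodify" not in flags

if __name__ == "__main__":
    acl = parse_restrict(SAMPLE_CONF)
    for src in ("127.0.0.1", "192.0.2.10", "192.0.2.11", "198.51.100.7"):
        print(src, {k: allowed(acl, src, k) for k in ("time", "query", "modify")})
```
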
