On 2007-04-15, Harlan Stenn <[EMAIL PROTECTED]> wrote:
>Ricardo Castellani said:
>
>> IPv4: restrict x.y.z.w [nomodify notrap nopeer noquery]

<snip>

>> I don't understand because there also is "nomodify" option inside brackets.
>> If added "nomodify" option (as I told you in previous message) I think it
>> would not be permitted to ntpd to use time information (sent from specified
>> "x.y.z.w" server) to set local clock. If I want to receive time from
>> external servers I presume that ntpd can be modified from those servers.
>> Do you agree ?

No, 'nomodify' has nothing to do with time service.

According to the distribution documentation at
http://www.eecis.udel.edu/~mills/ntp/html/accopt.html:

nomodify -- "Deny ntpq and ntpdc queries which attempt to modify the
state of the server (i.e., run time reconfiguration). Queries which
return information are permitted."

According to the 'Access Control Options' section of
Support.AccessRestrictions (ironically not far below the section you
cited):

nomodify -- "Do not allow this host/subnet to modify the ntpd settings
even if they have the correct keys." By default ntpd requires
authentication with symmetric keys for modifications made with ntpdc.
So if you don't configure symmetric keys for your ntpd, or keep them
properly safeguarded, you don't need to use 'nomodify' unless you are
concerned that the NTP authentication scheme might be compromised."

> Yes. Sometimes people want to use a server for *tracking* purposes only
> but they do not want to accept time from that server.

The correct configuration keyword for this purpose is 'noselect'.

> The 'nomodify' parameter is one of the optional bits.

The restrictions that are included in the brackets (as quoted above) are
the maximum restrictions that may be used without impeding time service.

> I'm wondering if it would be better to put some/each of those keywords
> in separate [] blocks.

No.

--
Steve Kostecke <[EMAIL PROTECTED]>
NTP Public Services Project - http://ntp.isc.org/
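
The check below is an added example, not part of the original message or of the NTP distribution. It audits ntp.conf text for time sources whose `restrict` flags go beyond the four flags the reply names as the maximum that does not impede time service, and lists sources marked `noselect`. The function names, the sample config and its addresses are constructed, and it assumes exact address matching with no `-4`/`-6` prefixes or subnet logic.

```python
# Flags the reply names as the maximum restrictions that do not impede time service.
SAFE_FOR_TIME_SOURCE = {"nomodify", "notrap", "nopeer", "noquery"}

# Constructed sample config; addresses are documentation-range placeholders.
SAMPLE_CONF = """\
server 192.0.2.10
server 192.0.2.20 noselect   # tracked only, never selected for sync
server 192.0.2.30
restrict default nomodify notrap nopeer noquery
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 192.0.2.30 ignore
restrict 127.0.0.1
"""

def parse(conf):
    """Return ({server: options}, {address: restrict flags}) from ntp.conf text."""
    servers, restricts = {}, {}
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        keyword, addr, rest = fields[0], fields[1], fields[2:]
        if keyword == "server":
            servers[addr] = set(rest)
        elif keyword == "restrict":
            if rest[:1] == ["mask"]:            # skip "mask <netmask>"
                rest = rest[2:]
            restricts[addr] = set(rest)
    return servers, restricts

def audit(conf):
    """Return a sorted list of (address, finding) tuples for configured servers."""
    servers, restricts = parse(conf)
    findings = []
    for addr, opts in servers.items():
        # Assumption: an address without its own entry inherits "restrict default".
        flags = restricts.get(addr, restricts.get("default", set()))
        extra = flags - SAFE_FOR_TIME_SOURCE
        if extra:
            findings.append((addr, "flags beyond the safe set: " + " ".join(sorted(extra))))
        if "noselect" in opts:
            findings.append((addr, "noselect: tracked but not used for time"))
    return sorted(findings)

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_CONF):
        print(addr, "-", finding)
```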
