Steve wrote:
> "A properly chosen default restriction will, in many circumstances,
> eliminate the need to clutter your ntp.conf file with redundant restrict
> lines."

Agreed. The ability to do queries is important if you are not sure whether you can trust the ntpd server (i.e. unauthenticated time servers on the internet).

But some of the ntp.conf files that I have seen use "restrict default nomodify nopeer notrap". In my view, this is a sensible default restrict line. It lets others do queries on your ntpd server but not set traps (which is probably only useful for debugging purposes and may increase load on your ntpd server significantly). It also prevents others from doing run-time modifications to your server. Another sensible restriction.

But if you wanted to really lock down your company's ntpd server on a corporate LAN, one could use "restrict default nomodify nopeer noquery". I suspect the noquery would also block traps. I am not sure. Under this situation, one could use ntp authentication on the LAN to help ensure trustworthiness of the time source.

Rob
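Added example, not part of the post above or of the NTP project's code: a small check that reads an ntp.conf and reports which of the flags discussed in this thread are missing from each "restrict default" line. The sample configuration, the server name and the function names are constructed for illustration.

```python
# Baseline from the thread: queries allowed, no run-time changes, peers or traps.
BASELINE = frozenset({"nomodify", "nopeer", "notrap"})
# Stricter LAN variant from the thread additionally refuses queries.
LOCKED_DOWN = BASELINE | {"noquery"}

# Constructed sample ntp.conf (not taken from the thread).
SAMPLE_CONF = """\
# constructed example
driftfile /var/lib/ntp/drift
restrict default nomodify nopeer notrap
restrict -6 default nomodify nopeer   # notrap forgotten for IPv6
restrict 127.0.0.1
server ntp.example.com iburst
"""

def default_restricts(conf_text):
    """Return (line_no, family, flags) for every 'restrict [-4|-6] default' line."""
    found = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if not tokens or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        family = "any"
        if args and args[0] in ("-4", "-6"):
            family = args.pop(0)
        if args and args[0] == "default":
            found.append((line_no, family, set(args[1:])))
    return found

def audit(conf_text, required=BASELINE):
    """Return (line_no, family, missing_flags) for each too-permissive default line.

    Line number 0 means the file has no 'restrict default' line at all.
    """
    entries = default_restricts(conf_text)
    if not entries:
        return [(0, "any", sorted(required))]
    findings = []
    for line_no, family, flags in entries:
        if "ignore" in flags:        # 'ignore' already denies every packet
            continue
        missing = sorted(set(required) - flags)
        if missing:
            findings.append((line_no, family, missing))
    return findings

if __name__ == "__main__":
    for line_no, family, missing in audit(SAMPLE_CONF):
        print(f"line {line_no} ({family}): missing {' '.join(missing)}")
```

Pass `required=LOCKED_DOWN` to check against the stricter corporate-LAN line instead of the baseline.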
