On Wed, Feb 15, 2012 at 08:30, Ron Frazier (NTP) <[email protected]> wrote:
> Hi all,
>
> In my research operating ntpd on Windows and Linux, I discovered that the
> default ntp.conf installed by Meinberg does not have any access
> restrictions. I think it would be a good idea to add this to your file
> unless you require more liberal access for your LAN, etc. This is the
> default setup for my Ubuntu Linux machines.
>
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
With version 4.2.5p178 and later, there's no need to repeat yourself: a single restrict default (no -4 or -6) affects both IPv4 and IPv6. Also note that the kod restriction does nothing without the limited restriction, which I highly recommend using to keep your ntpd from being useful as a reflector of traffic originated with forged source addresses belonging to the real targets. Rate-limiting processing occurs only with the limited restriction, and when the rate is exceeded there is either no response or, with the kod restriction present as well, a Kiss o' Death (useless for timekeeping, with refid RATE) is sent unless one was sent to that remote address in the last 8 seconds. This rate limiting of KoDs to once per 8 seconds again addresses the reflector issue.

> # allow unrestricted access from the localhost (so that you may monitor ntpd
> # and perform on-the-fly configuration changes with ntpdc)
> # Local users may interrogate the ntp server more closely.
> # IPv4
> restrict 127.0.0.1
> # IPv6
> restrict -6 ::1

I believe with 4.2.5p178 and later a single "restrict localhost" will do the same, subject to your system resolving localhost to both IPv4 and IPv6 addresses. With "noquery" in the default restrictions, you can verify that the restrict localhost applied to both using "ntpq -p 127.0.0.1" and "ntpq -p ::1". If one of the two does not work, you know you're getting the default restriction on that localhost address.

Alternatively, if you've configured ntpd for authenticated ntpq/ntpdc queries using "keys", "trustedkey", "requestkey" and "controlkey", you can verify the active restrictions using ntpq's reslist, or if your version of ntpq is too old to support the reslist command, ntpdc's.

Cheers,
Dave Hart
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
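The three points raised in this exchange (an ntp.conf with no default restriction at all, "kod" without "limited" being a no-op, and "noquery" by default needing a localhost restrict line so ntpq still works) can be checked mechanically against a configuration file before it is deployed. The script below is an added example, not code from the NTP project or from either poster; the function names ntp_restrict_lint and ntp_restrict_samples and the three sample ntp.conf files it writes are constructed for the demonstration. It only inspects the text of the file; verifying what the running daemon actually enforces is still done the way Dave describes, with "ntpq -p 127.0.0.1", "ntpq -p ::1" or the reslist command.

```shell
#!/bin/sh
# Lint an ntp.conf for the "restrict" pitfalls discussed in the thread.
# Added example; not code from the NTP project or from either poster.
# Checks:
#   1. no "restrict default" line at all (the Meinberg default described above);
#   2. "kod" on a default restriction without "limited" (kod is then a no-op,
#      since rate limiting, and therefore KoD, only happens with limited);
#   3. "noquery" on the default restriction with no localhost restrict line,
#      so "ntpq -p 127.0.0.1" / "ntpq -p ::1" would hit the default policy.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
ntp_restrict_lint() {
    conf=$1
    rc=0

    # restrict lines with comments stripped; "|| true" keeps the function usable under set -e
    restricts=$(sed 's/#.*//' "$conf" | grep -E '^[[:space:]]*restrict[[:space:]]' || true)
    # default restrictions, with or without -4/-6 (4.2.5p178+ needs neither)
    defaults=$(printf '%s\n' "$restricts" \
        | grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' || true)

    if [ -z "$defaults" ]; then
        echo "$conf: no 'restrict default' line; any address may query, control and peer with this ntpd"
        rc=1
    fi

    # kod without limited: no rate limiting ever triggers, so no KoD is ever sent
    kod_only=$(printf '%s\n' "$defaults" \
        | grep -E '[[:space:]]kod([[:space:]]|$)' \
        | grep -vE '[[:space:]]limited([[:space:]]|$)' || true)
    if [ -n "$kod_only" ]; then
        printf '%s\n' "$kod_only" | sed "s|^|$conf: 'kod' without 'limited' does nothing: |"
        rc=1
    fi

    # noquery by default but nothing re-opening localhost for ntpq/ntpdc
    if printf '%s\n' "$defaults" | grep -qE '[[:space:]]noquery([[:space:]]|$)'; then
        if ! printf '%s\n' "$restricts" \
            | grep -qE '[[:space:]](127\.0\.0\.1|::1|localhost)([[:space:]]|$)'; then
            echo "$conf: default is noquery but there is no 'restrict 127.0.0.1' / 'restrict ::1' / 'restrict localhost' line"
            rc=1
        fi
    fi
    return $rc
}

# Writes three constructed sample configs into a directory and prints its path.
ntp_restrict_samples() {
    dir=${1:-$(mktemp -d)}
    # Meinberg-style default as described by Ron: servers only, no restrict lines at all
    printf '%s\n' 'server 0.pool.ntp.org iburst' \
        'driftfile /var/lib/ntp/ntp.drift' > "$dir/open.conf"
    # Ron's Ubuntu lines: kod without limited, -4/-6 repeated, localhost re-opened
    printf '%s\n' 'server 0.pool.ntp.org iburst' \
        'restrict -4 default kod notrap nomodify nopeer noquery' \
        'restrict -6 default kod notrap nomodify nopeer noquery' \
        'restrict 127.0.0.1' 'restrict -6 ::1' > "$dir/kod-no-limited.conf"
    # The shape Dave recommends: one default line with limited kod, localhost re-opened
    printf '%s\n' 'server 0.pool.ntp.org iburst' \
        'restrict default limited kod notrap nomodify nopeer noquery' \
        'restrict localhost' > "$dir/hardened.conf"
    echo "$dir"
}

# Usage: lint each constructed sample and report
sampledir=$(ntp_restrict_samples)
for f in "$sampledir"/*.conf; do
    ntp_restrict_lint "$f" && echo "$f: ok"
done
rm -r "$sampledir"
```

The lint is deliberately conservative: it only flags "kod" without "limited", not "limited" without "kod", because the latter is a valid configuration (silently dropping over-rate traffic) and is what Dave's reflector argument actually depends on.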
