Alan Barrett <a...@netbsd.org> writes:

> If you have "restrict default nopeer noquery" (the uncommented line in
> my commit), then time service will still work, but the configured
> servers will be denied query permission.
>
> If you use "restrict default ignore", then time service does not work.

I have found the ntp restrict situation very confusing. I think that all we need to do is something like:

    restrict default noquery nomodify notrap
    restrict -6 default noquery nomodify notrap
    restrict 127.0.0.1
    restrict -6 ::1

and leave it at that. The real issue is amplification via monlist. I don't understand the apparent leap from that to almost completely firewalling ntp.

Why do you think the configured servers should be given query permission? Is that a sense of courtesy to the pool operators that they should be able to run "ntpdc -c monlist" and "ntpq -p" at machines that are syncing from them?
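
An added example, not part of the original message or of NetBSD's shipped ntp.conf: a small Python audit that evaluates restrict lines and reports whether a given source address would have ntpq/ntpdc queries (monlist included) answered, and whether it would still get time service. It assumes numeric addresses only, that the most specific matching entry wins, and that a bare "restrict default" covers IPv4 only, as the separate -6 line in the message implies; all function names are hypothetical.

```python
import ipaddress

# Constructed input: the four restrict lines proposed in the message above.
PROPOSED = """\
restrict default noquery nomodify notrap
restrict -6 default noquery nomodify notrap
restrict 127.0.0.1
restrict -6 ::1
"""

def parse_restrict(conf):
    """Return [(network, flags)] for numeric restrict lines (simplified grammar)."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok, v6 = tok[1:], False
        if tok[0] in ("-4", "-6"):
            v6, tok = tok[0] == "-6", tok[1:]
        if not tok:
            continue
        addr, rest = tok[0], tok[1:]
        try:
            if addr == "default":
                net = ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")
            else:
                ip = ipaddress.ip_address(addr)
                plen = ip.max_prefixlen
                if rest[:1] == ["mask"] and len(rest) >= 2:
                    plen = bin(int(ipaddress.ip_address(rest[1]))).count("1")
                    rest = rest[2:]
                net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        except ValueError:
            continue  # host names and keywords such as "source" are out of scope
        rules.append((net, set(rest)))
    return rules

def effective_flags(conf, source):
    """Flags of the most specific matching entry; no match means no restrictions."""
    ip = ipaddress.ip_address(source)
    match = [(n.prefixlen, f) for n, f in parse_restrict(conf)
             if n.version == ip.version and ip in n]
    return max(match, key=lambda m: m[0])[1] if match else set()

def answers_queries(conf, source):
    """True if ntpq/ntpdc queries (monlist included) from source are answered."""
    return not ({"noquery", "ignore"} & effective_flags(conf, source))

def serves_time(conf, source):
    """True if time requests from source are not dropped outright."""
    return "ignore" not in effective_flags(conf, source)
```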