Alan Barrett <a...@netbsd.org> writes:

> If you have "restrict default nopeer noquery" (the uncommented line in
> my commit), then time service will still work, but the configured
> servers will be denied query permission.
>
> If you use "restrict default ignore", then time service does not work.

I have found the ntp restrict situation very confusing.  I think that
all we need to do is something like:

restrict default noquery nomodify notrap
restrict -6 default noquery nomodify notrap
restrict 127.0.0.1
restrict -6 ::1

and leave it at that.  The real issue is amplification via monlist.  I
don't understand the apparent leap from that to almost completely
firewalling ntp.

Why do you think the configured servers should be given query
permission?  Is that a sense of courtesy to the pool operators that they
should be able to run "ntpdc -c monlist" and "ntpq -p" at machines that
are syncing from them?
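To make the distinction between the two default settings concrete, here is a small audit script (an added example, not part of the thread or of the NetBSD commit under discussion) that parses the `restrict` lines of an ntp.conf and classifies the default restriction per address family: no default line at all, a default line that still lets mode 6/7 queries (and so monlist) through, a default of `ignore` that also stops time service, or a default carrying `noquery`. The sample configurations in the block are constructed for the example; the flag set it treats as the full hardening is the one proposed in the reply above.

```python
"""Audit ntpd 'restrict' lines for monlist amplification exposure.

Added example, not code from the NetBSD commit or the mailing list.
Assumes the ntp.conf 'restrict [-4|-6] <target> [mask <m>] <flags...>'
syntax; the sample configs at the bottom are constructed.
"""

# The flag set the reply proposes for the default entry.
HARDENING_FLAGS = ("noquery", "nomodify", "notrap")


def parse_restrict_lines(conf_text):
    """Return [(family, target, flags)] for every 'restrict' line.

    family is '4', '6', or 'both'.  'both' models ntpd versions where an
    unqualified 'restrict default' applies to IPv4 and IPv6 alike.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] != "restrict":
            continue
        family, rest = "both", words[1:]
        if rest and rest[0] in ("-4", "-6"):
            family, rest = rest[0][1], rest[1:]
        if not rest:
            continue
        target, flags, i = rest[0], set(), 1
        while i < len(rest):
            if rest[i] == "mask" and i + 1 < len(rest):
                i += 2  # netmask is part of the target, not a flag
                continue
            flags.add(rest[i])
            i += 1
        entries.append((family, target, flags))
    return entries


def audit_default_restrict(conf_text):
    """Classify the 'default' restriction for IPv4 and IPv6.

    Verdicts:
      'open'      - no default line: anyone may send ntpq/ntpdc queries
      'amplifier' - default line lacks noquery: monlist still reachable
      'ignore'    - default is 'ignore': queries blocked, but packets from
                    the configured servers are dropped too, so time
                    service stops (as the quoted message notes)
      'partial'   - noquery present but nomodify/notrap missing
      'ok'        - noquery, nomodify and notrap all present
    """
    verdict = {"4": "open", "6": "open"}
    for family, target, flags in parse_restrict_lines(conf_text):
        if target != "default":
            continue
        if "ignore" in flags:
            result = "ignore"
        elif "noquery" not in flags:
            result = "amplifier"
        elif all(f in flags for f in HARDENING_FLAGS):
            result = "ok"
        else:
            result = "partial"
        for fam in ("4", "6") if family == "both" else (family,):
            verdict[fam] = result
    return verdict


# Constructed sample configurations for the four cases.
PROPOSED_CONF = """\
restrict default noquery nomodify notrap
restrict -6 default noquery nomodify notrap
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.example.invalid
"""
AMPLIFIER_CONF = "restrict default nomodify notrap\nserver 0.pool.example.invalid\n"
IGNORE_CONF = "restrict default ignore\nrestrict 127.0.0.1\n"
OPEN_CONF = "server 0.pool.example.invalid\n"

if __name__ == "__main__":
    for name, conf in (("proposed", PROPOSED_CONF), ("amplifier", AMPLIFIER_CONF),
                       ("ignore", IGNORE_CONF), ("open", OPEN_CONF)):
        print(f"{name:10s} {audit_default_restrict(conf)}")
```

Run it against a real ntp.conf by reading the file into `audit_default_restrict`; a verdict of `amplifier` or `open` on either family is the condition the thread is about, while `ignore` reproduces the "time service does not work" case from the quoted message.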
