From: Tony Landells
To: Sheldon Hearn
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Tightening up ntpd
Date: Wed, 04 Jul 2001 10:42:34 +1000
Message-Id: <200107040042.KAA21733@tungsten.austclear.com.au>
In-Reply-To: Message from Sheldon Hearn of "Tue, 03 Jul 2001 11:16:56 +0200." <24350.994151816@axl.seasidesoftware.co.za>

sheldonh@starjuice.net said:
> What do I do in /etc/ntp.conf to prevent hosts other than those I list
> with "server" from changing my time? I know how to do this with a
> firewall, but get the feeling from the ntp.conf(5) manual page that it
> could be done in there.

> To be honest, the ntp.conf(5) page overwhelms me a little. :-)

There is some additional documentation at www.ntp.org. It's slightly
better than the ntp.conf man page. Slightly...

The section you want to look at in the ntp.conf man page is the one
headed "Access Control Support".

What you want to add to your ntp.conf is something like:

	# Change the default behaviour to ignore everything
	restrict 0.0.0.0 mask 0.0.0.0 ignore

	# If we want to use "ntpq", for example, we need some local access
	restrict 127.0.0.1 noserve notrap notrust

	# These are our two nameservers (provided by our ISP)
	# We query them, so they don't need much access to us...
	restrict 192.189.54.17 nomodify noquery notrap ntpport
	restrict 192.189.54.33 nomodify noquery notrap ntpport

To find out exactly what the options are, you'll need to read the man
page, but if you want to ask specific questions about what I understand
them to do, send me e-mail. Of course, I'm not a definitive source of
wisdom--for that you should go through the references at www.ntp.org.

Tony
-- 
Tony Landells
Senior Network Engineer                 Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd    Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
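
An added example, not part of the message above and not code from ntpd: a small Python audit that reads the restrict lines quoted in the message and reports what a given source address may do. The function names, the most-specific-entry-wins matching (a simplification of ntpd's sorted restrict list) and the test address 203.0.113.9 are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: the restrict lines quoted in the message above.
SAMPLE_CONF = """\
restrict 0.0.0.0 mask 0.0.0.0 ignore
restrict 127.0.0.1 noserve notrap notrust
restrict 192.189.54.17 nomodify noquery notrap ntpport
restrict 192.189.54.33 nomodify noquery notrap ntpport
"""

def parse_restrict(conf_text):
    """Return [(network, flags)] for each IPv4 'restrict' line."""
    entries = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        addr, mask, rest = words[1], "255.255.255.255", words[2:]  # bare address = one host
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, frozenset(rest)))
    return entries

def effective_flags(entries, source, sport=123):
    """Flags of the most specific entry matching source (simplified model of ntpd's
    sorted restrict list). 'ntpport' entries match only packets sent from UDP port 123."""
    ip = ipaddress.ip_address(source)
    hits = [(net.prefixlen, flags) for net, flags in entries
            if ip in net and ("ntpport" not in flags or sport == 123)]
    return max(hits, key=lambda h: h[0])[1] if hits else frozenset()

def audit(entries, source, sport=123):
    """What may this source do? notrap/notrust are not interpreted here."""
    flags = effective_flags(entries, source, sport)
    alive = "ignore" not in flags
    query = alive and "noquery" not in flags          # ntpq/ntpdc informational queries
    return {
        "time": alive and "noserve" not in flags,     # ordinary NTP time packets
        "query": query,
        "modify": query and "nomodify" not in flags,  # run-time reconfiguration requests
    }

if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_CONF)
    for src, port in [("203.0.113.9", 123), ("127.0.0.1", 123),
                      ("192.189.54.17", 123), ("192.189.54.17", 40000)]:
        print(src, port, audit(rules, src, port))
```

Because "ntpport" is a match modifier rather than a restriction, a packet from one of the listed servers that does not come from UDP port 123 falls through to the default "ignore" entry.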