Date: Tue, 18 Feb 2014 15:08:35 -0800
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: freebsd-questions@freebsd.org
Subject: Re: Semi-urgent: Disable NTP replies?
Message-ID: <2657.1392764915@server1.tristatelogic.com>

OK, so I _partially_ answered my own question, just by doing what I should have done to begin with, i.e. perusing my current /etc/ntp.conf file.

It contains the following, but this STILL doesn't really answer my question:

==========================================================================
...
# The following three servers will give you a random set of three
# NTP servers geographically close to you.
# See http://www.pool.ntp.org/ for details. Note, the pool encourages
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
#
# The option `iburst' is used for faster initial synchronisation.
#
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
...
# Security: Only accept NTP traffic from the following hosts.
# The following configuration example only accepts traffic from the
# above defined servers.
#
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
# (This is the reason that by default they are commented out)
#
#restrict default ignore
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#restrict 127.0.0.1
#restrict -6 ::1
#restrict 127.127.1.0
...
==========================================================================

OK, good. So I have a way of telling ntpd not to accept queries from anyplace other than a set of specific hosts... which can be specified either by name or by IP address.

That's swell, HOWEVER...

Am I the only guy in the universe who has noticed that the specific host names in that lower (security) part do not match the ones in the upper part? Is this going to be a problem?

Should I uncomment that whole "security" section AND also change the specific host names mentioned in there so that they match the ones above... you know... the names of the actual servers that I am drawing time data from?
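The mismatch the message points out can be checked mechanically. The following is an added example, not part of the original message or of FreeBSD's shipped configuration: it cross-checks the hosts on `server` lines against the hosts named on `restrict` lines, whether active or commented out. The function names are hypothetical, and the sample input is constructed from the excerpt quoted in the message.

```python
import ipaddress
import re

# Constructed sample: the active and commented-out lines from the excerpt
# quoted in the message, with the elided ("...") parts left out.
SAMPLE_NTP_CONF = """\
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
#restrict default ignore
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#restrict 127.0.0.1
#restrict -6 ::1
#restrict 127.127.1.0
"""

# Assumption: "#restrict ..." (no space after '#') is a disabled directive.
DIRECTIVE = re.compile(r"^\s*(#?)(server|restrict)\s+(.+)$")

def is_ip_literal(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_ntp_conf(text):
    """Hypothetical helper: cross-check 'server' hosts against 'restrict' hosts."""
    servers, restrict_names, default_active = set(), set(), False
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        disabled, keyword = m.group(1) == "#", m.group(2)
        # Drop address-family selectors such as "-6" before taking the host.
        args = [a for a in m.group(3).split() if a not in ("-4", "-6")]
        if not args:
            continue
        host = args[0]
        if keyword == "server" and not disabled:
            servers.add(host)
        elif keyword == "restrict" and host == "default":
            default_active = default_active or not disabled
        elif keyword == "restrict" and not is_ip_literal(host):
            restrict_names.add(host)  # named host, active or commented out
    return {
        "default_restrict_active": default_active,
        "servers_without_restrict": sorted(servers - restrict_names),
        "restrict_names_not_servers": sorted(restrict_names - servers),
    }
```
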