Date: Tue, 18 Feb 2014 15:18:24 -0800
From: Darren Pilgrim <list_freebsd@bluerosetech.com>
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>, freebsd-questions@freebsd.org
Subject: Re: Semi-urgent: Disable NTP replies?
Message-ID: <5303EA40.4050606@bluerosetech.com>
In-Reply-To: <2657.1392764915@server1.tristatelogic.com>
References: <2657.1392764915@server1.tristatelogic.com>
On 2/18/2014 3:08 PM, Ronald F. Guilmette wrote:
>
> OK, so I _partially_ answered my own question, just by doing what I should
> have done to begin with, i.e. perusing my current /etc/ntp.conf file.
> [...]
> server 0.freebsd.pool.ntp.org iburst
> server 1.freebsd.pool.ntp.org iburst
> server 2.freebsd.pool.ntp.org iburst
[...]
> #restrict 0.pool.ntp.org nomodify nopeer noquery notrap
> #restrict 1.pool.ntp.org nomodify nopeer noquery notrap
> #restrict 2.pool.ntp.org nomodify nopeer noquery notrap
[...]
>
> Am I the only guy in the universe who has noticed that the specific host
> names in that lower (security) part do not match the ones in the upper
> part?

No.

> Is this going to be a problem?

Yes, because there's no guarantee 0.freebsd.pool and 0.pool will have the same set of addresses. In fact, it's pretty much guaranteed they will never have the same set, since the vast majority of pool servers are not running FreeBSD.

You can use DNS names in restrict lines, but the default configuration is only necessary because it includes the "ignore" keyword in the default restrictions. If you instead use "kod nomodify nopeer noquery notrap" or "nomodify nopeer noquery notrap" and a firewall rule preventing unsolicited udp/123, you get the same result without worrying about whether or not you just configured ntpd to ignore replies to its own servers.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5303EA40.4050606>
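As an added illustration of the mismatch Darren describes (this is example code written for this page, not something posted in the thread and not part of ntpd), the script below parses a minimal ntp.conf and flags two things: servers whose replies would be dropped because "restrict default ignore" is in effect and no restrict line names them, and restrict lines that name a host no server line uses. The two configurations are constructed for the example; the "weak" one mirrors the pool-name mismatch quoted above with the restrict lines uncommented and an "ignore" default, the "fixed" one uses the flag set the reply recommends. The pf rules in PF_RULES are my reading of the "firewall rule preventing unsolicited udp/123" suggestion and are an assumption, not part of the thread.

```python
"""Lint ntp.conf server/restrict lines for the pool-name mismatch.

Added example for this page; not code from the thread or from ntpd.
Assumes the ntp.conf syntax 'server <host> [opts]' and
'restrict [-4|-6] <default|addr|host> [mask m] [flags...]'.
"""

# Constructed config modelled on the thread: server names and restrict
# names disagree, and 'restrict default ignore' drops everything else.
WEAK_CONF = """
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
restrict default ignore
restrict 0.pool.ntp.org nomodify nopeer noquery notrap
restrict 1.pool.ntp.org nomodify nopeer noquery notrap
restrict 2.pool.ntp.org nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
"""

# Constructed config using the flag set the reply recommends: replies to
# our own requests are accepted, while queries, modification, trap
# service and unsolicited peering are refused for everyone else.
FIXED_CONF = """
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
restrict default kod nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
"""

# Assumed pf(4) companion rules (not from the thread): state created by the
# outbound rule lets server replies in; anything else to udp/123 is blocked.
PF_RULES = """
block in quick proto udp from any to any port 123
pass out quick proto udp from any to any port 123 keep state
"""


def parse_ntp_conf(text):
    """Return (servers, restricts): server names in order, and a dict of
    restrict target -> set of flags, with '-4/-6' and 'mask X' stripped."""
    servers = []
    restricts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        kw, args = parts[0], parts[1:]
        if kw in ("server", "peer", "pool") and args:
            servers.append(args[0])
        elif kw == "restrict" and args:
            if args[0] in ("-4", "-6"):
                args = args[1:]
            if not args:
                continue
            target, flags = args[0], args[1:]
            if flags[:1] == ["mask"]:  # 'mask <netmask>' consumes one token
                flags = flags[2:]
            restricts.setdefault(target, set()).update(flags)
    return servers, restricts


def lint(text):
    """Return a list of human-readable findings; empty means no mismatch."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    if "ignore" in restricts.get("default", set()):
        for host in servers:
            if host not in restricts:
                findings.append(
                    f"server {host}: 'restrict default ignore' is in effect and "
                    f"no restrict line names {host}; its replies will be dropped")
    for target in restricts:
        # Hostnames contain letters; literal addresses such as 127.0.0.1
        # and ::1 do not, and 'default' is the catch-all entry.
        if target == "default" or not any(c.isalpha() for c in target):
            continue
        if target not in servers:
            findings.append(
                f"restrict {target}: no server line uses this name, so this "
                f"restriction matches none of the configured servers")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for f in lint(conf) or ["ok: server and restrict lines agree"]:
            print(" ", f)
```

Run it as-is and the weak configuration produces six findings (three servers whose replies would be ignored, three restrict lines that match no server), while the fixed one produces none; the script only checks names, not what those names resolve to, which is the deeper reason the reply prefers a permissive default plus a firewall rule over per-host restrict lines.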