From owner-freebsd-questions@FreeBSD.ORG Tue Feb 18 23:18:24 2014
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 478759DA; Tue, 18 Feb 2014 23:18:24 +0000 (UTC)
Received: from luigi.brtsvcs.net (luigi.brtsvcs.net [IPv6:2607:fc50:1000:1f00::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 24B9E1210; Tue, 18 Feb 2014 23:18:24 +0000 (UTC)
Received: from chombo.houseloki.net (unknown [IPv6:2601:7:880:bd0:21c:c0ff:fe7f:96ee]) by luigi.brtsvcs.net (Postfix) with ESMTPSA id 74A632D4FD4; Tue, 18 Feb 2014 15:18:22 -0800 (PST)
Received: from [IPv6:2601:7:880:bd0:4dc6:fe9a:fceb:5eeb] (unknown [IPv6:2601:7:880:bd0:4dc6:fe9a:fceb:5eeb]) by chombo.houseloki.net (Postfix) with ESMTPSA id 435C22FC; Tue, 18 Feb 2014 15:18:20 -0800 (PST)
Message-ID: <5303EA40.4050606@bluerosetech.com>
Date: Tue, 18 Feb 2014 15:18:24 -0800
From: Darren Pilgrim
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: "Ronald F. Guilmette", freebsd-questions@freebsd.org
Subject: Re: Semi-urgent: Disable NTP replies?
References: <2657.1392764915@server1.tristatelogic.com>
In-Reply-To: <2657.1392764915@server1.tristatelogic.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: User questions
X-List-Received-Date: Tue, 18 Feb 2014 23:18:24 -0000

On 2/18/2014 3:08 PM, Ronald F. Guilmette wrote:
>
> OK, so I _partially_ answered my own question, just by doing what I should
> have done to begin with, i.e. perusing my current /etc/ntp.conf file.
> [...]
> server 0.freebsd.pool.ntp.org iburst
> server 1.freebsd.pool.ntp.org iburst
> server 2.freebsd.pool.ntp.org iburst
> [...]
> #restrict 0.pool.ntp.org nomodify nopeer noquery notrap
> #restrict 1.pool.ntp.org nomodify nopeer noquery notrap
> #restrict 2.pool.ntp.org nomodify nopeer noquery notrap
> [...]
>
> Am I the only guy in the universe who has noticed that the specific host
> names in that lower (security) part do not match the ones in the upper
> part?

No.

> Is this going to be a problem?

Yes, because there's no guarantee 0.freebsd.pool and 0.pool will have the
same set of addresses.  In fact, it's pretty much guaranteed they will
never have the same set since the vast majority of pool servers are not
running FreeBSD.

You can use DNS names in restrict lines, but the default configuration
is only necessary because it includes the "ignore" keyword in the default
restrictions.  If you instead use "kod nomodify nopeer noquery notrap" or
"nomodify nopeer noquery notrap" and a firewall rule preventing
unsolicited udp/123, you get the same result without worrying about
whether or not you just configured ntpd to ignore replies to its own
servers.
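The two failure modes the thread turns on are mechanical enough to check by script: a `restrict` line whose hostname does not correspond to any `server` line, and a `restrict default ignore` policy that makes such per-server lines mandatory in the first place. The following POSIX sh script is an added example, not code from the thread or from FreeBSD's ntp.conf; both embedded configs are constructed here (the first mirrors the quoted file with its `#restrict` lines uncommented so the mismatch actually takes effect, the second applies the alternative Darren describes). The `restrict`, `server`, `peer`, `pool`, `default`, `-4`/`-6` and `source` tokens are real ntpd configuration keywords; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ntp.conf for restrict
# hostnames that match no server line, and report the default restrict
# policy. Sample configs below are constructed for this example.

# Constructed: the quoted ntp.conf with its restrict lines uncommented,
# so the 0.pool vs 0.freebsd.pool mismatch is live.
MISMATCHED_CONF='server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
restrict default ignore
restrict 127.0.0.1
restrict 0.pool.ntp.org nomodify nopeer noquery notrap
restrict 1.pool.ntp.org nomodify nopeer noquery notrap
restrict 2.pool.ntp.org nomodify nopeer noquery notrap'

# Constructed: same servers, default policy per Darren's reply. Replies
# to our own queries are no longer dropped, so no per-server restrict
# lines are needed and nothing can drift out of sync with the server list.
HARDENED_CONF='server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1'

# Read ntp.conf text on stdin; print, sorted one per line, each hostname in
# a "restrict" line with no matching server/peer/pool line. Literal
# addresses and the "default"/"source" targets are not hostnames and are skipped.
unmatched_restricts() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "server" || $1 == "peer" || $1 == "pool" { servers[$2] = 1 }
        $1 == "restrict" {
            h = $2
            if (h == "-4" || h == "-6") h = $3   # skip address-family flag
            if (h == "default" || h == "source") next
            if (h ~ /^[0-9.:]+$/) next           # literal IPv4/IPv6 address
            restricts[h] = 1
        }
        END { for (h in restricts) if (!(h in servers)) print h }
    ' | sort
}

# Read ntp.conf text on stdin; print the flags of the IPv4 "restrict default"
# line. "ignore" is the policy that makes per-server restrict lines mandatory.
default_restrict_flags() {
    awk '
        { sub(/#.*/, "") }
        $1 == "restrict" && $2 == "default" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }
    '
}

# Stand-alone run: report on both constructed configs.
for name in MISMATCHED_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    echo "== $name =="
    echo "default policy: $(printf '%s\n' "$conf" | default_restrict_flags)"
    bad=$(printf '%s\n' "$conf" | unmatched_restricts)
    if [ -n "$bad" ]; then
        echo "restrict names with no matching server line:"
        printf '  %s\n' $bad
    else
        echo "every restrict hostname matches a server line"
    fi
done
```

Run it against a real file with `unmatched_restricts < /etc/ntp.conf` after sourcing the script. The hardened config relies on the firewall to do what `ignore` did: with pf, for example (an assumed ruleset, `$ext_if` being a placeholder macro), `block in quick on $ext_if proto udp from any to any port 123` together with `pass out on $ext_if proto udp from any to any port 123 keep state` drops unsolicited udp/123 while the state entry created by ntpd's own outgoing query still admits the reply; `noquery` in the default restriction meanwhile stops ntpd answering ntpq/ntpdc control queries from anyone.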