Date: Fri, 13 Apr 2001 14:28:56 -0700
From: Steve Reid <sreid@sea-to-sky.net>
To: Drew Derbyshire <software@kew.com>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd
Message-ID: <20010413142855.B88148@grok.bc.hsia.telus.net>
In-Reply-To: <004601c0c412$4ea81e70$94cba8c0@hh.kew.com>; from Drew Derbyshire on Fri, Apr 13, 2001 at 08:07:27AM -0400
References: <200104122058.f3CKwLe45352@freefall.freebsd.org> <20010413000659.A88148@grok.bc.hsia.telus.net> <004601c0c412$4ea81e70$94cba8c0@hh.kew.com>

On Fri, Apr 13, 2001 at 08:07:27AM -0400, Drew Derbyshire wrote:
> If you are using restrict, why not a simple ignore on the restrict?

Because I wasn't sure it would work properly. From the ntp.conf man
page:

    ignore  Ignore all packets from hosts which match this entry. If
            this flag is specified neither queries nor time server
            polls will be responded to.

This is why I don't grok ntp configuration. It says "Ignore all
packets". To me that means ignore all packets - including responses to
the queries that we send out. But it then explicitly lists "neither
queries nor time server polls", which doesn't sound like "all packets",
and so I am confused.

I used "noquery nomodify notrap nopeer" because it looked like they
would block off all unnecessary functionality while still allowing
responses to the queries we send out.

> Was this a recent addition to the configuration? (It is in the
> version shipped with FreeBSD 4.1)

As far as I can remember, 4.1 does not include any ntp.conf file at
all. This kind of makes sense, as NTP users are supposed to pick time
servers near to them.
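
The following is an added example, not part of the original message or of FreeBSD's ntpd: a small audit of ntp.conf `restrict` entries that reports which of the four flags named above (noquery, nomodify, notrap, nopeer) each entry lacks. The sample configuration, its host name and its addresses are constructed placeholders, and the function names are hypothetical.

```python
# Added example, not from the original message.
NAMED_FLAGS = {"noquery", "nomodify", "notrap", "nopeer"}  # flags the message lists

# Constructed sample config; host names and addresses are placeholders.
SAMPLE_CONF = """\
server ntp1.example.net
restrict default noquery nomodify notrap nopeer
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap   # LAN clients
"""

def parse_restrict(conf_text):
    """Return (key, flags) per restrict line; key is 'default', addr or addr/mask."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()          # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        address, rest = tokens[1], tokens[2:]
        mask = None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        # "default" and 0.0.0.0 mask 0.0.0.0 name the same catch-all entry.
        if address == "default" or (address, mask) == ("0.0.0.0", "0.0.0.0"):
            key = "default"
        else:
            key = address if mask is None else f"{address}/{mask}"
        entries.append((key, set(rest)))
    return entries

def audit(conf_text):
    """Map each restrict entry to the named flags it lacks (sorted list)."""
    report = {}
    for key, flags in parse_restrict(conf_text):
        # Per the man page text quoted in the message, ignore drops all
        # packets from matching hosts, so nothing further is missing.
        report[key] = [] if "ignore" in flags else sorted(NAMED_FLAGS - flags)
    # With no explicit default entry, unmatched hosts get none of the flags.
    report.setdefault("default", sorted(NAMED_FLAGS))
    return report

if __name__ == "__main__":
    for entry, missing in audit(SAMPLE_CONF).items():
        print(f"{entry}: missing {', '.join(missing) or 'nothing'}")
```

An entry that lacks flags is not necessarily a misconfiguration (the loopback entry is commonly left open for local administration); the report only shows where the named flags are and are not applied.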
