restrict options

smb said:

>How can I configure ntp to ensure it only serves clients on my internal
>network, whilst at the same time allowing it to sync with external
>servers? Here's my ntp.conf:
>
>restrict default noquery nomodify noserve

You should not be using 'noserve' or 'ignore', for that matter, unless
you are prepared to list every single authorized client host/subnet and
remote time server BY IP ADDRESS.

>restrict 127.0.0.1
>restrict 192.168.0.0 mask 255.255.255.0 nomodify
>server ntp0.pipex.net
>server ntp1.pipex.net
>server ntp2.pipex.net
>driftfile /etc/ntp.drift
>logfile /var/log/ntp.log

>I thought this should work, but my machine can't sync with the external
>servers.

Try this:

# Administrivia
driftfile /etc/ntp.drift
logfile /var/log/ntp.log

# Default Restriction
restrict default ignore

# Authorized Clients
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify

# Remote Time Servers (and their restrict lines)
server ntp0.pipex.net
restrict 158.43.128.33
server ntp1.pipex.net
restrict 158.43.128.66
server ntp2.pipex.net
restrict 158.43.192.66

>It works just fine if I comment out the restrict lines. I have a
>firewall/router,

Please take a look at http://ntp.isc.org/Support/AccessRestrictions

>but I have forwarded port 123 UDP to my machine.

By doing this you have made it possible for 'outsiders' to directly
contact your internal ntpd.

Your internal ntpd should be able to contact remote time servers through
your firewall/router without port forwarding, as long as port 123/UDP
is not blocked.

--
Steve Kostecke <kostecke@xxxxxxxxxxx>
NTP Public Services Project http://ntp.isc.org/
Public Key at http://ntp.isc.org/Users/SteveKostecke
_______________________________________________
questions mailing list
questions@xxxxxxxxxxxxxxxxx
https://lists.ntp.isc.org/mailman/listinfo/questions
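The failure mode Steve describes (a default restriction of `noserve` or `ignore` silently dropping the replies from the remote time servers unless each server address is explicitly allowed) is easy to check mechanically. The following lint script is an added example, not code from the original post or from the NTP project: it parses the `restrict` and `server` lines of an ntp.conf, picks the most specific matching `restrict` entry for each server address the way ntpd does (longest prefix wins, falling back to `restrict default`), and reports any server whose effective flags include `ignore` or `noserve`. Hostname resolution is replaced by a constructed table using the addresses quoted in the reply; in a real deployment you would resolve the names yourself and, as the reply says, write the `restrict` lines by IP address. The two embedded configurations are the poster's original and the corrected version from the reply.

```python
"""Lint an ntp.conf for 'server' entries that the restrict rules would block.

Added example, not ntpd code.  ntpd picks the most specific matching
'restrict' line for a source address; if none matches, 'restrict default'
applies.  'ignore' and 'noserve' both stop time packets, so a remote server
falling under such a default can never be synced with.
"""
import ipaddress

# Flags that make ntpd drop time packets from a matching source.
BLOCKING_FLAGS = {"ignore", "noserve"}


def parse_ntp_conf(text):
    """Return (default_flags, [(ip_network, flags)], [server hostnames])."""
    default_flags = set()
    restricts = []
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        kw = parts[0].lower()
        if kw == "server" and len(parts) > 1:
            servers.append(parts[1])
        elif kw == "restrict" and len(parts) > 1:
            args = parts[1:]
            if args[0] == "default":
                default_flags = set(args[1:])
                continue
            addr, flags = args[0], args[1:]
            if len(flags) >= 2 and flags[0] == "mask":
                # 'restrict NET mask MASK flags...'
                net = ipaddress.ip_network(f"{addr}/{flags[1]}", strict=False)
                flags = flags[2:]
            else:
                net = ipaddress.ip_network(addr)  # single host, /32 or /128
            restricts.append((net, set(flags)))
    return default_flags, restricts, servers


def effective_flags(ip, default_flags, restricts):
    """Flags ntpd applies to packets from 'ip': longest-prefix match, else default."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, flags in restricts:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return set(best[1]) if best else set(default_flags)


def blocked_servers(text, resolve):
    """List (host, ip, blocking flags) for every 'server' the config would block."""
    default_flags, restricts, servers = parse_ntp_conf(text)
    blocked = []
    for host in servers:
        ip = resolve(host)
        hit = effective_flags(ip, default_flags, restricts) & BLOCKING_FLAGS
        if hit:
            blocked.append((host, ip, sorted(hit)))
    return blocked


# Constructed name->address table (addresses as quoted in the reply; stands in
# for DNS so the example runs offline).
ADDRS = {
    "ntp0.pipex.net": "158.43.128.33",
    "ntp1.pipex.net": "158.43.128.66",
    "ntp2.pipex.net": "158.43.192.66",
}

# The poster's original configuration: 'noserve' on the default line.
ORIGINAL_CONF = """
restrict default noquery nomodify noserve
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify
server ntp0.pipex.net
server ntp1.pipex.net
server ntp2.pipex.net
"""

# The corrected configuration from the reply: default ignore, each server allowed by IP.
FIXED_CONF = """
restrict default ignore
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify
server ntp0.pipex.net
restrict 158.43.128.33
server ntp1.pipex.net
restrict 158.43.128.66
server ntp2.pipex.net
restrict 158.43.192.66
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(name, "blocked:", blocked_servers(conf, ADDRS.get))
```

Running it reports all three pipex servers as blocked by `noserve` for the original configuration and nothing for the corrected one; the LAN clients in 192.168.0.0/24 still get only `nomodify`, and any other outside address falls under `ignore`.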
