Semi-urgent: Disable NTP replies?
Darren Pilgrim
list_freebsd at bluerosetech.com
Tue Feb 18 23:18:24 UTC 2014
On 2/18/2014 3:08 PM, Ronald F. Guilmette wrote:
>
> OK, so I _partially_ answered my own question, just by doing what I should
> have done to begin with, i.e. perusing my current /etc/ntp.conf file.
>
[...]
> server 0.freebsd.pool.ntp.org iburst
> server 1.freebsd.pool.ntp.org iburst
> server 2.freebsd.pool.ntp.org iburst
[...]
> #restrict 0.pool.ntp.org nomodify nopeer noquery notrap
> #restrict 1.pool.ntp.org nomodify nopeer noquery notrap
> #restrict 2.pool.ntp.org nomodify nopeer noquery notrap
[...]
>
> Am I the only guy in the universe who has noticed that the specific host
> names in that lower (security) part do not match the ones in the upper
> part?
No.
> Is this going to be a problem?
Yes, because there's no guarantee 0.freebsd.pool and 0.pool will have
the same set of addresses. In fact, it's pretty much guaranteed they
will never have the same set since the vast majority of pool servers are
not running FreeBSD. You can use DNS names in restrict lines, but the
default configuration is only necessary because it includes the "ignore"
keyword in the default restrictions. If you instead use "kod nomodify
nopeer noquery notrap" or "nomodify nopeer noquery notrap" and a
firewall rule preventing unsolicited udp/123, you get the same result
without worrying about whether or not you just configured ntpd to ignore
replies to its own servers.
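The mismatch Darren describes (server lines under *.freebsd.pool.ntp.org, restrict lines under *.pool.ntp.org, and a default restriction that leaves queries open) is easy to catch mechanically. The following audit script is an added example, not something from the thread or the FreeBSD project; it parses a constructed ntp.conf fragment that mirrors the one quoted above and flags a "restrict default" without "noquery"/"ignore" as well as restrict lines that name hosts no server line uses. The parser only understands the keywords shown (server/peer/pool, restrict with optional -4/-6 and mask), which is an assumption made here to keep it short.

```python
"""Audit an ntp.conf for the restrict/server mismatch discussed in the thread."""

# Constructed sample, not a real host's file: servers come from
# *.freebsd.pool.ntp.org while the only active restrict-by-name line uses
# *.pool.ntp.org, and the default restriction is missing "noquery".
SAMPLE_NTP_CONF = """\
# constructed example ntp.conf
restrict default kod nomodify nopeer notrap
restrict 127.0.0.1
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
"""

# Constructed hardened variant following the reply: a restrictive default
# (with kod and noquery) plus loopback exceptions, no per-host restrict lines.
HARDENED_NTP_CONF = """\
restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
"""

# Either flag stops ntpd answering ntpq/ntpdc control queries from a source.
QUERY_BLOCKERS = {"ignore", "noquery"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ntp_conf(text):
    """Return (server_names, [(restrict_target, flag_set), ...])."""
    servers, restricts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("server", "peer", "pool") and len(tokens) > 1:
            servers.append(tokens[1])
        elif tokens[0] == "restrict" and len(tokens) > 1:
            args = tokens[1:]
            if args[0] in ("-4", "-6"):  # address-family selector
                args = args[1:]
            target, rest = args[0], args[1:]
            if len(rest) >= 2 and rest[0] == "mask":  # "restrict A mask M flags"
                rest = rest[2:]
            restricts.append((target, set(rest)))
    return servers, restricts


def audit(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    defaults = [flags for target, flags in restricts if target == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: all sources are unrestricted")
    for flags in defaults:
        if not flags & QUERY_BLOCKERS:
            findings.append("restrict default lacks noquery/ignore: "
                            "control queries are answered from any source")
    for target, flags in restricts:
        if target == "default" or target in LOOPBACK:
            continue
        if target not in servers:
            findings.append(f"restrict {target} matches no configured server "
                            f"(servers: {', '.join(servers)})")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_NTP_CONF), ("hardened", HARDENED_NTP_CONF)):
        print(f"== {name} ==")
        for finding in audit(conf) or ["ok"]:
            print(" -", finding)
```

Run it against a real /etc/ntp.conf by passing the file's contents to audit(). The script covers only the ntpd side of the reply; the firewall rule that drops unsolicited inbound udp/123 while letting replies to the host's own queries through is a separate pf or ipfw rule and is not checked here.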
More information about the freebsd-questions
mailing list