Installing and Administering Internet Services

Chapter 7: Configuring NTP
Configuration
Table 7-1 Restrict Option Flags
A restriction list entry with no flags set leaves matching hosts
unrestricted. A source address of an incoming packet may match several
entries in the restriction list. The entry that matches the source address
most specifically is the entry that is applied. For example, consider the
following restriction list entries:

    restrict 193.100.0.0 mask 255.255.0.0 ignore
    restrict 193.100.10.8

The first entry causes packets from source addresses on net 193.100 to be
ignored. However, packets from host 193.100.10.8 are unrestricted, as
specified by the second entry. The two restriction list entries effectively
cause all packets from net 193.100 to be ignored, with the exception of
packets from host 193.100.10.8.

The following are examples of restriction list entries for a local host with
the address 193.100.100.7. These entries assume that ntpq requests to
the local host can be made only from the local host or the host with
address 193.8.10.1, while the local host synchronizes only to a time
source on net 193.100.

    # default entry - matches *all* source addresses
    restrict default notrust nomodify
    # trust for time, but do not allow ntpq requests
    restrict 193.100.0.0 mask 255.255.0.0 nomodify noquery
    # ignore time requests, but allow ntpq requests
    restrict 193.8.10.1 noserve

Flag      Effect
--------  ------------------------------------------------------------------
ignore    Ignore all packets.
noquery   Ignore ntpq queries.
nomodify  Ignore ntpq packets that attempt to modify the state of the server.
noserve   Ignore requests for time, but permit ntpq queries.
nopeer    Provide time service, but do not form peer association.
notrust   Do not use the host as a synchronization source.
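
The most-specific-match rule described above can be checked before a restriction list is deployed. The following is an added example, not code from this manual or from the NTP daemon: it parses restrict lines and reports which flags apply to a given source address. It assumes IPv4 addresses, contiguous masks, and that the longest mask is the most specific match; the function names and the sample source addresses are hypothetical.

```python
import ipaddress

# Restriction list from the example above for local host 193.100.100.7.
NTP_CONF = """\
# default entry - matches *all* source addresses
restrict default notrust nomodify
# trust for time, but do not allow ntpq requests
restrict 193.100.0.0 mask 255.255.0.0 nomodify noquery
# ignore time requests, but allow ntpq requests
restrict 193.8.10.1 noserve
"""

def parse_restrict(conf):
    """Return a list of (network, flags) for every restrict line."""
    entries = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments
        if not words or words[0] != "restrict":
            continue
        addr, rest = words[1], words[2:]
        if addr == "default":
            addr, mask = "0.0.0.0", "0"        # matches every source
        elif rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        else:
            mask = "255.255.255.255"           # no mask given: a single host
        net = ipaddress.ip_network(f"{addr}/{mask}")
        entries.append((net, frozenset(rest)))
    return entries

def effective_flags(entries, source):
    """Flags of the most specific matching entry; flags are not merged."""
    ip = ipaddress.ip_address(source)
    matches = [(net.prefixlen, flags) for net, flags in entries if ip in net]
    if not matches:
        return frozenset()                     # no entry matches: unrestricted
    return max(matches, key=lambda m: m[0])[1]

if __name__ == "__main__":
    entries = parse_restrict(NTP_CONF)
    # Constructed source addresses, chosen to hit each entry in turn.
    for src in ("193.100.10.8", "193.8.10.1", "10.1.2.3"):
        print(src, sorted(effective_flags(entries, src)) or "unrestricted")
```

Because only the most specific entry is applied, a host entry does not inherit the flags of the default entry: here 193.8.10.1 carries noserve alone.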