HP-UX Internet Services Administrator's Guide (May 2010)

Table 4-6 Restrict Option Flags (continued)

Flag      Effect
nopeer    Provide time service, but do not form peer association.
notrust   Do not use the host as a synchronization source.

A restriction list entry with no flags set leaves matching hosts unrestricted. The
source address of an incoming packet may match several entries in the restriction list.
The entry that matches the source address most specifically is the entry that is applied.
For example, consider the following restriction list entries:
restrict 193.100.0.0 mask 255.255.0.0 ignore
restrict 193.100.10.8
The first entry causes packets from source addresses on net 193.100 to be ignored.
However, packets from host 193.100.10.8 are unrestricted, as specified by the second
entry. The two restriction list entries effectively cause all packets from net 193.100 to
be ignored, with the exception of packets from host 193.100.10.8.
To block connections from all unauthorized hosts, use the following default restrict
clause:
restrict default ignore
This entry restricts all packets from all source addresses. If the above clause is used,
the following entry should be added to allow unrestricted access from the local host:
restrict 127.0.0.1
The resulting entries in the /etc/ntp.conf file look as follows:
restrict default ignore
restrict 127.0.0.1
The first entry restricts all packets, while the second entry provides unrestricted access
from the local host. The two restriction list entries effectively cause all packets to be
ignored, with the exception of packets from the local host.
This implies that whenever ‘restrict default ignore’ is used, a restrict line for every
authorized server has to be added to the /etc/ntp.conf file.
The following are examples of restriction list entries for a local host with the address
193.100.100.7. These entries assume that ntpq requests to the local host can be made
only from the local host or the host with address 193.8.10.1, while the local host only
synchronizes to a time source on net 193.100.
#default entry - matches *all* source addresses
restrict default notrust nomodify
#trust for time, but do not allow ntpq requests
restrict 193.100.0.0 mask 255.255.0.0 nomodify noquery
#ignore time requests, but allow ntpq requests
restrict 193.8.10.1 noserve
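
The following Python sketch is an added example, not part of the HP guide and not ntpd's own code. It models the most-specific-match rule described above as a longest-mask lookup so that a restriction list can be checked before it is deployed; the names parse_restrict, effective_flags and PAGE_EXAMPLE are hypothetical.

```python
import ipaddress

# Constructed sample input: the page's final example entries for host 193.100.100.7.
PAGE_EXAMPLE = """\
#default entry - matches *all* source addresses
restrict default notrust nomodify
restrict 193.100.0.0 mask 255.255.0.0 nomodify noquery
restrict 193.8.10.1 noserve
"""

def parse_restrict(conf_text):
    """Parse 'restrict' lines of an ntp.conf fragment into (network, flags) pairs."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments, then tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        addr, rest = tokens[1], tokens[2:]
        if addr == "default":                      # default matches every source
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            mask = "255.255.255.255"               # no mask given: a single host
            if rest[:1] == ["mask"] and len(rest) >= 2:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, frozenset(rest)))
    return entries

def effective_flags(entries, source):
    """Flags of the most specific entry matching source; None if nothing matches.

    An empty set means the host is unrestricted (an entry with no flags).
    Assumption: "most specific" is modelled as the longest matching mask.
    """
    ip = ipaddress.ip_address(source)
    matches = [(net.prefixlen, flags) for net, flags in entries if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0])[1]

if __name__ == "__main__":
    entries = parse_restrict(PAGE_EXAMPLE)
    for src in ("193.100.5.5", "193.8.10.1", "10.1.1.1"):
        print(src, sorted(effective_flags(entries, src)))
```

Run against the final example, a host on net 193.100 resolves to nomodify noquery, 193.8.10.1 to noserve, and every other source falls through to the default notrust nomodify.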
Advanced NTP Topics 67