From: "Ronald F. Guilmette"
To: freebsd-questions@freebsd.org
Subject: Re: Semi-urgent: Disable NTP replies?
Date: Tue, 18 Feb 2014 15:08:35 -0800
Message-ID: <2657.1392764915@server1.tristatelogic.com>

OK, so I _partially_ answered my own question, just by doing what I should
have done to begin with, i.e. perusing my current /etc/ntp.conf file.

It contains the following, but this STILL doesn't really answer my question:

==========================================================================
...
# The following three servers will give you a random set of three
# NTP servers geographically close to you.
# See http://www.pool.ntp.org/ for details. Note, the pool encourages
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
#
# The option `iburst' is used for faster initial synchronisation.
#
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
...
# Security: Only accept NTP traffic from the following hosts.
# The following configuration example only accepts traffic from the
# above defined servers.
#
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
# (This is the reason that by default they are commented out)
#
#restrict default ignore
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#restrict 127.0.0.1
#restrict -6 ::1
#restrict 127.127.1.0
...
==========================================================================

OK, good. So I have a way of telling ntpd not to accept queries from
anyplace other than a set of specific hosts... which can be specified
either by name or by IP address. That's swell, HOWEVER...

Am I the only guy in the universe who has noticed that the specific host
names in that lower (security) part do not match the ones in the upper
part? Is this going to be a problem?

Should I uncomment that whole "security" section AND also change the
specific host names mentioned in there so that they match the ones
above... you know... the names of the actual servers that I am drawing
time data from?
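The mismatch the post asks about can be checked mechanically. The POSIX sh script below is an added example, not part of Ronald's message or of the FreeBSD ntp.conf template: it extracts the hosts on `server` lines and on `restrict` lines, reports the servers that would have no matching `restrict` entry once `restrict default ignore` is uncommented, and contrasts that with a second constructed config that uses a restrictive default (`kod nomodify notrap nopeer noquery`) instead of per-server entries, so time replies from the configured servers still get through while ntpq/ntpdc control queries from anyone are refused. Both config strings are constructed samples. One caveat the file's own comment already states: the audit only tests for a literal name match, and for pool.ntp.org names even a matching `restrict` line does not work because the names resolve to several A records.

```shell
#!/bin/sh
# Added example, not from the original post: audit an ntp.conf for
# "server" hosts that lack a matching "restrict" line, which matters
# as soon as "restrict default ignore" is active. Sample configs are
# constructed to mirror the shape of the posted /etc/ntp.conf.

# Constructed: security section uncommented as-is, names do not line up.
SAMPLE_CONF='# constructed sample
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
restrict default ignore
restrict 0.freebsd.pool.ntp.org nomodify nopeer noquery notrap
restrict 1.pool.ntp.org nomodify nopeer noquery notrap
restrict 2.pool.ntp.org nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
'

# Constructed: no per-server restrict lines; a restrictive default that
# still allows time exchange with our own upstreams. "noquery" refuses
# ntpq/ntpdc control traffic (the amplification vector), not time packets.
HARDENED_CONF='# constructed sample
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
'

# Hostnames from "server" lines; comment lines start with "#" and never match.
ntp_servers() {
    printf '%s' "$1" | awk '$1 == "server" { print $2 }'
}

# Hosts named on "restrict" lines, skipping the "default" keyword,
# loopback, and the 127.127.x.x reference-clock pseudo-addresses.
ntp_restrict_hosts() {
    printf '%s' "$1" | awk '
        $1 == "restrict" {
            h = $2
            if (h == "-4" || h == "-6") h = $3
            if (h != "default" && h != "127.0.0.1" && h != "::1" && h !~ /^127\.127\./)
                print h
        }'
}

# Flags on the "restrict [-4|-6] default" line(s), one flag per output line.
ntp_default_flags() {
    printf '%s' "$1" | awk '
        $1 == "restrict" {
            i = 2
            if ($2 == "-4" || $2 == "-6") i = 3
            if ($i == "default") for (j = i + 1; j <= NF; j++) print $j
        }'
}

# Servers with no restrict line of their own. Under "restrict default
# ignore" these are the upstreams ntpd will refuse to exchange time with.
ntp_unrestricted_servers() {
    conf="$1"
    for s in $(ntp_servers "$conf"); do
        ntp_restrict_hosts "$conf" | grep -qx "$s" || echo "$s"
    done
}

# Verdict: "broken" = default is ignore but some server is unlisted,
# "ok" = every server listed or a noquery default, "open" = no default restriction.
ntp_audit() {
    conf="$1"
    if ntp_default_flags "$conf" | grep -qx ignore; then
        [ -z "$(ntp_unrestricted_servers "$conf")" ] && echo ok || echo broken
    elif ntp_default_flags "$conf" | grep -qx noquery; then
        echo ok
    else
        echo open
    fi
}

ntp_audit "$SAMPLE_CONF"     # broken
ntp_audit "$HARDENED_CONF"   # ok
```

To run it against a live file, pass the file contents, e.g. `ntp_audit "$(cat /etc/ntp.conf)"` and `ntp_unrestricted_servers "$(cat /etc/ntp.conf)"` to see which server names would be cut off. The design choice worth noting is that the hardened variant sidesteps the name-matching problem entirely: it never tries to enumerate upstream hosts, so pool names resolving to many addresses stop being an issue.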