Don't try to use server-specific "restrict" settings; trunk
author apb <apb@NetBSD.org>
Tue, 14 Jan 2014 13:23:46 +0000
branch trunk
changeset 223809 d65359b0b3a9
parent 223808 1cedb109e6fc
child 223810 18787d6b1d1c
Don't try to use server-specific "restrict" settings; they do not work when the server is specified by domain name and the name is associated with multiple IP addresses. This also means that uncommenting "restrict default ignore" will not work, so remove the comments suggesting that. Also edit some other comments.
etc/ntp.conf
--- a/etc/ntp.conf	Tue Jan 14 11:32:35 2014 +0000
+++ b/etc/ntp.conf	Tue Jan 14 13:23:46 2014 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: ntp.conf,v 1.18 2014/01/06 11:26:06 apb Exp $
+# $NetBSD: ntp.conf,v 1.19 2014/01/14 13:23:46 apb Exp $
 #
 # NetBSD default Network Time Protocol (NTP) configuration file for ntpd
 
@@ -50,20 +50,18 @@
 #               ntpq or ntpdc queries.
 #   noquery     Deny all ntpq and ntpdc queries.  Does not affect time
 #               synchronisation.
-#   nopeer      Prevent establishing an new peer association.
-#               Does not affect preconfigured peer associations.
+#   nopeer      Prevent establishing new peer associations.
+#               Does not affect peers configured using "peer" lines.
 #               Does not affect client/server time synchronisation.
 #   noserve     Deny all time synchronisation.  Does not affect ntpq or
 #               ntpdc queries.
 #   notrap      Deny the trap subset of the ntpdc control message protocol.
 #   notrust     Deny packets that are not cryptographically authenticated.
 #
-# By default, either deny everything, or allow client/server time exchange
-# but deny configuration changes, queries, and peer associations that were not
-# explicitly configured.
-# (Uncomment one of the following "restrict default" lines.)
+# By default, allow client/server time exchange without prior
+# arrangement, but deny configuration changes, queries, and peer
+# associations that were not explicitly configured.
 #
-#restrict default ignore
 restrict default kod nopeer noquery
 
 # Fewer restrictions for the local subnet.
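Review bot: The rewritten comment above "restrict default kod nopeer noquery" promises that configuration changes are denied, but the line itself carries neither nomodify nor notrap, and the flag descriptions visible in this hunk say only that noquery denies ntpq and ntpdc queries. Either add nomodify (and notrap, which the removed per-server lines used) to the default line so the policy is explicit, or extend the comment to say which of the listed flags is relied on to block modification. A reader auditing this file should not have to infer that from ntpd behaviour.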
@@ -84,23 +82,18 @@
 # and <http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers>
 # for advice.
 #
-# Peers should be selected in such a way that the network path to them
-# is short, uncongested, and symmetric (that is, the series of links
-# and routers used to get to the peer is the same one that the peer
-# uses to get back).  The best place to start looking for NTP peers for
-# your system is within your own network, or at your Internet Service
-# Provider (ISP).
+# Peers or servers should be selected in such a way that the network
+# path to them is short, uncongested, and symmetric (that is, the series
+# of links and routers used to get to the peer is the same one that
+# the peer uses to get back).  The best place to start looking for NTP
+# peers for your system is within your own network, or at your Internet
+# Service Provider (ISP).
 #
 # Ideally, you should select at least three other systems to talk NTP
 # with, for an "what I tell you three times is true" effect.
-#
-# A "restrict" line for each configured peer or server might be necessary,
-# if the "restrict default" settings are very restrictive.  As a courtesy
-# to configured peers and servers, consider allowing them to query.
 
 #peer		an.ntp.peer.goes.here
 #server		an.ntp.server.goes.here
-#restrict	an.ntp.server.goes.here nomodify notrap
 
 # The pool.ntp.org project coordinates public time servers provided by
 # volunteers.  See <http://www.pool.ntp.org>.  The *.netbsd.pool.ntp.org
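Review bot: The paragraph beginning 'A "restrict" line for each configured peer or server might be necessary' and the example "#restrict an.ntp.server.goes.here nomodify notrap" are dropped without a replacement, so the reason now lives only in the commit message. Suggest leaving a short comment here stating that "restrict" lines keyed on a host name do not work when the name is associated with multiple IP addresses, so administrators do not reintroduce them or tighten "restrict default" expecting per-server exceptions to work. Minor style point in the same hunk: the text now opens with "Peers or servers" but the rest of the sentence still speaks only of "the peer".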
@@ -117,10 +110,6 @@
 #
 
 server		0.netbsd.pool.ntp.org
-restrict	0.netbsd.pool.ntp.org nomodify notrap
 server		1.netbsd.pool.ntp.org
-restrict	1.netbsd.pool.ntp.org nomodify notrap
 server		2.netbsd.pool.ntp.org
-restrict	2.netbsd.pool.ntp.org nomodify notrap
 server		3.netbsd.pool.ntp.org
-restrict	3.netbsd.pool.ntp.org nomodify notrap
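Review bot: With the four "restrict N.netbsd.pool.ntp.org nomodify notrap" lines removed, the pool servers fall under "restrict default kod nopeer noquery", which changes what they are allowed to do: the old per-server lines did not set noquery, and the comment removed earlier in this patch described allowing configured servers to query as a courtesy. If that loss of query access is intended, say so in the commit message or in a comment above these server lines; if not, the exception needs to be expressed some other way than by host name.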