What's the best way to lock down NTP on a Linux box (not in the pool)? I don't want anyone to be able to query it, except my trusted subnet. And obviously it needs to fetch time from the pool. I have the following:
    # Ignore everything
    restrict default ignore
    restrict -6 default ignore

    # Allow local trusted nets
    restrict x.x.x.x mask 255.255.255.0
    restrict y.y.y.y mask 255.255.255.0
    restrict 127.0.0.1
    restrict -6 ::1

    driftfile /var/lib/ntp/drift

    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html).
    server 0.centos.pool.ntp.org
    server 1.centos.pool.ntp.org
    server 2.centos.pool.ntp.org

This looks like it blocks the server's ability to talk outbound to its upstream servers?

    ntpq -pn
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
     195.222.33.219  .INIT.          16 u    -   64    0    0.000    0.000   0.000
     149.20.68.17    .INIT.          16 u    -   64    0    0.000    0.000   0.000
     62.237.86.234   .INIT.          16 u    -   64    0    0.000    0.000   0.000

-- 
Scott Baker - Canby Telcom
System Administrator - RHCE - 503.266.8253
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
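A corrected /etc/ntp.conf for the setup described in the post above, added here as an illustration; it is not from the original thread or from the ntp project. It keeps the poster's trusted-net lines and pool servers (the x.x.x.x / y.y.y.y placeholders are the ones from the post) and shows the catch-all `ignore` line beside the two ways of letting upstream replies through. The three upstream addresses in option B are taken from the ntpq output in the post; they are pool addresses and will change, so option B is only shown to make the mechanism visible.

```conf
# /etc/ntp.conf (added example, not the original poster's file)
#
# "restrict default ignore" matches every packet whose source address is
# not covered by a more specific restrict line. Replies from the upstream
# servers fall under it, so ntpd discards them and every association
# stays at refid .INIT. with reach 0, exactly what the ntpq output shows.
#
# Option A: accept time exchanges with anyone, but refuse ntpq/ntpdc
# control queries (mode 6/7, which also covers the mode 7 "monlist"
# amplification vector), runtime modification, traps and peering.
# This is the stock CentOS default. Anyone can still ask this host for
# time; if that is not acceptable, use option B instead.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Option B (instead of A): keep the catch-all ignore and allow each
# upstream address explicitly. The addresses are the ones ntpq printed
# above; *.pool.ntp.org names resolve to different hosts over time, so
# this only works with fixed upstream servers, not with pool names.
#restrict default ignore
#restrict -6 default ignore
#restrict 195.222.33.219 nomodify notrap noquery nopeer
#restrict 149.20.68.17 nomodify notrap noquery nopeer
#restrict 62.237.86.234 nomodify notrap noquery nopeer

# Trusted nets and localhost: no flags, so full access including ntpq.
restrict x.x.x.x mask 255.255.255.0
restrict y.y.y.y mask 255.255.255.0
restrict 127.0.0.1
restrict -6 ::1

driftfile /var/lib/ntp/drift

# Use public servers from the pool.ntp.org project.
server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org
```

To check the fix after restarting ntpd, run `ntpq -pn` on the box itself (localhost has full access): within a few poll intervals the refid column should change from .INIT. to a real reference and the reach column should climb 1, 3, 7, ... 377. From a host outside the trusted nets, `ntpq -pn <server>` should time out rather than list peers. On newer ntpd releases (the 4.2.8 series documents both) the `pool` directive together with `restrict source nomodify notrap noquery nopeer` gives the effect of option B for pool names whose addresses change, without hard-coding any address.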
