NTP Restrictions
NTP restrictions control how NTP treats traffic from peers. The NTP Configuration Examples at the start of this section contain a good set of restrictions to use as a starting point.
These restrictions are configured using the restrict command from within config-ntp mode.
- restrict (default|<fqdn>|<ip-prefix>|source):
This command enters config-ntp-restrict mode. The restriction is placed upon an address specified as:
- default:
The default restriction for any host.
- source:
Default restrictions for associated hosts.
- <fqdn>:
An address specified as an FQDN to be resolved using DNS.
- <prefix>:
An IPv4 or IPv6 network specification.
In config-ntp-restrict mode, the following settings control what hosts matching this restriction can do:
- kod:
Sends a Kiss of Death packet to misbehaving clients. Only works when paired with the limited option.
- limited:
Enforce rate limits on clients. This does not apply to queries from ntpq/ntpdc or the show ntp <x> commands.
- nomodify:
Allows clients to query read only server state information, but does not allow them to make changes.
- nopeer:
Deny unauthorized associations. When using a server entry in pool mode, this should be present in the default restriction but not in the source restriction.
- noquery:
Deny ntpq/ntpdc/show ntp <x> queries for NTP daemon information. Does not affect NTP acting as a time server.
- noserve:
Disables time service. Still allows ntpq/ntpdc/show ntp <x> queries.
- notrap:
Decline mode 6 trap service to clients.
Decline mode 6 trap service to clients.
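The option dependencies described above (kod needs limited; with a pool server entry, nopeer belongs in default but not in source) can be checked mechanically before a restriction set is applied. The following is an added example, not part of the original documentation or the product's own tooling; the plain-text input layout (a restrict line followed by one option per line) and the function names parse_restrictions and audit are assumptions made for illustration.

```python
# Added example: lint NTP restrict blocks against the option rules in the list above.
KNOWN = {"kod", "limited", "nomodify", "nopeer", "noquery", "noserve", "notrap"}

def parse_restrictions(text):
    """Parse 'restrict <target>' lines, each followed by one option per line.
    The layout is an assumed review format, not the device's config syntax."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "restrict" and len(words) == 2:
            current = blocks.setdefault(words[1], set())
        elif current is not None and len(words) == 1:
            current.add(words[0])
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return blocks

def audit(blocks, pool_mode=False):
    """Return findings for option combinations the documentation warns about."""
    findings = []
    for target, opts in sorted(blocks.items()):
        for opt in sorted(opts - KNOWN):
            findings.append(f"{target}: unknown option {opt}")
        # kod only works when paired with limited
        if "kod" in opts and "limited" not in opts:
            findings.append(f"{target}: kod has no effect without limited")
    if pool_mode:
        # With a pool server entry: nopeer in default, but not in source
        if "nopeer" not in blocks.get("default", set()):
            findings.append("default: nopeer missing while using pool mode")
        if "nopeer" in blocks.get("source", set()):
            findings.append("source: nopeer present while using pool mode")
    return findings

# Constructed sample input with three deliberate mistakes
SAMPLE = """
restrict default
kod
nomodify
notrap
restrict source
kod
limited
nomodify
nopeer
notrap
"""

if __name__ == "__main__":
    for finding in audit(parse_restrictions(SAMPLE), pool_mode=True):
        print(finding)
```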