NTP Restrictions

NTP restrictions control how NTP treats traffic from peers. The NTP Configuration Examples at the start of this section contains a good set of restrictions to use as a starting point.

These restrictions are configured using the restrict command from within config-ntp mode.

restrict (default|<fqdn>|<ip-prefix>|source):

This command enters config-ntp-restrict mode.

The restriction is placed upon an address specified as:

default:

The default restriction for any host.

source:

Default restrictions for associated hosts.

<fqdn>:

An address specified as an FQDN to be resolved using DNS.

<prefix>:

An IPv4 or IPv6 network specification.

In config-ntp-restrict mode, the following settings control what hosts matching this restriction can do:

kod:

Sends a Kiss of Death packet to misbehaving clients. Only works when paired with the limited option.

limited:

Enforce rate limits on clients. This does not apply to queries from ntpq/ntpdc or the show ntp <x> commands.

nomodify:

Allows clients to query read only server state information, but does not allow them to make changes.

nopeer:

Deny unauthorized associations. When using a server entry in pool mode, this should be present in the default restriction but not in the source restriction.

noquery:

Deny ntpq/ntpdc/show ntp <x> queries for NTP daemon information. Does not affect NTP acting as a time server.

noserve:

Disables time service. Still allows ntpq/ntpdc/show ntp <x> queries

notrap:

Decline mode 6 trap service to clients.