From 2be76487f49ab11901f80405ecceda9ee8f7c157 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Thu, 8 Jan 2015 13:46:04 +0100 Subject: [PATCH] extend Readme for a simple client these restrictions are needed if you want to install an ntpd that only acts as a client 1) disable global access 2) allow localhost completely (useful for just in time config changes via cli) 3) allow minimal access to the source servers everything for IPv4 and IPv6 settings are based on http://support.ntp.org/bin/view/Support/AccessRestrictions more and more reflected NTP attacks are common on the internet, so it is pretty dangerous to install a simple client without these settings. I guess they could be useful for other people. fix typo --- README.markdown | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.markdown b/README.markdown index 446c17441..4695a1ef5 100644 --- a/README.markdown +++ b/README.markdown @@ -67,6 +67,22 @@ class { '::ntp': } ``` +###I just want to install a client that can't be queried + +```puppet +class { '::ntp': + servers => ['ntp1.corp.com', 'ntp2.corp.com'], + restrict => [ + 'default ignore', + '-6 default ignore', + '127.0.0.1', + '-6 ::1', + 'ntp1.corp.com nomodify notrap nopeer noquery', + 'ntp1.corp.com nomodify notrap nopeer noquery' + ], +} +``` + ###I only want to listen on specific interfaces, not on 0.0.0.0 Restricting this is especially useful on Openstack nodes which may have numerous virtual interfaces.
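Review bot: the last two `restrict` entries in the new example are identical (`'ntp1.corp.com nomodify notrap nopeer noquery'` twice), so `ntp2.corp.com`, which is listed in `servers`, has no entry of its own and falls under `default ignore`, which drops all packets from it, replies included. The second of the two lines should be `'ntp2.corp.com nomodify notrap nopeer noquery'`. The new section also has no explanatory sentence under its heading, unlike the "listen on specific interfaces" section that follows it. The rationale in the commit message (deny by default, allow localhost fully, allow the upstream servers minimally, for both IPv4 and IPv6) is worth a line or two in the README itself, along with a reminder that every host in `servers` needs a matching `restrict` line.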