From 1a8c48db002aaf1401b7b7550eef399dbcc408f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20M=E4kinen?=
Date: Tue, 3 Jan 2012 15:53:07 +0200
Subject: [PATCH] Changed ntp config to more restrictive.
---
 ntpd/templates/ntp.conf.erb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ntpd/templates/ntp.conf.erb b/ntpd/templates/ntp.conf.erb
index 51b2a9f..5ebd9e5 100644
--- a/ntpd/templates/ntp.conf.erb
+++ b/ntpd/templates/ntp.conf.erb
@@ -3,9 +3,9 @@ tinker panic 0
 <% end -%>
-# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
+# By default deny everything
+restrict default ignore
+restrict -6 default ignore
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
@@ -16,6 +16,7 @@ driftfile /var/lib/ntp/ntp.drift
 # Remote servers.
 <% ntp_server.each do |server| -%>
+restrict <%= server %> mask 255.255.255.255 nomodify notrap noquery
 server <%= server %>
 <% end -%>
 <% if is_virtual == "false" -%>
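Review bot: In the first hunk (`@@ -3,9 +3,9 @@`), the new comment `# By default deny everything` does not say that `ignore` also drops replies from the configured time sources, so the file now only works because of the per-server `restrict` lines added under `# Remote servers.` further down. I would spell that dependency out, e.g. `# Default-deny all NTP traffic; each upstream server is re-allowed by its own restrict line below.` If any host rendered from this template is also expected to serve time to, or be queried by, other machines (not visible in this diff), those peers will need explicit `restrict` entries as well.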
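Review bot: In the second hunk (`@@ -16,6 +16,7 @@`), the added `restrict <%= server %> mask 255.255.255.255 nomodify notrap noquery` line only matches reliably when each `ntp_server` entry is a single IPv4 address. The values are not visible here, but if an entry is a hostname (pool or round-robin names in particular) or an IPv6 address, the restrict entry may not cover the address ntpd actually exchanges packets with, and with `restrict default ignore` in place the replies are dropped and the clock quietly stops syncing. A host mask is already ntpd's default for a single address, so `restrict <%= server %> nomodify notrap noquery` behaves the same for IPv4 and avoids pairing an IPv4 mask with an IPv6 address. It would also help to note next to the loop that `ntp_server` is expected to hold address literals, and to confirm reachability with `ntpq -p` after rollout.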