diff --git a/ntpd/templates/ntp.conf.erb b/ntpd/templates/ntp.conf.erb
index 2c7bc3d..0be9cbf 100644
--- a/ntpd/templates/ntp.conf.erb
+++ b/ntpd/templates/ntp.conf.erb
@@ -1,10 +1,10 @@
-<% if is_virtual == "true" -%>
+<% if @is_virtual == "true" -%>
 # Don't mind if the virtualized clock appears to be behaving erratically.
 tinker panic 0
 
 <% end -%>
-# By default deny everything
-restrict default ignore
+# By default deny everything.
+restrict -4 default ignore
 restrict -6 default ignore
 
 # Local users may interrogate the ntp server more closely.
@@ -15,21 +15,22 @@ restrict ::1
 driftfile /var/lib/ntp/ntp.drift
 
 # Remote servers.
-<% ntp_server.each do |server| -%>
-restrict <%= server %> mask 255.255.255.255 nomodify notrap noquery
+<% @ntp_server.each do |server| -%>
 server <%= server %>
+restrict <%= server %> nomodify notrap nopeer noquery
 <% end -%>
-<% if is_virtual == "false" -%>
+<% if @is_virtual == "false" -%>
 
 # Undisciplined Local Clock. This is a fake driver intended for backup
 # and when no outside source of synchronized time is available.
 server 127.127.1.0
 fudge  127.127.1.0 stratum 10
 <% end -%>
-<% if has_variable?("ntp_client_networks") -%>
+<% if @ntp_client_networks -%>
 
 # Restrictions for clients using us as source.
-<%     ntp_client_networks.each do |net| -%>
-restrict <%= net.split("/")[0] %> mask <%= net.split("/")[1] %> nomodify notrap
-<%     end -%>
+<%   @ntp_client_networks.each do |net| -%>
+<%     addr, mask = net.split("/") -%>
+restrict <%= addr %> mask <%= mask %> nomodify notrap nopeer
+<%   end -%>
 <% end -%>