The restrict statement enables access control.
restrict address [mask numeric_mask] [flag]
address
If address is entered in "decimal dotted notation", it specifies the IP address of a network, a subnetwork or an individual host. If the mask clause is not specified, address refers to the IP address of a single host. Alternatively, address can specify a host’s valid DNS name.
numeric_mask
numeric_mask must be entered in "decimal dotted notation" and must specify a subnet mask.
Default: 255.255.255.255
flag
The flag specification always implies a restriction on access rights. A restrict statement without the flag entry thus allows unrestricted access rights.
flag can have the following values (you will find a complete list, for example, in the HTML documentation supplied):
ignore
Packets arriving from hosts specified in the restrict statement are ignored. Neither ntpq/ntpdc queries nor time server polls are answered.
noserve
All NTP packets with a mode not equal to 6 or 7 are ignored. Time service is rejected, but ntpq/ntpdc queries are allowed.
notrust
The local ntpd daemon does not perform any synchronization due to NTP packets received from hosts specified in the restrict statement.
Example
    # ntp.conf
    #
    #
    server 127.127.1.0 #own clock
    server 172.24.4.121 prefer #time server
    server 172.25.24.12 #VM2
    server 172.25.109.118 #linux pc
    #
    # access control:
    # by default, ignore all packets
    #
    restrict default ignore
    #
    # don't trust servers on local net
    #
    restrict 172.25.0.0 mask 255.255.0.0 notrust
    #
    # the above defined servers are unrestricted
    #
    restrict 127.127.1.0 #own clock
    restrict 172.24.4.121 #time server
    restrict 172.25.24.12 #VM2
    restrict 172.25.109.118 #linux pc
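To check which restrictions a given source address actually ends up with under the example configuration, the following added sketch (not part of the original documentation or of ntpd) parses the restrict lines and evaluates them. It assumes IPv4 addresses only (DNS names are not resolved) and the matching rule from the ntpd access-control documentation, which this page does not state: entries are sorted by address and then mask, and the last matching entry determines the flags. The function names are hypothetical.

```python
import ipaddress

# restrict lines from the example above, embedded so the block runs offline
EXAMPLE_CONF = """\
restrict default ignore
restrict 172.25.0.0 mask 255.255.0.0 notrust
restrict 127.127.1.0 #own clock
restrict 172.24.4.121 #time server
restrict 172.25.24.12 #VM2
restrict 172.25.109.118 #linux pc
"""

def parse_restrict(conf):
    """Parse restrict lines into (network, mask, flags), in ntpd search order."""
    entries = []
    for line in conf.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        address, rest = tokens[1], tokens[2:]
        if address == "default":          # shorthand for 0.0.0.0 mask 0.0.0.0
            addr, mask = 0, 0
        else:                             # no mask clause: single host
            addr, mask = int(ipaddress.IPv4Address(address)), 0xFFFFFFFF
        if rest[:1] == ["mask"]:
            mask, rest = int(ipaddress.IPv4Address(rest[1])), rest[2:]
        entries.append((addr & mask, mask, frozenset(rest)))
    # Assumed rule: sort by address, then mask; the last match wins.
    return sorted(entries, key=lambda e: (e[0], e[1]))

def effective_flags(entries, source):
    """Flags of the last matching entry; empty set means unrestricted."""
    src = int(ipaddress.IPv4Address(source))
    flags = frozenset()
    for network, mask, entry_flags in entries:
        if src & mask == network:
            flags = entry_flags
    return flags

def unrestricted(entries):
    """Entries without any flag, i.e. sources granted full access."""
    return [str(ipaddress.IPv4Address(n)) for n, _, f in entries if not f]

if __name__ == "__main__":
    table = parse_restrict(EXAMPLE_CONF)
    for ip in ("10.1.2.3", "172.25.1.1", "172.25.24.12"):
        print(ip, sorted(effective_flags(table, ip)) or "unrestricted")
    print("no flags:", unrestricted(table))
```

The output of unrestricted() is the list to review during an audit, since every entry without a flag grants full access to that source.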