#
# allow to ask for time but nothing else. send a KissOfDeath to clients
# who abuse our service (see http://www.cis.udel.edu/~mills/ntp/html/rate.html)
#
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

#
# ntpq via localhost is ok
#
restrict 127.0.0.1

#
# allow more informative queries from private networks and don't see kod
# packets (assuming that's ok if our private lan abuses us)
#
restrict 10.0.0.0    mask 255.0.0.0   nomodify notrap nopeer
restrict 172.16.0.0  mask 255.240.0.0 nomodify notrap nopeer
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap nopeer