diff --git a/NEWS b/NEWS
index c7c6713f3110ef520585bea4d1f8ad88785d965a..da9f93bba31741bff5053a3a65656ff876b8c3e1 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,12 @@
+release/004.042 (2015-05-04)
+
+    [ntp] Remove obsolete host references from ntp.conf.  Also,
+    remove iptables rules allowing inbound ntp connections to
+    servers. (whm)
+    
+    [iptables] Remove obsolete fragments for ldap and AFS file
+    servers. (whm)
+    
 release/004.041 (2015-04-29)
 
     [portmap] Minor edit to insist that EL7 gets rpcbind, as does
diff --git a/files/iptables/fragments/afssvr b/files/iptables/fragments/afssvr
deleted file mode 100644
index d0b8d1a0eab0c4c950c6af336e52c066f78f03a6..0000000000000000000000000000000000000000
--- a/files/iptables/fragments/afssvr
+++ /dev/null
@@ -1,10 +0,0 @@
-# AFS file server iptables fragment
-# $Id: afssvr 14974 2009-04-22 01:15:53Z whm $
-
-# AFS client connections.
--A SUL -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -p udp -m udp --dport 7005 -j ACCEPT
-
-# AFS bosserver connections from campus hosts.
--A SUL -s 171.64.0.0/255.252.0.0 -p udp -m udp --dport 7007 -j ACCEPT
--A SUL -s 204.63.224.0/21 -p udp -m udp --dport 7007 -j ACCEPT
diff --git a/files/iptables/fragments/afssvr-secure b/files/iptables/fragments/afssvr-secure
deleted file mode 100644
index 325cdef52182c1a5c3cbbdc34035598319a1cfcc..0000000000000000000000000000000000000000
--- a/files/iptables/fragments/afssvr-secure
+++ /dev/null
@@ -1,48 +0,0 @@
-# Secure AFS file server iptables fragment
-
-# AFS client connections allowed from the following:
-
-# VPN nets
--A SUL -s 171.66.16.0/20 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.66.16.0/20 -p udp -m udp --dport 7005 -j ACCEPT
-
-# afsdb servers
--A SUL -s 171.64.7.222 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.64.7.222 -p udp -m udp --dport 7005 -j ACCEPT
--A SUL -s 171.64.7.234 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.64.7.234 -p udp -m udp --dport 7005 -j ACCEPT
--A SUL -s 171.64.7.246 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.64.7.246 -p udp -m udp --dport 7005 -j ACCEPT
-
-# afs-backup servers
--A SUL -s 171.67.217.0/28 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.67.217.0/28 -p udp -m udp --dport 7005 -j ACCEPT
-
-# lsdb
--A SUL -s 171.67.218.36 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.67.218.36 -p udp -m udp --dport 7005 -j ACCEPT
-
-# filedrawers
--A SUL -s 171.67.218.226 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.67.218.226 -p udp -m udp --dport 7005 -j ACCEPT
--A SUL -s 171.67.218.227 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.67.218.227 -p udp -m udp --dport 7005 -j ACCEPT
-
-# tools3 and tools1
--A SUL -s 171.67.22.78 -p udp -m udp --dport 7005 -j ACCEPT
--A SUL -s 171.67.24.6  -p udp -m udp --dport 7005 -j ACCEPT
-
-# AFS bosserver connections from lsdb and luckdragon.
--A SUL -s 171.67.218.36 -p udp -m udp --dport 7007 -j ACCEPT
--A SUL -s 171.64.11.53 -p udp -m udp --dport 7007 -j ACCEPT
-
-# Nagios servers
--A SUL -s 171.67.22.78 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.67.22.78 -p udp -m udp --dport 7005 -j ACCEPT
--A SUL -s 171.67.22.78 -p udp -m udp --dport 7007 -j ACCEPT
--A SUL -s 171.67.16.36 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.67.16.36 -p udp -m udp --dport 7005 -j ACCEPT
--A SUL -s 171.67.16.36 -p udp -m udp --dport 7007 -j ACCEPT
--A SUL -s 171.67.217.112/28 -p udp -m udp --dport 7000 -j ACCEPT
--A SUL -s 171.67.217.112/28 -p udp -m udp --dport 7005 -j ACCEPT
--A SUL -s 171.67.217.112/28 -p udp -m udp --dport 7007 -j ACCEPT
diff --git a/files/iptables/fragments/ldap b/files/iptables/fragments/ldap
deleted file mode 100644
index 8cbd9e77fb635af4eaf6644ae6bef7c8d578f4b5..0000000000000000000000000000000000000000
--- a/files/iptables/fragments/ldap
+++ /dev/null
@@ -1,8 +0,0 @@
-# ldap iptables fragment
-# $Id: ldap 11350 2008-10-22 01:24:17Z whm $
-
-# slapd (from everywhere)
--A SUL -p tcp -m tcp --dport 389 --syn -j ACCEPT
-
-# bigip ldap-listener monitor
--A SUL -p tcp -m tcp --dport 8389 --syn -j ACCEPT
diff --git a/files/iptables/fragments/ldap-only b/files/iptables/fragments/ldap-only
deleted file mode 100644
index a3ab4b26482fa0ce01eaf874c998ef02c1092a2c..0000000000000000000000000000000000000000
--- a/files/iptables/fragments/ldap-only
+++ /dev/null
@@ -1,12 +0,0 @@
-# ldap-only iptables fragment
-
-# ldap firewall network
--A SUL -s 171.67.218.128/27 -p tcp -m tcp --dport 389 --syn -j ACCEPT
-
-# luckdragon
--A SUL -s 171.64.11.53/32 -p tcp -m tcp --dport 389 --syn -j ACCEPT
-
-# nagios
--A SUL -s 171.67.22.24/32 -p tcp -m tcp --dport 389 --syn -j ACCEPT
--A SUL -s 171.67.16.36/32 -p tcp -m tcp --dport 389 --syn -j ACCEPT
-
diff --git a/files/ntp/etc/ntp.conf b/files/ntp/etc/ntp.conf
index e6d9a02014ef17a6db9ccc7e0dd2153bddd1c10a..fa700d0e72222241192308c1d06809a59c8c42a3 100644
--- a/files/ntp/etc/ntp.conf
+++ b/files/ntp/etc/ntp.conf
@@ -9,11 +9,8 @@ server time-c.stanford.edu iburst
 # Save the clock drift.
 driftfile /var/lib/ntp/ntp.drift
 
-# Only talk to the network where the time servers are and to the Nagios
-# servers.
+# Only talk to the network where the time servers are.
 restrict 171.64.7.0 mask 255.255.255.0 nomodify
-restrict 171.67.16.36 nomodify
-restrict 171.67.22.24 nomodify
 restrict 204.63.224.64 mask 255.255.255.192 nomodify
 
 # Allow all settings from our localhost interface.
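Review bot: The two `restrict` lines that remain carry only `nomodify`, so hosts in 171.64.7.0/24 and 204.63.224.64/26 can still send status queries and set traps on ntpd. If nothing on those networks needs to query the daemon, they could read `restrict 171.64.7.0 mask 255.255.255.0 nomodify notrap noquery` and likewise for 204.63.224.64; time synchronisation is not affected by these flags. The rewritten comment "Only talk to the network where the time servers are" holds only if a `restrict default ignore` (or equivalent) sits elsewhere in the file, which this hunk does not show. The trailing context in manifests/ntp.pp (`# Required if the Nagios servers need to query ntpd.`) suggests a Nagios-specific definition survives this commit outside the hunk. It is worth confirming that it does not rely on the `restrict` entries or the firewall rule removed here.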
diff --git a/manifests/ntp.pp b/manifests/ntp.pp
index cf0fb3f7cadb0085501a5b3a3ba982a797e9ba15..c6a20fb94d4fead069c9ee37f405da5286730eb6 100644
--- a/manifests/ntp.pp
+++ b/manifests/ntp.pp
@@ -57,14 +57,6 @@ class base::ntp {
       }
     }
   }
-
-  # Open the firewall to allow NTP traffic from the monitoring servers.
-  base::iptables::rule { 'ntp':
-    description => 'Allow monitoring servers to check NTP status',
-    source      => [ '171.67.16.36', '171.67.22.24', '171.67.217.112/28' ],
-    protocol    => 'udp',
-    port        => 123,
-  }
 }
 
 # Required if the Nagios servers need to query ntpd.