Module Name: src
Committed By: apb
Date: Mon Jan 6 11:21:34 UTC 2014
Modified Files:
src/etc: ntp.conf
Log Message:
Add several "restrict" lines to the default ntp.conf, with comments.
To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/etc/ntp.conf
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/etc/ntp.conf
diff -u src/etc/ntp.conf:1.15 src/etc/ntp.conf:1.16
--- src/etc/ntp.conf:1.15 Sat Dec 28 03:18:39 2013
+++ src/etc/ntp.conf Mon Jan 6 11:21:34 2014
@@ -1,4 +1,4 @@
-# $NetBSD: ntp.conf,v 1.15 2013/12/28 03:18:39 christos Exp $
+# $NetBSD: ntp.conf,v 1.16 2014/01/06 11:21:34 apb Exp $
#
# NetBSD default Network Time Protocol (NTP) configuration file for ntpd
@@ -36,6 +36,46 @@ mdnstries 0
# the following line
# enable mode7
+# Access control restrictions.
+# See /usr/share/doc/html/ntp/accopt.html for syntax.
+# See <http://support.ntp.org/bin/view/Support/AccessRestrictions> for advice.
+# Last match wins.
+#
+# Some of the more common keywords are:
+# ignore Deny packets of all kinds.
+# kod Send "kiss-o'-death" packets if clients exceed rate
+# limits.
+# nomodify Deny attempts to modify the state of the server via
+# ntpq or ntpdc queries.
+# noquery Deny all ntpq and ntpdc queries. Does not affect time
+# synchronisation.
+# nopeer Prevent establishing an new peer association.
+# Does not affect preconfigured peer associations.
+# Does not affect client/server time synchronisation.
+# noserve Deny all time synchronisation. Does not affect ntpq or
+# ntpdc queries.
+# notrap Deny the trap subset of the ntpdc control message protocol.
+# notrust Deny packets that are not cryptographically authenticated.
+#
+# By default, either deny everything, or allow client/server time exchange
+# but deny configuration changes, queries, and peer associations that were not
+# explicitly configured.
+# (Uncomment one of the following "restrict default" lines.)
+#
+#restrict default ignore
+restrict default kod nopeer noquery
+
+# Fewer restrictions for the local subnet.
+# (Uncomment and adjust as appropriate.)
+#
+#restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer
+#restrict 2001:db8:: mask ffff:ffff:: kod nomodify notrap nopeer
+
+# No restrictions for localhost.
+#
+restrict 127.0.0.1
+restrict ::1
+
# Hereafter should be "server" or "peer" statements to configure other
# hosts to exchange NTP packets with. Peers should be selected in such
# a way that the network path to them is symmetric (that is, the series
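Review bot: the "kod" flag on "restrict default kod nopeer noquery" (and on the commented-out subnet lines) has no effect unless "limited" is also present: ntpd only sends kiss-o'-death packets in response to a rate-limit violation, and rate limits are only enforced when a restriction carries "limited", which is exactly what the new comment "Send kiss-o'-death packets if clients exceed rate limits" implies. Either add "limited" (for example "restrict default kod limited nopeer noquery", and likewise "kod limited nomodify notrap nopeer" on the subnet examples) or drop "kod" so the line does not suggest rate limiting that is not configured. Also, the keyword summary has a typo: "Prevent establishing an new peer association" should read "a new peer association".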
@@ -56,9 +96,13 @@ mdnstries 0
# Ideally, you should select at least three other systems to talk NTP
# with, for an "what I tell you three times is true" effect.
#
+# A "restrict" line for each configured peer or server might be necessary,
+# if the "restrict default" settings are very restrictive. As a courtesy
+# to configured peers and servers, consider allowing them to query.
#peer an.ntp.peer.goes.here
#server an.ntp.server.goes.here
+#restrict an.ntp.server.goes.here nomodify notrap
# Public servers from the pool.ntp.org project. Volunteer's servers
# are dynamically assigned to the CNAMES below via DNS round-robin.
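Review bot: the new comment says a per-server "restrict" line "might be necessary, if the restrict default settings are very restrictive", but it would help the reader to say when: with the shipped default ("kod nopeer noquery") none of the flags block client/server time exchange, as the "noquery" description above already states, so the per-server line is only needed when "restrict default ignore" (or "noserve") is chosen, because those would drop the replies from the configured server. Suggest making that explicit, e.g. "...necessary if 'restrict default ignore' or 'noserve' is used; with the default above it is not needed for time synchronisation."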
@@ -75,6 +119,10 @@ mdnstries 0
# to the NetBSD project.
server 0.netbsd.pool.ntp.org
+restrict 0.netbsd.pool.ntp.org nomodify notrap
server 1.netbsd.pool.ntp.org
+restrict 1.netbsd.pool.ntp.org nomodify notrap
server 2.netbsd.pool.ntp.org
+restrict 2.netbsd.pool.ntp.org nomodify notrap
server 3.netbsd.pool.ntp.org
+restrict 3.netbsd.pool.ntp.org nomodify notrap
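Review bot: the four "restrict N.netbsd.pool.ntp.org nomodify notrap" lines resolve the pool names independently of the matching "server" lines, and the comment just above notes these names are dynamically assigned via DNS round-robin, so the restrict entry may well end up covering a different address than the one the server association is using. In that case the "courtesy" has no effect and the actual server falls back under "restrict default", which with "kod nopeer noquery" still permits time exchange, so nothing breaks, but the lines give a misleading impression of precision. Consider either dropping them in favour of relying on the default, or adding a comment that they are best-effort because of the round-robin resolution.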