Module Name: src Committed By: apb Date: Mon Jan 6 11:21:34 UTC 2014
Modified Files: src/etc: ntp.conf Log Message: Add several "restrict" lines to the default ntp.conf, with comments. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/etc/ntp.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/etc/ntp.conf
diff -u src/etc/ntp.conf:1.15 src/etc/ntp.conf:1.16
--- src/etc/ntp.conf:1.15 Sat Dec 28 03:18:39 2013
+++ src/etc/ntp.conf Mon Jan 6 11:21:34 2014
@@ -1,4 +1,4 @@
-# $NetBSD: ntp.conf,v 1.15 2013/12/28 03:18:39 christos Exp $
+# $NetBSD: ntp.conf,v 1.16 2014/01/06 11:21:34 apb Exp $
 #
 # NetBSD default Network Time Protocol (NTP) configuration file for ntpd
@@ -36,6 +36,46 @@ mdnstries 0
 # the following line
 # enable mode7
+# Access control restrictions.
+# See /usr/share/doc/html/ntp/accopt.html for syntax.
+# See <http://support.ntp.org/bin/view/Support/AccessRestrictions> for advice.
+# Last match wins.
+#
+# Some of the more common keywords are:
+# ignore Deny packets of all kinds.
+# kod Send "kiss-o'-death" packets if clients exceed rate
+# limits.
+# nomodify Deny attempts to modify the state of the server via
+# ntpq or ntpdc queries.
+# noquery Deny all ntpq and ntpdc queries. Does not affect time
+# synchronisation.
+# nopeer Prevent establishing an new peer association.
+# Does not affect preconfigured peer associations.
+# Does not affect client/server time synchronisation.
+# noserve Deny all time synchronisation. Does not affect ntpq or
+# ntpdc queries.
+# notrap Deny the trap subset of the ntpdc control message protocol.
+# notrust Deny packets that are not cryptographically authenticated.
+#
+# By default, either deny everything, or allow client/server time exchange
+# but deny configuration changes, queries, and peer associations that were not
+# explicitly configured.
+# (Uncomment one of the following "restrict default" lines.)
+#
+#restrict default ignore
+restrict default kod nopeer noquery
+
+# Fewer restrictions for the local subnet.
+# (Uncomment and adjust as appropriate.)
+#
+#restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer
+#restrict 2001:db8:: mask ffff:ffff:: kod nomodify notrap nopeer
+
+# No restrictions for localhost.
+#
+restrict 127.0.0.1
+restrict ::1
+
 # Hereafter should be "server" or "peer" statements to configure other
 # hosts to exchange NTP packets with. Peers should be selected in such
 # a way that the network path to them is symmetric (that is, the series
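Review bot: `restrict default kod nopeer noquery` carries `kod` without `limited`, and as far as I can tell from ntpd's access checks a kiss-o'-death packet is only emitted on a `limited` rate violation, so on its own the flag never fires; the keyword table added above that line also never mentions `limited` or the `discard` command that sets its thresholds, so someone copying this default will not see what is missing. If rate limiting is intended, change the line to `restrict default kod limited nopeer noquery` and add a `limited` entry to the table (the same applies to the two commented-out local-subnet examples, which also pair `kod` with no `limited`); if it is not intended, drop `kod` so the comment text matches what the server actually does. One wording nit in the table: `# nopeer Prevent establishing an new peer association.` should read `a new`.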
@@ -56,9 +96,13 @@ mdnstries 0
 # Ideally, you should select at least three other systems to talk NTP
 # with, for an "what I tell you three times is true" effect.
 #
+# A "restrict" line for each configured peer or server might be necessary,
+# if the "restrict default" settings are very restrictive. As a courtesy
+# to configured peers and servers, consider allowing them to query.
 #peer an.ntp.peer.goes.here
 #server an.ntp.server.goes.here
+#restrict an.ntp.server.goes.here nomodify notrap
 # Public servers from the pool.ntp.org project. Volunteer's servers
 # are dynamically assigned to the CNAMES below via DNS round-robin.
@@ -75,6 +119,10 @@ mdnstries 0
 # to the NetBSD project.
 server 0.netbsd.pool.ntp.org
+restrict 0.netbsd.pool.ntp.org nomodify notrap
 server 1.netbsd.pool.ntp.org
+restrict 1.netbsd.pool.ntp.org nomodify notrap
 server 2.netbsd.pool.ntp.org
+restrict 2.netbsd.pool.ntp.org nomodify notrap
 server 3.netbsd.pool.ntp.org
+restrict 3.netbsd.pool.ntp.org nomodify notrap
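Review bot: `#restrict an.ntp.server.goes.here nomodify notrap` (and the live `restrict N.netbsd.pool.ntp.org nomodify notrap` lines in the following hunk) resolve a DNS name independently of the matching `server` line, and for a round-robin pool name the two lookups can return different addresses, so the relaxed entry may land on a host ntpd never talks to while the peer actually in use stays under `restrict default`. The relaxed entry also re-opens ntpq/ntpdc queries to whichever pool member it resolves to, which is the exposure `noquery` in the default was closing; with mode 7 left disabled (the `# enable mode7` context in the earlier hunk) that is mostly mode 6, but it is still more than time exchange needs. If the ntpd in base supports it, `restrict source nomodify notrap noquery` applies the restriction to each association's actual remote address as it is mobilized and sidesteps the double-lookup problem; otherwise consider dropping the per-name lines and the "courtesy" sentence, since `restrict default kod nopeer noquery` already permits the client/server exchange these servers need. The `server` statements themselves are unchanged context here.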