Module Name: src Committed By: bouyer Date: Mon Jan 6 19:24:42 UTC 2014
Modified Files: src/dist/ntp/ntpd [netbsd-5-2]: ntp_request.c src/etc [netbsd-5-2]: ntp.conf Log Message: etc/ntp.conf 1.16, 1.17, 1.18 via patch external/bsd/ntp/dist/ntpd/ntp_request.c patch Patch from ntp 4.2.7p404 to prevent amplification and DoS attacks. Add several "restrict" lines to the default ntp.conf and improve comments [spz, ticket #1895] To generate a diff of this commit: cvs rdiff -u -r1.8.4.1 -r1.8.4.1.6.1 src/dist/ntp/ntpd/ntp_request.c cvs rdiff -u -r1.9 -r1.9.36.1 src/etc/ntp.conf Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/dist/ntp/ntpd/ntp_request.c diff -u src/dist/ntp/ntpd/ntp_request.c:1.8.4.1 src/dist/ntp/ntpd/ntp_request.c:1.8.4.1.6.1 --- src/dist/ntp/ntpd/ntp_request.c:1.8.4.1 Wed Dec 9 04:48:24 2009 +++ src/dist/ntp/ntpd/ntp_request.c Mon Jan 6 19:24:42 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: ntp_request.c,v 1.8.4.1 2009/12/09 04:48:24 snj Exp $ */ +/* $NetBSD: ntp_request.c,v 1.8.4.1.6.1 2014/01/06 19:24:42 bouyer Exp $ */ /* * ntp_request.c - respond to information requests @@ -84,8 +84,7 @@ static void do_resaddflags P((struct soc static void do_ressubflags P((struct sockaddr_storage *, struct interface *, struct req_pkt *)); static void do_unrestrict P((struct sockaddr_storage *, struct interface *, struct req_pkt *)); static void do_restrict P((struct sockaddr_storage *, struct interface *, struct req_pkt *, int)); -static void mon_getlist_0 P((struct sockaddr_storage *, struct interface *, struct req_pkt *)); -static void mon_getlist_1 P((struct sockaddr_storage *, struct interface *, struct req_pkt *)); +static void mon_getlist P((struct sockaddr_storage *, struct interface *, struct req_pkt *)); static void reset_stats P((struct sockaddr_storage *, struct interface *, struct req_pkt *)); static void reset_peer P((struct sockaddr_storage *, struct interface *, struct req_pkt *)); static void do_key_reread P((struct sockaddr_storage *, struct interface *, struct req_pkt *)); @@ -145,8 +144,8 @@ static struct req_proc ntp_codes[] = { sizeof(struct conf_restrict), do_ressubflags }, { REQ_UNRESTRICT, AUTH, v4sizeof(struct conf_restrict), sizeof(struct conf_restrict), do_unrestrict }, - { REQ_MON_GETLIST, NOAUTH, 0, 0, mon_getlist_0 }, - { REQ_MON_GETLIST_1, NOAUTH, 0, 0, mon_getlist_1 }, + { REQ_MON_GETLIST, NOAUTH, 0, 0, mon_getlist }, + { REQ_MON_GETLIST_1, NOAUTH, 0, 0, mon_getlist }, { REQ_RESET_STATS, AUTH, sizeof(struct reset_flags), 0, reset_stats }, { REQ_RESET_PEER, AUTH, v4sizeof(struct conf_unpeer), sizeof(struct conf_unpeer), reset_peer }, 
@@ -601,6 +600,9 @@ process_private( "process_private: failed auth mod_okay %d\n", mod_okay); #endif + if (!mod_okay) { + sys_restricted++; + } req_ack(srcadr, inter, inpkt, INFO_ERR_AUTH); return; } @@ -822,35 +824,42 @@ peer_info ( struct req_pkt *inpkt ) { - register struct info_peer_list *ipl; + struct info_peer_list ipl; register struct peer *pp; register struct info_peer *ip; register int items; + size_t item_sz; + char * datap; register int i, j; struct sockaddr_storage addr; extern struct peer *sys_peer; l_fp ltmp; - memset((char *)&addr, 0, sizeof addr); items = INFO_NITEMS(inpkt->err_nitems); - ipl = (struct info_peer_list *) inpkt->data; - + item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize); + datap = inpkt->data; + if (item_sz != sizeof(ipl)) { + req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + return; + } ip = (struct info_peer *)prepare_pkt(srcadr, inter, inpkt, v6sizeof(struct info_peer)); while (items-- > 0 && ip != 0) { + memset(&ipl,0,sizeof(ipl)); + memcpy(&ipl, datap, item_sz); memset((char *)&addr, 0, sizeof(addr)); - NSRCPORT(&addr) = ipl->port; - if (client_v6_capable && ipl->v6_flag != 0) { + NSRCPORT(&addr) = ipl.port; + if (client_v6_capable && ipl.v6_flag != 0) { addr.ss_family = AF_INET6; - GET_INADDR6(addr) = ipl->addr6; + GET_INADDR6(addr) = ipl.addr6; } else { addr.ss_family = AF_INET; - GET_INADDR(addr) = ipl->addr; + GET_INADDR(addr) = ipl.addr; } #ifdef HAVE_SA_LEN_IN_STRUCT_SOCKADDR addr.ss_len = SOCKLEN(&addr); #endif - ipl++; + datap += item_sz; if ((pp = findexistingpeer(&addr, (struct peer *)0, -1)) == 0) continue; if (pp->srcadr.ss_family == AF_INET6) { @@ -954,10 +963,12 @@ peer_stats ( struct req_pkt *inpkt ) { - register struct info_peer_list *ipl; + struct info_peer_list ipl; register struct peer *pp; register struct info_peer_stats *ip; register int items; + size_t item_sz; + char * datap; struct sockaddr_storage addr; extern struct peer *sys_peer; 
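Review bot: peer_info rejects any item whose size differs from the full struct (`if (item_sz != sizeof(ipl))`), whereas peer_stats, do_conf, do_unconf, do_restrict and reset_peer in the later hunks use `item_sz > sizeof(...)` and accept shorter IPv4-only items after zero-filling; if the strictness here is deliberate, a one-line comment such as `/* only full-size items accepted; shorter v4-only requests get INFO_ERR_FMT */` would stop the next reader from "fixing" it to `>`. With `!=` the `memset(&ipl,0,sizeof(ipl))` before the memcpy can never have an effect. None of these hunks shows `items * item_sz` being bounded by the length actually received; if process_private (body outside these hunks) does not already enforce that, `datap += item_sz` can walk past the request data, so that check should be confirmed. peer_info's body continues outside the hunk.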
@@ -966,18 +977,25 @@ peer_stats ( printf("peer_stats: called\n"); #endif items = INFO_NITEMS(inpkt->err_nitems); - ipl = (struct info_peer_list *) inpkt->data; + item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize); + datap = inpkt->data; + if (item_sz > sizeof(ipl)) { + req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + return; + } ip = (struct info_peer_stats *)prepare_pkt(srcadr, inter, inpkt, v6sizeof(struct info_peer_stats)); while (items-- > 0 && ip != 0) { + memset(&ipl,0,sizeof(ipl)); + memcpy(&ipl, datap, item_sz); memset((char *)&addr, 0, sizeof(addr)); - NSRCPORT(&addr) = ipl->port; - if (client_v6_capable && ipl->v6_flag) { + NSRCPORT(&addr) = ipl.port; + if (client_v6_capable && ipl.v6_flag) { addr.ss_family = AF_INET6; - GET_INADDR6(addr) = ipl->addr6; + GET_INADDR6(addr) = ipl.addr6; } else { addr.ss_family = AF_INET; - GET_INADDR(addr) = ipl->addr; + GET_INADDR(addr) = ipl.addr; } #ifdef HAVE_SA_LEN_IN_STRUCT_SOCKADDR addr.ss_len = SOCKLEN(&addr); @@ -985,10 +1003,9 @@ peer_stats ( #ifdef DEBUG if (debug) printf("peer_stats: looking for %s, %d, %d\n", stoa(&addr), - ipl->port, ((struct sockaddr_in6 *)&addr)->sin6_port); + ipl.port, ((struct sockaddr_in6 *)&addr)->sin6_port); #endif - ipl = (struct info_peer_list *)((char *)ipl + - INFO_ITEMSIZE(inpkt->mbz_itemsize)); + datap += item_sz; if ((pp = findexistingpeer(&addr, (struct peer *)0, -1)) == 0) continue; @@ -1329,8 +1346,9 @@ do_conf( ) { int items; + size_t item_sz; + char * datap; u_int fl; - struct conf_peer *cp; struct conf_peer temp_cp; struct sockaddr_storage peeraddr; struct sockaddr_in tmp_clock; 
@@ -1341,39 +1359,16 @@ do_conf( * very picky here. */ items = INFO_NITEMS(inpkt->err_nitems); - cp = (struct conf_peer *)inpkt->data; - memset(&temp_cp, 0, sizeof(struct conf_peer)); - memcpy(&temp_cp, (char *)cp, INFO_ITEMSIZE(inpkt->mbz_itemsize)); - fl = 0; - while (items-- > 0 && !fl) { - if (((temp_cp.version) > NTP_VERSION) - || ((temp_cp.version) < NTP_OLDVERSION)) - fl = 1; - if (temp_cp.hmode != MODE_ACTIVE - && temp_cp.hmode != MODE_CLIENT - && temp_cp.hmode != MODE_BROADCAST) - fl = 1; - if (temp_cp.flags & ~(CONF_FLAG_AUTHENABLE | CONF_FLAG_PREFER - | CONF_FLAG_BURST | CONF_FLAG_IBURST | CONF_FLAG_SKEY)) - fl = 1; - cp = (struct conf_peer *) - ((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize)); - } - - if (fl) { + item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize); + datap = inpkt->data; + if (item_sz > sizeof(temp_cp)) { req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); return; } - /* - * Looks okay, try it out - */ - items = INFO_NITEMS(inpkt->err_nitems); - cp = (struct conf_peer *)inpkt->data; - while (items-- > 0) { memset(&temp_cp, 0, sizeof(struct conf_peer)); - memcpy(&temp_cp, (char *)cp, INFO_ITEMSIZE(inpkt->mbz_itemsize)); + memcpy(&temp_cp, datap, item_sz); memset((char *)&peeraddr, 0, sizeof(struct sockaddr_storage)); fl = 0; @@ -1421,8 +1416,7 @@ do_conf( req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); return; } - cp = (struct conf_peer *) - ((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize)); + datap += item_sz; } req_ack(srcadr, inter, inpkt, INFO_OKAY); @@ -1535,9 +1529,10 @@ do_unconf( struct req_pkt *inpkt ) { - register struct conf_unpeer *cp; struct conf_unpeer temp_cp; register int items; + size_t item_sz; + char * datap; register struct peer *peer; struct sockaddr_storage peeraddr; int bad, found; 
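Review bot: The removed pre-validation pass in do_conf checked every item's `version`, `hmode` and `flags` before any peer was configured, and nothing in this hunk re-adds those checks to the remaining loop; the loop body continues outside the hunk, so confirm that an equivalent per-item check (`version` within NTP_OLDVERSION..NTP_VERSION, `hmode` one of MODE_ACTIVE/MODE_CLIENT/MODE_BROADCAST, no bits outside the CONF_FLAG_* set) still runs before the peer is created and still answers INFO_ERR_FMT. Moving the check into the apply loop also changes the failure mode from all-or-nothing to partial application, since items before the rejected one have already been configured. If that is acceptable, document it at the top of the loop, e.g. `/* items are validated and applied one at a time; earlier items stay configured if a later one is rejected */`.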
@@ -1549,13 +1544,18 @@ do_unconf( * an error. */ items = INFO_NITEMS(inpkt->err_nitems); - cp = (struct conf_unpeer *)inpkt->data; + item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize); + datap = inpkt->data; + if (item_sz > sizeof(temp_cp)) { + req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + return; + } bad = 0; while (items-- > 0 && !bad) { memset(&temp_cp, 0, sizeof(temp_cp)); + memcpy(&temp_cp, datap, item_sz); memset(&peeraddr, 0, sizeof(peeraddr)); - memcpy(&temp_cp, cp, INFO_ITEMSIZE(inpkt->mbz_itemsize)); if (client_v6_capable && temp_cp.v6_flag != 0) { peeraddr.ss_family = AF_INET6; GET_INADDR6(peeraddr) = temp_cp.peeraddr6; @@ -1582,8 +1582,7 @@ do_unconf( } if (!found) bad = 1; - cp = (struct conf_unpeer *) - ((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize)); + datap = inpkt->data; } if (bad) { @@ -1596,11 +1595,12 @@ do_unconf( */ items = INFO_NITEMS(inpkt->err_nitems); - cp = (struct conf_unpeer *)inpkt->data; + datap = inpkt->data; + while (items-- > 0) { memset(&temp_cp, 0, sizeof(temp_cp)); + memcpy(&temp_cp, datap, item_sz); memset(&peeraddr, 0, sizeof(peeraddr)); - memcpy(&temp_cp, cp, INFO_ITEMSIZE(inpkt->mbz_itemsize)); if (client_v6_capable && temp_cp.v6_flag != 0) { peeraddr.ss_family = AF_INET6; GET_INADDR6(peeraddr) = temp_cp.peeraddr6; @@ -1613,8 +1613,7 @@ do_unconf( peeraddr.ss_len = SOCKLEN(&peeraddr); #endif peer_unconfig(&peeraddr, (struct interface *)0, -1); - cp = (struct conf_unpeer *) - ((char *)cp + INFO_ITEMSIZE(inpkt->mbz_itemsize)); + datap += item_sz; } req_ack(srcadr, inter, inpkt, INFO_OKAY); @@ -1815,8 +1814,10 @@ do_restrict( int op ) { - register struct conf_restrict *cr; + struct conf_restrict cr; register int items; + size_t item_sz; + char * datap; struct sockaddr_storage matchaddr; struct sockaddr_storage matchmask; int bad; 
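Review bot: The first loop in do_unconf resets `datap = inpkt->data;` at the end of each iteration (hunk @@ -1582), so the "found" check only ever examines the first item, repeated `items` times, while the second loop (hunk @@ -1596) then calls peer_unconfig for every item, including ones that were never validated. Every other loop in this commit advances with `datap += item_sz;`, and that is what this line should be. do_unconf's body starts before the first of these hunks.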
@@ -1827,26 +1828,31 @@ do_restrict( * about it. Note we are very picky here. */ items = INFO_NITEMS(inpkt->err_nitems); - cr = (struct conf_restrict *)inpkt->data; + item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize); + datap = inpkt->data; + if (item_sz > sizeof(cr)) { + req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + return; + } bad = 0; - cr->flags = ntohs(cr->flags); - cr->mflags = ntohs(cr->mflags); while (items-- > 0 && !bad) { - if (cr->mflags & ~(RESM_NTPONLY)) + memcpy(&cr, datap, item_sz); + cr.flags = ntohs(cr.flags); + cr.mflags = ntohs(cr.mflags); + if (cr.mflags & ~(RESM_NTPONLY)) bad |= 1; - if (cr->flags & ~(RES_ALLFLAGS)) + if (cr.flags & ~(RES_ALLFLAGS)) bad |= 2; - if (cr->mask != htonl(INADDR_ANY)) { - if (client_v6_capable && cr->v6_flag != 0) { - if (IN6_IS_ADDR_UNSPECIFIED(&cr->addr6)) + if (cr.mask != htonl(INADDR_ANY)) { + if (client_v6_capable && cr.v6_flag != 0) { + if (IN6_IS_ADDR_UNSPECIFIED(&cr.addr6)) bad |= 4; } else - if (cr->addr == htonl(INADDR_ANY)) + if (cr.addr == htonl(INADDR_ANY)) bad |= 8; } - cr = (struct conf_restrict *)((char *)cr + - INFO_ITEMSIZE(inpkt->mbz_itemsize)); + datap += item_sz; } if (bad) { 
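Review bot: do_restrict copies `item_sz` bytes into `cr` without zero-filling it first (`memcpy(&cr, datap, item_sz);`), unlike peer_stats, do_conf, do_unconf and reset_peer, which `memset` the local before the memcpy; since the size check only requires `item_sz <= sizeof(cr)`, a shorter IPv4-only item leaves `addr6`, `mask6` and `v6_flag` holding whatever was on the stack. Add `memset(&cr, 0, sizeof(cr));` before the memcpy here and in the apply loop of the next hunk (@@ -1859). do_restrict's body starts before this hunk.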
@@ -1859,25 +1865,28 @@ do_restrict( * Looks okay, try it out */ items = INFO_NITEMS(inpkt->err_nitems); - cr = (struct conf_restrict *)inpkt->data; memset((char *)&matchaddr, 0, sizeof(struct sockaddr_storage)); memset((char *)&matchmask, 0, sizeof(struct sockaddr_storage)); + datap = inpkt->data; while (items-- > 0) { - if (client_v6_capable && cr->v6_flag != 0) { - GET_INADDR6(matchaddr) = cr->addr6; - GET_INADDR6(matchmask) = cr->mask6; + memcpy(&cr, datap, item_sz); + cr.flags = ntohs(cr.flags); + cr.mflags = ntohs(cr.mflags); + if (client_v6_capable && cr.v6_flag != 0) { + GET_INADDR6(matchaddr) = cr.addr6; + GET_INADDR6(matchmask) = cr.mask6; matchaddr.ss_family = AF_INET6; matchmask.ss_family = AF_INET6; } else { - GET_INADDR(matchaddr) = cr->addr; - GET_INADDR(matchmask) = cr->mask; + GET_INADDR(matchaddr) = cr.addr; + GET_INADDR(matchmask) = cr.mask; matchaddr.ss_family = AF_INET; matchmask.ss_family = AF_INET; } - hack_restrict(op, &matchaddr, &matchmask, cr->mflags, - cr->flags); - cr++; + hack_restrict(op, &matchaddr, &matchmask, cr.mflags, + cr.flags); + datap += item_sz; } req_ack(srcadr, inter, inpkt, INFO_OKAY); 
@@ -1888,103 +1897,13 @@ do_restrict( * mon_getlist - return monitor data */ static void -mon_getlist_0( +mon_getlist( struct sockaddr_storage *srcadr, struct interface *inter, struct req_pkt *inpkt ) { - register struct info_monitor *im; - register struct mon_data *md; - extern struct mon_data mon_mru_list; - extern int mon_enabled; - -#ifdef DEBUG - if (debug > 2) - printf("wants monitor 0 list\n"); -#endif - if (!mon_enabled) { - req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); - return; - } - im = (struct info_monitor *)prepare_pkt(srcadr, inter, inpkt, - v6sizeof(struct info_monitor)); - for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0; - md = md->mru_next) { - im->lasttime = htonl((u_int32)md->avg_interval); - im->firsttime = htonl((u_int32)(current_time - md->lasttime)); - im->lastdrop = htonl((u_int32)md->drop_count); - im->count = htonl((u_int32)(md->count)); - if (md->rmtadr.ss_family == AF_INET6) { - if (!client_v6_capable) - continue; - im->addr6 = GET_INADDR6(md->rmtadr); - im->v6_flag = 1; - } else { - im->addr = GET_INADDR(md->rmtadr); - if (client_v6_capable) - im->v6_flag = 0; - } - im->port = md->rmtport; - im->mode = md->mode; - im->version = md->version; - im = (struct info_monitor *)more_pkt(); - } - flush_pkt(); -} - -/* - * mon_getlist - return monitor data - */ -static void -mon_getlist_1( - struct sockaddr_storage *srcadr, - struct interface *inter, - struct req_pkt *inpkt - ) -{ - register struct info_monitor_1 *im; - register struct mon_data *md; - extern struct mon_data mon_mru_list; - extern int mon_enabled; - - if (!mon_enabled) { - req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); - return; - } - im = (struct info_monitor_1 *)prepare_pkt(srcadr, inter, inpkt, - v6sizeof(struct info_monitor_1)); - for (md = mon_mru_list.mru_next; md != &mon_mru_list && im != 0; - md = md->mru_next) { - im->lasttime = htonl((u_int32)md->avg_interval); - im->firsttime = htonl((u_int32)(current_time - md->lasttime)); - im->lastdrop = 
htonl((u_int32)md->drop_count); - im->count = htonl((u_int32)md->count); - if (md->rmtadr.ss_family == AF_INET6) { - if (!client_v6_capable) - continue; - im->addr6 = GET_INADDR6(md->rmtadr); - im->v6_flag = 1; - im->daddr6 = GET_INADDR6(md->interface->sin); - } else { - im->addr = GET_INADDR(md->rmtadr); - if (client_v6_capable) - im->v6_flag = 0; - im->daddr = (md->cast_flags == MDF_BCAST) - ? GET_INADDR(md->interface->bcast) - : (md->cast_flags - ? (GET_INADDR(md->interface->sin) - ? GET_INADDR(md->interface->sin) - : GET_INADDR(md->interface->bcast)) - : 4); - } - im->flags = htonl(md->cast_flags); - im->port = md->rmtport; - im->mode = md->mode; - im->version = md->version; - im = (struct info_monitor_1 *)more_pkt(); - } - flush_pkt(); + req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); } /* @@ -2053,8 +1972,10 @@ reset_peer( struct req_pkt *inpkt ) { - register struct conf_unpeer *cp; + struct conf_unpeer cp; register int items; + size_t item_sz; + char * datap; register struct peer *peer; struct sockaddr_storage peeraddr; int bad; @@ -2065,16 +1986,23 @@ reset_peer( */ items = INFO_NITEMS(inpkt->err_nitems); - cp = (struct conf_unpeer *)inpkt->data; + item_sz = INFO_ITEMSIZE(inpkt->mbz_itemsize); + datap = inpkt->data; + if (item_sz > sizeof(cp)) { + req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + return; + } bad = 0; while (items-- > 0 && !bad) { + memset(&cp,0,sizeof(cp)); + memcpy(&cp, datap, item_sz); memset((char *)&peeraddr, 0, sizeof(peeraddr)); - if (client_v6_capable && cp->v6_flag != 0) { - GET_INADDR6(peeraddr) = cp->peeraddr6; + if (client_v6_capable && cp.v6_flag != 0) { + GET_INADDR6(peeraddr) = cp.peeraddr6; peeraddr.ss_family = AF_INET6; } else { - GET_INADDR(peeraddr) = cp->peeraddr; + GET_INADDR(peeraddr) = cp.peeraddr; peeraddr.ss_family = AF_INET; } NSRCPORT(&peeraddr) = htons(NTP_PORT); 
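Review bot: The header comment kept above mon_getlist still reads `mon_getlist - return monitor data`, but the function now answers every REQ_MON_GETLIST and REQ_MON_GETLIST_1 with INFO_ERR_NODATA, and the ntp_codes table in the first hunk still lists both as NOAUTH. Update the comment to say what the stub does and why, e.g. `mon_getlist - monitor list requests are no longer served; always answer INFO_ERR_NODATA so the large monlist reply cannot be reflected`. That keeps a future reader from reinstating the old reply under the same name.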
@@ -2084,8 +2012,7 @@ reset_peer( peer = findexistingpeer(&peeraddr, (struct peer *)0, -1); if (peer == (struct peer *)0) bad++; - cp = (struct conf_unpeer *)((char *)cp + - INFO_ITEMSIZE(inpkt->mbz_itemsize)); + datap += item_sz; } if (bad) { @@ -2097,15 +2024,16 @@ reset_peer( * Now do it in earnest. */ - items = INFO_NITEMS(inpkt->err_nitems); - cp = (struct conf_unpeer *)inpkt->data; + datap = inpkt->data; while (items-- > 0) { + memset(&cp,0,sizeof(cp)); + memcpy(&cp, datap, item_sz); memset((char *)&peeraddr, 0, sizeof(peeraddr)); - if (client_v6_capable && cp->v6_flag != 0) { - GET_INADDR6(peeraddr) = cp->peeraddr6; + if (client_v6_capable && cp.v6_flag != 0) { + GET_INADDR6(peeraddr) = cp.peeraddr6; peeraddr.ss_family = AF_INET6; } else { - GET_INADDR(peeraddr) = cp->peeraddr; + GET_INADDR(peeraddr) = cp.peeraddr; peeraddr.ss_family = AF_INET; } #ifdef HAVE_SA_LEN_IN_STRUCT_SOCKADDR @@ -2116,8 +2044,7 @@ reset_peer( peer_reset(peer); peer = findexistingpeer(&peeraddr, (struct peer *)peer, -1); } - cp = (struct conf_unpeer *)((char *)cp + - INFO_ITEMSIZE(inpkt->mbz_itemsize)); + datap += item_sz; } req_ack(srcadr, inter, inpkt, INFO_OKAY); @@ -2836,7 +2763,7 @@ fill_info_if_stats(void *data, interface memcpy((char *)&ifs->unmask.addr, (char *)&CAST_V4(interface->mask)->sin_addr, sizeof(struct in_addr)); } ifs->v6_flag = htonl(ifs->v6_flag); - strcpy(ifs->name, interface->name); + strlcpy(ifs->name, interface->name, sizeof(ifs->name)); ifs->family = htons(interface->family); ifs->flags = htonl(interface->flags); ifs->last_ttl = htonl(interface->last_ttl); Index: src/etc/ntp.conf diff -u src/etc/ntp.conf:1.9 src/etc/ntp.conf:1.9.36.1 --- src/etc/ntp.conf:1.9 Sat Feb 10 19:36:56 2007 +++ src/etc/ntp.conf Mon Jan 6 19:24:42 2014 @@ -1,4 +1,4 @@ -# $NetBSD: ntp.conf,v 1.9 2007/02/10 19:36:56 reed Exp $ +# $NetBSD: ntp.conf,v 1.9.36.1 2014/01/06 19:24:42 bouyer Exp $ # # NetBSD default Network Time Protocol (NTP) configuration file for ntpd 
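Review bot: reset_peer no longer reloads `items` before its second loop (the `items = INFO_NITEMS(inpkt->err_nitems);` line is removed in hunk @@ -2097 and only `datap` is reset), yet the validation loop above has already counted `items` down to -1, so `while (items-- > 0)` never executes and no peer is ever reset. The lines between the two hunks hold only the error return and the comment opener, so there is no room for a reset there. Restore `items = INFO_NITEMS(inpkt->err_nitems);` next to `datap = inpkt->data;`, matching do_unconf and do_restrict in this same commit.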
@@ -23,61 +23,96 @@ driftfile /var/db/ntp.drift logconfig -syncstatus -# This will help minimize disruptions due to network congestion. Don't +# Refuse to set the local clock if there are too few good peers or servers. +# This may help minimize disruptions due to network congestion. Don't # do this if you configure only one server! tos minsane 2 +# Access control restrictions. +# See /usr/share/doc/html/ntp/accopt.html for syntax. +# See <http://support.ntp.org/bin/view/Support/AccessRestrictions> for advice. +# Last match wins. +# +# Some of the more common keywords are: +# ignore Deny packets of all kinds. +# kod Send "kiss-o'-death" packets if clients exceed rate +# limits. +# nomodify Deny attempts to modify the state of the server via +# ntpq or ntpdc queries. +# noquery Deny all ntpq and ntpdc queries. Does not affect time +# synchronisation. +# nopeer Prevent establishing an new peer association. +# Does not affect preconfigured peer associations. +# Does not affect client/server time synchronisation. +# noserve Deny all time synchronisation. Does not affect ntpq or +# ntpdc queries. +# notrap Deny the trap subset of the ntpdc control message protocol. +# notrust Deny packets that are not cryptographically authenticated. +# +# By default, either deny everything, or allow client/server time exchange +# but deny configuration changes, queries, and peer associations that were not +# explicitly configured. +# (Uncomment one of the following "restrict default" lines.) +# +#restrict default ignore +restrict default kod nopeer noquery + +# Fewer restrictions for the local subnet. +# (Uncomment and adjust as appropriate.) +# +#restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer +#restrict 2001:db8:: mask ffff:ffff:: kod nomodify notrap nopeer + +# No restrictions for localhost. +# +restrict 127.0.0.1 +restrict ::1 + # Hereafter should be "server" or "peer" statements to configure other -# hosts to exchange NTP packets with. 
Peers should be selected in such -# a way that the network path to them is symmetric (that is, the series -# of links and routers used to get to the peer is the same one that the -# peer uses to get back. NTP assumes such symmetry in its network delay -# calculation. NTP will apply an incorrect adjustment to timestamps -# received from the peer if the path is not symmetric. This can result -# in clock skew (your system clock being maintained consistently wrong -# by a certain amount). -# -# The best way to select symmetric peers is to make sure that the -# network path to them is as short as possible (this reduces the chance -# that there is more than one network path between you and your peer). -# You can measure these distances with the traceroute(8) program. The -# best place to start looking for NTP peers for your system is within -# your own network, or at your Internet Service Provider (ISP). +# hosts to exchange NTP packets with. +# +# See <http://support.ntp.org/bin/view/Support/DesigningYourNTPNetwork> +# and <http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers> +# for advice. +# +# Peers should be selected in such a way that the network path to them +# is short, uncongested, and symmetric (that is, the series of links +# and routers used to get to the peer is the same one that the peer +# uses to get back). The best place to start looking for NTP peers for +# your system is within your own network, or at your Internet Service +# Provider (ISP). # # Ideally, you should select at least three other systems to talk NTP # with, for an "what I tell you three times is true" effect. # +# A "restrict" line for each configured peer or server might be necessary, +# if the "restrict default" settings are very restrictive. As a courtesy +# to configured peers and servers, consider allowing them to query. 
#peer an.ntp.peer.goes.here #server an.ntp.server.goes.here +#restrict an.ntp.server.goes.here nomodify notrap -# Public servers from the pool.ntp.org project. Volunteer's servers -# are dynamically assigned to the CNAMES below via DNS round-robin. +# The pool.ntp.org project coordinates public time servers provided by +# volunteers. See <http://www.pool.ntp.org>. The *.netbsd.pool.ntp.org +# servers are intended to be used by default on NetBSD hosts, but +# servers that are closer to you are likely to be better. Consider +# using servers specific to your country, a nearby country, or your +# continent. +# # The pool.ntp.org project needs more volunteers! The only criteria to # join are a nailed-up connection and a static IP address. For details, # see the web page: # -# http://www.pool.ntp.org/ +# http://www.pool.ntp.org/join.html # -# The country codes can help you find servers that are net-wise close. -# As explained above, closer is better... - -# Northern U.S.A -#server ca.pool.ntp.org -#server us.pool.ntp.org -#server us.pool.ntp.org - -# Northern Europe -#server de.pool.ntp.org -#server de.pool.ntp.org -#server dk.pool.ntp.org - -# Depending on the vagaries of DNS can occasionally pull in the same -# server twice. The following CNAMES are guaranteed to be disjoint, at -# least over some short interval. - -server 0.pool.ntp.org -server 1.pool.ntp.org -server 2.pool.ntp.org +server 0.netbsd.pool.ntp.org +restrict 0.netbsd.pool.ntp.org nomodify notrap +server 1.netbsd.pool.ntp.org +restrict 1.netbsd.pool.ntp.org nomodify notrap +server 2.netbsd.pool.ntp.org +restrict 2.netbsd.pool.ntp.org nomodify notrap +server 3.netbsd.pool.ntp.org +restrict 3.netbsd.pool.ntp.org nomodify notrap
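Review bot: The new default line `restrict default kod nopeer noquery` enables `kod`, which by this file's own comment only fires when clients exceed rate limits, but no `limited` flag and no `discard` line appear anywhere in the file, so the keyword is most likely inert as written. Either add `limited` alongside `kod` (and a `discard` line if the built-in limits are not wanted) or drop `kod` and the comment describing it; the same applies to the commented-out local-subnet examples. Consider also listing `nomodify` on the default line so the intent survives if someone later removes `noquery` to allow monitoring.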