Add several "restrict" lines to the default ntp.conf, with comments. trunk
authorapb <apb@NetBSD.org>
Mon, 06 Jan 2014 11:21:34 +0000
branchtrunk
changeset 223627 4af71b9bb8a3
parent 223626 aa2031fb499f
child 223628 0576b062a67c
Add several "restrict" lines to the default ntp.conf, with comments.
etc/ntp.conf
--- a/etc/ntp.conf	Mon Jan 06 11:03:25 2014 +0000
+++ b/etc/ntp.conf	Mon Jan 06 11:21:34 2014 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: ntp.conf,v 1.15 2013/12/28 03:18:39 christos Exp $
+# $NetBSD: ntp.conf,v 1.16 2014/01/06 11:21:34 apb Exp $
 #
 # NetBSD default Network Time Protocol (NTP) configuration file for ntpd
 
@@ -36,6 +36,46 @@
 # the following line
 # enable mode7
 
+# Access control restrictions.
+# See /usr/share/doc/html/ntp/accopt.html for syntax.
+# See <http://support.ntp.org/bin/view/Support/AccessRestrictions> for advice.
+# Last match wins.
+#
+# Some of the more common keywords are:
+#   ignore      Deny packets of all kinds.
+#   kod         Send "kiss-o'-death" packets if clients exceed rate
+#               limits.
+#   nomodify    Deny attempts to modify the state of the server via
+#               ntpq or ntpdc queries.
+#   noquery     Deny all ntpq and ntpdc queries.  Does not affect time
+#               synchronisation.
+#   nopeer      Prevent establishing an new peer association.
+#               Does not affect preconfigured peer associations.
+#               Does not affect client/server time synchronisation.
+#   noserve     Deny all time synchronisation.  Does not affect ntpq or
+#               ntpdc queries.
+#   notrap      Deny the trap subset of the ntpdc control message protocol.
+#   notrust     Deny packets that are not cryptographically authenticated.
+#
+# By default, either deny everything, or allow client/server time exchange
+# but deny configuration changes, queries, and peer associations that were not
+# explicitly configured.
+# (Uncomment one of the following "restrict default" lines.)
+#
+#restrict default ignore
+restrict default kod nopeer noquery
+
+# Fewer restrictions for the local subnet.
+# (Uncomment and adjust as appropriate.)
+#
+#restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer
+#restrict 2001:db8:: mask ffff:ffff::  kod nomodify notrap nopeer
+
+# No restrictions for localhost.
+#
+restrict 127.0.0.1
+restrict ::1
+
 # Hereafter should be "server" or "peer" statements to configure other
 # hosts to exchange NTP packets with. Peers should be selected in such
 # a way that the network path to them is symmetric (that is, the series
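Review bot: `restrict default kod nopeer noquery` (and the `kod` entry in the keyword table above it) presents `kod` as rate limiting, but as far as I know ntpd only sends kiss-o'-death packets in response to a rate-limit violation, which is detected only when `limited` is also set; without `limited` the shipped default enforces no rate limit and the `kod` flag is inert. Consider `restrict default kod limited nopeer noquery` and a matching table entry, e.g. `#   limited     Deny service if the packet rate exceeds the "discard" limits; required for kod to take effect.` I would also verify `# Last match wins.` against accopt.html: my recollection is that ntpd applies the most specific (longest mask) matching entry rather than the textually last one, so a later but less specific line does not override an earlier more specific one. Minor: `an new peer association` should read `a new peer association`.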
@@ -56,9 +96,13 @@
 # Ideally, you should select at least three other systems to talk NTP
 # with, for an "what I tell you three times is true" effect.
 #
+# A "restrict" line for each configured peer or server might be necessary,
+# if the "restrict default" settings are very restrictive.  As a courtesy
+# to configured peers and servers, consider allowing them to query.
 
 #peer		an.ntp.peer.goes.here
 #server		an.ntp.server.goes.here
+#restrict	an.ntp.server.goes.here nomodify notrap
 
 # Public servers from the pool.ntp.org project. Volunteer's servers
 # are dynamically assigned to the CNAMES below via DNS round-robin.
@@ -75,6 +119,10 @@
 # to the NetBSD project.
 
 server		0.netbsd.pool.ntp.org
+restrict	0.netbsd.pool.ntp.org nomodify notrap
 server		1.netbsd.pool.ntp.org
+restrict	1.netbsd.pool.ntp.org nomodify notrap
 server		2.netbsd.pool.ntp.org
+restrict	2.netbsd.pool.ntp.org nomodify notrap
 server		3.netbsd.pool.ntp.org
+restrict	3.netbsd.pool.ntp.org nomodify notrap
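Review bot: The four `restrict N.netbsd.pool.ntp.org nomodify notrap` lines may not cover the address actually being used: the context above states these names are assigned by DNS round-robin, and as far as I can tell ntpd resolves the `server` line and the `restrict` line with independent lookups at startup, so the two can return different addresses and the per-server entry then relaxes restrictions for an unrelated pool member. Because the default `kod nopeer noquery` already permits client/server time exchange, these lines are not needed for synchronisation; their only effect is to remove `noquery`, `nopeer` and `kod` for whichever address each one resolved to. Consider either dropping them in favour of `restrict default`, or recording the limitation, e.g. `# Note: a hostname in "restrict" is resolved once at startup and may not match the address the "server" line resolved to.` The commented template `#restrict	an.ntp.server.goes.here nomodify notrap` in the previous hunk follows the same pattern, though a static name is less affected.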