diff options
| author | Xin LI <delphij@FreeBSD.org> | 2013-12-27 23:06:15 +0000 |
|---|---|---|
| committer | Xin LI <delphij@FreeBSD.org> | 2013-12-27 23:06:15 +0000 |
| commit | b2c730e0117e21ba01c93c6c6c20c79e2fccfaf3 (patch) | |
| tree | 52dcb5673ab1e84480df09ce1ab9e8a5774eb37b | |
| parent | fafe8844731a7de35caca35d737cdcda57e75ee5 (diff) | |
| download | src-b2c730e0117e21ba01c93c6c6c20c79e2fccfaf3.tar.gz src-b2c730e0117e21ba01c93c6c6c20c79e2fccfaf3.zip | |
Tighten default restrictions for ntpd(8) server and provide a link
to NTP access restriction documentation.
The new default restrictions would allow only time queries from a
remote system and will KoD all other requests, but still allow
localhost to do make all requests.
These restrictions are also recommended for all Internet-facing
public NTP servers.
This changeset is intended for an instant MFC to stable/10 and
releng/10.0.
Notes
Notes:
svn path=/head/; revision=259973
| -rw-r--r-- | etc/ntp.conf | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/etc/ntp.conf b/etc/ntp.conf index 0421e4c2213a..8419adf5c215 100644 --- a/etc/ntp.conf +++ b/etc/ntp.conf @@ -17,7 +17,7 @@ # users with a static IP and good upstream NTP servers to add a server # to the pool. See http://www.pool.ntp.org/join.html if you are interested. # -# The option `iburst' is used for faster initial synchronisation. +# The option `iburst' is used for faster initial synchronization. # server 0.freebsd.pool.ntp.org iburst server 1.freebsd.pool.ntp.org iburst @@ -35,21 +35,37 @@ server 2.freebsd.pool.ntp.org iburst # server 2.CC.pool.ntp.org iburst # -# Security: Only accept NTP traffic from the following hosts. -# The following configuration example only accepts traffic from the -# above defined servers. +# Security: +# +# By default, only allow time queries and block all other requests +# from unauthenticated clients. +# +# See http://support.ntp.org/bin/view/Support/AccessRestrictions +# for more information. +# +restrict default kod nomodify notrap nopeer noquery +restrict -6 default kod nomodify notrap nopeer noquery +# +# Alternatively, the following rules would block all unauthorized access. +# +#restrict default ignore +#restrict -6 default ignore +# +# In this case, all remote NTP time servers also need to be explicitly +# allowed or they would not be able to exchange time information with +# this server. # # Please note that this example doesn't work for the servers in # the pool.ntp.org domain since they return multiple A records. -# (This is the reason that by default they are commented out) # -#restrict default ignore #restrict 0.pool.ntp.org nomodify nopeer noquery notrap #restrict 1.pool.ntp.org nomodify nopeer noquery notrap #restrict 2.pool.ntp.org nomodify nopeer noquery notrap -#restrict 127.0.0.1 -#restrict -6 ::1 -#restrict 127.127.1.0 +# +# The following settings allow unrestricted access from the localhost +restrict 127.0.0.1 +restrict -6 ::1 +restrict 127.127.1.0 # # If a server loses sync with all upstream servers, NTP clients |