svn commit: r259973 - head/etc
Xin LI
delphij at FreeBSD.org
Fri Dec 27 23:06:16 UTC 2013
Author: delphij
Date: Fri Dec 27 23:06:15 2013
New Revision: 259973
URL: http://svnweb.freebsd.org/changeset/base/259973
Log:
Tighten default restrictions for ntpd(8) server and provide a link
to NTP access restriction documentation.
The new default restrictions would allow only time queries from a
remote system and will KoD all other requests, but still allow
localhost to do make all requests.
These restrictions are also recommended for all Internet-facing
public NTP servers.
This changeset is intended for an instant MFC to stable/10 and
releng/10.0.
Modified:
head/etc/ntp.conf
Modified: head/etc/ntp.conf
==============================================================================
--- head/etc/ntp.conf Fri Dec 27 23:00:56 2013 (r259972)
+++ head/etc/ntp.conf Fri Dec 27 23:06:15 2013 (r259973)
@@ -17,7 +17,7 @@
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
#
-# The option `iburst' is used for faster initial synchronisation.
+# The option `iburst' is used for faster initial synchronization.
#
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
@@ -35,21 +35,37 @@ server 2.freebsd.pool.ntp.org iburst
# server 2.CC.pool.ntp.org iburst
#
-# Security: Only accept NTP traffic from the following hosts.
-# The following configuration example only accepts traffic from the
-# above defined servers.
+# Security:
+#
+# By default, only allow time queries and block all other requests
+# from unauthenticated clients.
+#
+# See http://support.ntp.org/bin/view/Support/AccessRestrictions
+# for more information.
+#
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+#
+# Alternatively, the following rules would block all unauthorized access.
+#
+#restrict default ignore
+#restrict -6 default ignore
+#
+# In this case, all remote NTP time servers also need to be explicitly
+# allowed or they would not be able to exchange time information with
+# this server.
#
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
-# (This is the reason that by default they are commented out)
#
-#restrict default ignore
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
-#restrict 127.0.0.1
-#restrict -6 ::1
-#restrict 127.127.1.0
+#
+# The following settings allow unrestricted access from the localhost
+restrict 127.0.0.1
+restrict -6 ::1
+restrict 127.127.1.0
#
# If a server loses sync with all upstream servers, NTP clients
More information about the svn-src-all
mailing list