svn commit: r259973 - head/etc

Xin LI delphij at FreeBSD.org
Fri Dec 27 23:06:16 UTC 2013 

Author: delphij
Date: Fri Dec 27 23:06:15 2013
New Revision: 259973
URL: http://svnweb.freebsd.org/changeset/base/259973

Log:
  Tighten default restrictions for ntpd(8) server and provide a link
  to NTP access restriction documentation.
  
  The new default restrictions would allow only time queries from a
  remote system and will KoD all other requests, but still allow
  localhost to do make all requests.
  
  These restrictions are also recommended for all Internet-facing
  public NTP servers.
  
  This changeset is intended for an instant MFC to stable/10 and
  releng/10.0.

Modified:
  head/etc/ntp.conf

Modified: head/etc/ntp.conf
==============================================================================
--- head/etc/ntp.conf	Fri Dec 27 23:00:56 2013	(r259972)
+++ head/etc/ntp.conf	Fri Dec 27 23:06:15 2013	(r259973)
@@ -17,7 +17,7 @@
 # users with a static IP and good upstream NTP servers to add a server
 # to the pool. See http://www.pool.ntp.org/join.html if you are interested.
 #
-# The option `iburst' is used for faster initial synchronisation.
+# The option `iburst' is used for faster initial synchronization.
 #
 server 0.freebsd.pool.ntp.org iburst
 server 1.freebsd.pool.ntp.org iburst
@@ -35,21 +35,37 @@ server 2.freebsd.pool.ntp.org iburst
 # server 2.CC.pool.ntp.org iburst
 
 #
-# Security: Only accept NTP traffic from the following hosts.
-# The following configuration example only accepts traffic from the
-# above defined servers.
+# Security:
+#
+# By default, only allow time queries and block all other requests
+# from unauthenticated clients.
+#
+# See http://support.ntp.org/bin/view/Support/AccessRestrictions
+# for more information.
+#
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+#
+# Alternatively, the following rules would block all unauthorized access.
+#
+#restrict default ignore
+#restrict -6 default ignore
+#
+# In this case, all remote NTP time servers also need to be explicitly
+# allowed or they would not be able to exchange time information with
+# this server.
 #
 # Please note that this example doesn't work for the servers in
 # the pool.ntp.org domain since they return multiple A records.
-# (This is the reason that by default they are commented out)
 #
-#restrict default ignore
 #restrict 0.pool.ntp.org nomodify nopeer noquery notrap
 #restrict 1.pool.ntp.org nomodify nopeer noquery notrap
 #restrict 2.pool.ntp.org nomodify nopeer noquery notrap
-#restrict 127.0.0.1
-#restrict -6 ::1
-#restrict 127.127.1.0
+#
+# The following settings allow unrestricted access from the localhost
+restrict 127.0.0.1
+restrict -6 ::1
+restrict 127.127.1.0
 
 #
 # If a server loses sync with all upstream servers, NTP clients

More information about the svn-src-all mailing list