svn commit: r259973 - head/etc

Xin Li delphij at delphij.net
Sat Dec 28 01:27:10 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 12/27/13 15:16, Ian Lepore wrote:
> On Fri, 2013-12-27 at 23:06 +0000, Xin LI wrote:
>> Author: delphij
>> Date: Fri Dec 27 23:06:15 2013
>> New Revision: 259973
>> URL: http://svnweb.freebsd.org/changeset/base/259973
>> 
>> Log: Tighten default restrictions for ntpd(8) server and provide
>> a link to NTP access restriction documentation.
>> 
>> The new default restrictions would allow only time queries from
>> a remote system and will KoD all other requests, but still allow
>> localhost to make all requests.
>> 
>> These restrictions are also recommended for all Internet-facing 
>> public NTP servers.
>> 
>> This changeset is intended for an instant MFC to stable/10 and 
>> releng/10.0.
>> 
>> Modified: head/etc/ntp.conf
>> 
>> Modified: head/etc/ntp.conf 
>> ==============================================================================
>>
>> 
- --- head/etc/ntp.conf	Fri Dec 27 23:00:56 2013	(r259972)
>> +++ head/etc/ntp.conf	Fri Dec 27 23:06:15 2013	(r259973) @@ -17,7
>> +17,7 @@ # users with a static IP and good upstream NTP servers
>> to add a server # to the pool. See
>> http://www.pool.ntp.org/join.html if you are interested. # -# The
>> option `iburst' is used for faster initial synchronisation. +#
>> The option `iburst' is used for faster initial synchronization. 
>> # server 0.freebsd.pool.ntp.org iburst server
>> 1.freebsd.pool.ntp.org iburst @@ -35,21 +35,37 @@ server
>> 2.freebsd.pool.ntp.org iburst # server 2.CC.pool.ntp.org iburst
>> 
>> # -# Security: Only accept NTP traffic from the following hosts. 
>> -# The following configuration example only accepts traffic from
>> the -# above defined servers. +# Security: +# +# By default, only
>> allow time queries and block all other requests +# from
>> unauthenticated clients. +# +# See
>> http://support.ntp.org/bin/view/Support/AccessRestrictions +# for
>> more information. +# +restrict default kod nomodify notrap nopeer
>> noquery +restrict -6 default kod nomodify notrap nopeer noquery 
>> +# +# Alternatively, the following rules would block all
>> unauthorized access. +# +#restrict default ignore +#restrict -6
>> default ignore +# +# In this case, all remote NTP time servers
>> also need to be explicitly +# allowed or they would not be able
>> to exchange time information with +# this server. #
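Review bot: the sentence "In this case, all remote NTP time servers also need to be explicitly allowed ..." is placed so that "In this case" can be read as covering the active `restrict default kod nomodify notrap nopeer noquery` line as well as the commented-out `restrict default ignore` alternative it is meant for; under the active default a server configured in ntp.conf is not affected, since `nopeer` only rejects packets that would mobilize a new association (as the quoted docs say) and `noquery` only refuses ntpq/ntpdc control queries. Suggest rewording to "With `restrict default ignore`, every configured server also needs its own `restrict <address> nomodify nopeer noquery notrap` line, or its replies are dropped" and placing it directly beneath `#restrict -6 default ignore`. Separately, the log says localhost keeps full access, but nothing in the visible hunk grants that: please confirm `restrict 127.0.0.1` and `restrict -6 ::1` entries exist further down, because the new default otherwise applies to loopback too.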
> 
> This comment is incorrect.  To quote the ntpd docs for nopeer:
> 
> Deny packets that might mobilize an association unless 
> authenticated. This includes broadcast, symmetric-active and 
> manycast server packets when a configured association does not 
> exist.
> 
> In other words, peer relationships which are explicitly configured
> in the ntp.conf file(s) are not affected, the nopeer option only
> prevents *packets* that would create a new peer association.
> 
>> # Please note that this example doesn't work for the servers in #
>> the pool.ntp.org domain since they return multiple A records. -#
>> (This is the reason that by default they are commented out) # 
>> -#restrict default ignore #restrict 0.pool.ntp.org nomodify
>> nopeer noquery notrap #restrict 1.pool.ntp.org nomodify nopeer
>> noquery notrap #restrict 2.pool.ntp.org nomodify nopeer noquery
>> notrap
> 
> The foregoing implies that these lines aren't needed.

I'm not sure if I get what you said.  Did you mean these restrict
lines are not needed when "restrict default ignore" is present?  (My
test suggests they are needed; this is also what the NTP documentation
said: a 'server' line needs a 'restrict' line when the default is set
to 'ignore'.)  Could you please use a patch to demonstrate how we can
improve the comment?

Cheers,
-- 
Xin LI <delphij at delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
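The two defaults under discussion behave differently for a configured upstream server, and that difference is easy to check offline. The following script is an added example, not code from this thread or from FreeBSD: it models ntpd's restrict matching (the single most specific matching entry applies, an unmatched address is unrestricted) and evaluates constructed copies of both variants from the hunk. Assumptions: a bare `default` is treated as the IPv4 default, mirroring the conf's separate `-6 default` line; hostnames in restrict lines are skipped because they cannot be resolved offline; `192.0.2.10` and `203.0.113.7` are RFC 5737 documentation addresses standing in for an upstream server and an arbitrary remote client.

```python
"""Simplified model of ntpd(8) 'restrict' matching, used to show why
'restrict default ignore' needs a per-server 'restrict' line while the
'kod nomodify notrap nopeer noquery' default does not.  Added example,
not code from the thread or from FreeBSD; the sample configs below are
constructed and use RFC 5737 / RFC 3849 documentation addresses."""
import ipaddress

# Constructed: the default that r259973 installs, plus loopback exemptions.
DEFAULT_KOD_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

# Constructed: the commented-out alternative from the same hunk, with one
# explicitly allowed upstream server (192.0.2.10 stands in for a real one).
DEFAULT_IGNORE_CONF = """\
server 192.0.2.10 iburst
restrict default ignore
restrict -6 default ignore
restrict 192.0.2.10 nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
"""


def parse_restrict(conf_text):
    """Return [(network, flags)] for every 'restrict' line.

    Assumption (matches the conf's convention of a separate '-6 default'):
    a bare 'default' is the IPv4 default.  Hostnames cannot be resolved
    offline, so those entries are skipped; the thread itself notes that
    pool names are unsuitable in restrict lines anyway.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = 4
        if tokens[0] in ("-4", "-6"):
            family = int(tokens[0][1])
            tokens = tokens[1:]
        if not tokens:
            continue
        addr, tokens = tokens[0], tokens[1:]
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask, tokens = tokens[1], tokens[2:]
        try:
            if addr == "default":
                net = ipaddress.ip_network("0.0.0.0/0" if family == 4 else "::/0")
            else:
                net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr,
                                           strict=False)
        except ValueError:
            continue  # hostname or malformed address: skipped in this offline model
        entries.append((net, frozenset(tokens)))
    return entries


def effective_flags(entries, source_ip):
    """ntpd applies the single most specific matching entry (longest prefix),
    not the union of all matches; an address with no match is unrestricted."""
    ip = ipaddress.ip_address(source_ip)
    best_net, best_flags = None, frozenset()
    for net, flags in entries:
        if net.version == ip.version and ip in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_flags = net, flags
    return best_flags


def time_exchange_allowed(entries, source_ip):
    """Client/server time packets only require the source not to be 'ignore'd;
    'nopeer' does not block replies from a server configured in ntp.conf."""
    return "ignore" not in effective_flags(entries, source_ip)


def control_query_allowed(entries, source_ip):
    """ntpq/ntpdc (mode 6/7) queries are refused by either 'ignore' or
    'noquery'; 'kod' only changes how a refusal is answered."""
    return not ({"ignore", "noquery"} & effective_flags(entries, source_ip))


def audit(conf_text, source_ip):
    """Summarise what a given source address may do against this config."""
    entries = parse_restrict(conf_text)
    return {
        "flags": sorted(effective_flags(entries, source_ip)),
        "time": time_exchange_allowed(entries, source_ip),
        "control": control_query_allowed(entries, source_ip),
    }


if __name__ == "__main__":
    for name, conf in (("kod default", DEFAULT_KOD_CONF),
                       ("ignore default", DEFAULT_IGNORE_CONF)):
        for ip in ("203.0.113.7", "192.0.2.10", "127.0.0.1", "2001:db8::1"):
            print(name, ip, audit(conf, ip))
```

Running it shows the point of the thread: under the `kod ... noquery` default the upstream server exchanges time without any extra line, while any remote address is refused control queries (the mode 7 requests that NTP amplification abuses); under `default ignore`, only the address with its own `restrict` entry gets time replies at all, and loopback stays fully open in both variants only because of the explicit `restrict 127.0.0.1` and `restrict -6 ::1` lines.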

