svn commit: r259973 - head/etc

Ian Lepore ian at FreeBSD.org
Fri Dec 27 23:16:34 UTC 2013 

On Fri, 2013-12-27 at 23:06 +0000, Xin LI wrote:
> Author: delphij
> Date: Fri Dec 27 23:06:15 2013
> New Revision: 259973
> URL: http://svnweb.freebsd.org/changeset/base/259973
> 
> Log:
>   Tighten default restrictions for ntpd(8) server and provide a link
>   to NTP access restriction documentation.
>   
>   The new default restrictions would allow only time queries from a
>   remote system and will KoD all other requests, but still allow
>   localhost to do make all requests.
>   
>   These restrictions are also recommended for all Internet-facing
>   public NTP servers.
>   
>   This changeset is intended for an instant MFC to stable/10 and
>   releng/10.0.
> 
> Modified:
>   head/etc/ntp.conf
> 
> Modified: head/etc/ntp.conf
> ==============================================================================
> --- head/etc/ntp.conf	Fri Dec 27 23:00:56 2013	(r259972)
> +++ head/etc/ntp.conf	Fri Dec 27 23:06:15 2013	(r259973)
> @@ -17,7 +17,7 @@
>  # users with a static IP and good upstream NTP servers to add a server
>  # to the pool. See http://www.pool.ntp.org/join.html if you are interested.
>  #
> -# The option `iburst' is used for faster initial synchronisation.
> +# The option `iburst' is used for faster initial synchronization.
>  #
>  server 0.freebsd.pool.ntp.org iburst
>  server 1.freebsd.pool.ntp.org iburst
> @@ -35,21 +35,37 @@ server 2.freebsd.pool.ntp.org iburst
>  # server 2.CC.pool.ntp.org iburst
>  
>  #
> -# Security: Only accept NTP traffic from the following hosts.
> -# The following configuration example only accepts traffic from the
> -# above defined servers.
> +# Security:
> +#
> +# By default, only allow time queries and block all other requests
> +# from unauthenticated clients.
> +#
> +# See http://support.ntp.org/bin/view/Support/AccessRestrictions
> +# for more information.
> +#
> +restrict default kod nomodify notrap nopeer noquery
> +restrict -6 default kod nomodify notrap nopeer noquery
> +#
> +# Alternatively, the following rules would block all unauthorized access.
> +#
> +#restrict default ignore
> +#restrict -6 default ignore
> +#
> +# In this case, all remote NTP time servers also need to be explicitly
> +# allowed or they would not be able to exchange time information with
> +# this server.
>  #

This comment is incorrect.  To quote the ntpd docs for nopeer:

        Deny packets that might mobilize an association unless
        authenticated. This includes broadcast, symmetric-active and
        manycast server packets when a configured association does not
        exist.

In other words, peer relationships which are explicitly configured in
the ntp.conf file(s) are not affected, the nopeer option only prevents
*packets* that would create a new peer association.
        
>  # Please note that this example doesn't work for the servers in
>  # the pool.ntp.org domain since they return multiple A records.
> -# (This is the reason that by default they are commented out)
>  #
> -#restrict default ignore
>  #restrict 0.pool.ntp.org nomodify nopeer noquery notrap
>  #restrict 1.pool.ntp.org nomodify nopeer noquery notrap
>  #restrict 2.pool.ntp.org nomodify nopeer noquery notrap

The foregoing implies that these lines aren't needed.

> -#restrict 127.0.0.1
> -#restrict -6 ::1
> -#restrict 127.127.1.0
> +#
> +# The following settings allow unrestricted access from the localhost
> +restrict 127.0.0.1
> +restrict -6 ::1
> +restrict 127.127.1.0
>  
>  #
>  # If a server loses sync with all upstream servers, NTP clients

-- Ian

More information about the svn-src-head mailing list