svn commit: r259974 - in stable: 10/etc 8/etc 9/etc

Xin LI delphij at FreeBSD.org
Fri Dec 27 23:09:41 UTC 2013 

Author: delphij
Date: Fri Dec 27 23:09:40 2013
New Revision: 259974
URL: http://svnweb.freebsd.org/changeset/base/259974

Log:
  MFC r259973:
  
  Tighten default restrictions for ntpd(8) server and provide a link
  to NTP access restriction documentation.

Modified:
  stable/10/etc/ntp.conf
Directory Properties:
  stable/10/   (props changed)

Changes in other areas also in this revision:
Modified:
  stable/8/etc/ntp.conf
  stable/9/etc/ntp.conf
Directory Properties:
  stable/8/etc/   (props changed)
  stable/9/etc/   (props changed)

Modified: stable/10/etc/ntp.conf
==============================================================================
--- stable/10/etc/ntp.conf	Fri Dec 27 23:06:15 2013	(r259973)
+++ stable/10/etc/ntp.conf	Fri Dec 27 23:09:40 2013	(r259974)
@@ -17,7 +17,7 @@
 # users with a static IP and good upstream NTP servers to add a server
 # to the pool. See http://www.pool.ntp.org/join.html if you are interested.
 #
-# The option `iburst' is used for faster initial synchronisation.
+# The option `iburst' is used for faster initial synchronization.
 #
 server 0.freebsd.pool.ntp.org iburst
 server 1.freebsd.pool.ntp.org iburst
@@ -35,21 +35,37 @@ server 2.freebsd.pool.ntp.org iburst
 # server 2.CC.pool.ntp.org iburst
 
 #
-# Security: Only accept NTP traffic from the following hosts.
-# The following configuration example only accepts traffic from the
-# above defined servers.
+# Security:
+#
+# By default, only allow time queries and block all other requests
+# from unauthenticated clients.
+#
+# See http://support.ntp.org/bin/view/Support/AccessRestrictions
+# for more information.
+#
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+#
+# Alternatively, the following rules would block all unauthorized access.
+#
+#restrict default ignore
+#restrict -6 default ignore
+#
+# In this case, all remote NTP time servers also need to be explicitly
+# allowed or they would not be able to exchange time information with
+# this server.
 #
 # Please note that this example doesn't work for the servers in
 # the pool.ntp.org domain since they return multiple A records.
-# (This is the reason that by default they are commented out)
 #
-#restrict default ignore
 #restrict 0.pool.ntp.org nomodify nopeer noquery notrap
 #restrict 1.pool.ntp.org nomodify nopeer noquery notrap
 #restrict 2.pool.ntp.org nomodify nopeer noquery notrap
-#restrict 127.0.0.1
-#restrict -6 ::1
-#restrict 127.127.1.0
+#
+# The following settings allow unrestricted access from the localhost
+restrict 127.0.0.1
+restrict -6 ::1
+restrict 127.127.1.0
 
 #
 # If a server loses sync with all upstream servers, NTP clients

More information about the svn-src-stable-10 mailing list