freebsd-dev/contrib/ntp/html/accopt.htm

<HTML>
<HEAD>
   <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
   <META NAME="GENERATOR" CONTENT="Mozilla/4.01 [en] (Win95; I) [Netscape]">
   <TITLE>Access Control Options
</TITLE>
</HEAD>
<BODY>

<H3>
Access Control Options</H3>

<HR>
<H4>
Access Control Support</H4>
<TT>ntpd</TT> implements a general purpose address-and-mask based restriction
list. The list is sorted by address and by mask, and the list is searched
in this order for matches, with the last match found defining the restriction
flags associated with the incoming packets. The source address of incoming
packets is used for the match, with the 32-bit address being and'ed with
the mask associated with the restriction entry and then compared with the
entry's address (which has also been and'ed with the mask) to look for
a match. Additional information and examples can be found in the <A HREF="notes.htm">Notes
on Configuring NTP and Setting up a NTP Subnet </A>page.

<P>The restriction facility was implemented in conformance with the access
policies for the original NSFnet backbone time servers. While this facility
may be otherwise useful for keeping unwanted or broken remote time servers
from affecting your own, it should not be considered an alternative to
the standard NTP authentication facility. Source address based restrictions
are easily circumvented by a determined cracker.
<H4>
Access Control Commands</H4>

<DL>
<DT>
<TT>restrict <I>numeric_address</I> [mask <I>numeric_mask</I>] [<I>flag</I>]
[...]</TT></DT>

<DD>
The <I><TT>numeric_address</TT></I> argument, expressed in dotted-quad
form, is the address of an host or network. The <I><TT>mask</TT></I> argument,
also expressed in dotted-quad form, defaults to <TT>255.255.255.255</TT>,
meaning that the <I><TT>numeric_address</TT></I> is treated as the address
of an individual host. A default entry (address <TT>0.0.0.0</TT>, mask
<TT>0.0.0.0</TT>) is always included and, given the sort algorithm, is
always the first entry in the list. Note that, while <I><TT>numeric_address</TT></I>
is normally given in dotted-quad format, the text string <TT>default</TT>,
with no mask option, may be used to indicate the default entry.</DD>

<DD>
In the current implementation, <I><TT>flag</TT></I> always restricts access,
i.e., an entry with no flags indicates that free access to the server is
to be given. The flags are not orthogonal, in that more restrictive flags
will often make less restrictive ones redundant. The flags can generally
be classed into two catagories, those which restrict time service and those
which restrict informational queries and attempts to do run-time reconfiguration
of the server. One or more of the following flags may be specified:</DD>

<DD>
&nbsp;</DD>

<DL>
<DT>
<TT>ignore</TT></DT>

<DD>
Ignore all packets from hosts which match this entry. If this flag is specified
neither queries nor time server polls will be responded to.</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>noquery</TT></DT>

<DD>
Ignore all NTP mode 6 and 7 packets (i.e. information queries and configuration
requests) from the source. Time service is not affected.</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>nomodify</TT></DT>

<DD>
Ignore all NTP mode 6 and 7 packets which attempt to modify the state of
the server (i.e. run time reconfiguration). Queries which return information
are permitted.</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>notrap</TT></DT>

<DD>
Decline to provide mode 6 control message trap service to matching hosts.
The trap service is a subsystem of the mode 6 control message protocol
which is intended for use by remote event logging programs.</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>lowpriotrap</TT></DT>

<DD>
Declare traps set by matching hosts to be low priority. The number of traps
a server can maintain is limited (the current limit is 3). Traps are usually
assigned on a first come, first served basis, with later trap requestors
being denied service. This flag modifies the assignment algorithm by allowing
low priority traps to be overridden by later requests for normal priority
traps.</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>noserve</TT></DT>

<DD>
Ignore NTP packets whose mode is other than 6 or 7. In effect, time service
is denied, though queries may still be permitted.</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>nopeer</TT></DT>

<DD>
Provide stateless time service to polling hosts, but do not allocate peer
memory resources to these hosts even if they otherwise might be considered
useful as future synchronization partners.</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>notrust</TT></DT>

<DD>
Treat these hosts normally in other respects, but never use them as synchronization
sources.</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>limited</TT></DT>

<DD>
These hosts are subject to limitation of number of clients from the same
net. Net in this context refers to the IP notion of net (class A, class
B, class C, etc.). Only the first <TT>client_limit</TT> hosts that have
shown up at the server and that have been active during the last <TT>client_limit_period</TT>
seconds are accepted. Requests from other clients from the same net are
rejected. Only time request packets are taken into account. Query packets
sent by the <TT>ntpq</TT> and <TT>ntpdc</TT> programs are not subject to
these limits. A history of clients is kept using the monitoring capability
of <TT>ntpd</TT>. Thus, monitoring is always active as long as there is
a restriction entry with the <TT>limited</TT> flag.</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>ntpport</TT></DT>

<DD>
This is actually a match algorithm modifier, rather than a restriction
flag. Its presence causes the restriction entry to be matched only if the
source port in the packet is the standard NTP UDP port (123). Both <TT>ntpport</TT>
and <TT>non-ntpport</TT> may be specified. The <TT>ntpport</TT> is considered
more specific and is sorted later in the list.</DD>

<DD>
&nbsp;</DD>
</DL>

<DD>
Default restriction list entries, with the flags <TT>ignore, ntpport</TT>,
for each of the local host's interface addresses are inserted into the
table at startup to prevent the server from attempting to synchronize to
its own time. A default entry is also always present, though if it is otherwise
unconfigured; no flags are associated with the default entry (i.e., everything
besides your own NTP server is unrestricted).</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>clientlimit <I>limit</I></TT></DT>

<DD>
Set the <TT>client_limit</TT> variable, which limits the number of simultaneous
access-controlled clients. The default value for this variable is 3.</DD>

<DD>
&nbsp;</DD>

<DT>
<TT>clientperiod <I>period</I></TT></DT>

<DD>
Set the <TT>client_limit_period</TT> variable, which specifies the number
of seconds after which a client is considered inactive and thus no longer
is counted for client limit restriction. The default value for this variable
is 3600 seconds.</DD>
</DL>

<HR>
<ADDRESS>
David L. Mills (mills@udel.edu)</ADDRESS>

</BODY>
</HTML>
Virgin import of ntpd 4.0.98f 1999-12-09 13:01:21 +00:00			`<HTML>`
			`<HEAD>`
			`<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">`
			`<META NAME="GENERATOR" CONTENT="Mozilla/4.01 [en] (Win95; I) [Netscape]">`
			`<TITLE>Access Control Options`
			`</TITLE>`
			`</HEAD>`
			`<BODY>`

			`<H3>`
			`Access Control Options</H3>`

			`<HR>`
			`<H4>`
			`Access Control Support</H4>`
			`<TT>ntpd</TT> implements a general purpose address-and-mask based restriction`
			`list. The list is sorted by address and by mask, and the list is searched`
			`in this order for matches, with the last match found defining the restriction`
			`flags associated with the incoming packets. The source address of incoming`
			`packets is used for the match, with the 32-bit address being and'ed with`
			`the mask associated with the restriction entry and then compared with the`
			`entry's address (which has also been and'ed with the mask) to look for`
			`a match. Additional information and examples can be found in the <A HREF="notes.htm">Notes`
			`on Configuring NTP and Setting up a NTP Subnet </A>page.`

			`<P>The restriction facility was implemented in conformance with the access`
			`policies for the original NSFnet backbone time servers. While this facility`
			`may be otherwise useful for keeping unwanted or broken remote time servers`
			`from affecting your own, it should not be considered an alternative to`
			`the standard NTP authentication facility. Source address based restrictions`
			`are easily circumvented by a determined cracker.`
			`<H4>`
			`Access Control Commands</H4>`

			`<DL>`
			`<DT>`
			`<TT>restrict <I>numeric_address</I> [mask <I>numeric_mask</I>] [<I>flag</I>]`
			`[...]</TT></DT>`

			`<DD>`
			`The <I><TT>numeric_address</TT></I> argument, expressed in dotted-quad`
			`form, is the address of an host or network. The <I><TT>mask</TT></I> argument,`
			`also expressed in dotted-quad form, defaults to <TT>255.255.255.255</TT>,`
			`meaning that the <I><TT>numeric_address</TT></I> is treated as the address`
			`of an individual host. A default entry (address <TT>0.0.0.0</TT>, mask`
			`<TT>0.0.0.0</TT>) is always included and, given the sort algorithm, is`
			`always the first entry in the list. Note that, while <I><TT>numeric_address</TT></I>`
			`is normally given in dotted-quad format, the text string <TT>default</TT>,`
			`with no mask option, may be used to indicate the default entry.</DD>`

			`<DD>`
			`In the current implementation, <I><TT>flag</TT></I> always restricts access,`
			`i.e., an entry with no flags indicates that free access to the server is`
			`to be given. The flags are not orthogonal, in that more restrictive flags`
			`will often make less restrictive ones redundant. The flags can generally`
			`be classed into two catagories, those which restrict time service and those`
			`which restrict informational queries and attempts to do run-time reconfiguration`
			`of the server. One or more of the following flags may be specified:</DD>`

			`<DD>`
			` </DD>`

			`<DL>`
			`<DT>`
			`<TT>ignore</TT></DT>`

			`<DD>`
			`Ignore all packets from hosts which match this entry. If this flag is specified`
			`neither queries nor time server polls will be responded to.</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>noquery</TT></DT>`

			`<DD>`
			`Ignore all NTP mode 6 and 7 packets (i.e. information queries and configuration`
			`requests) from the source. Time service is not affected.</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>nomodify</TT></DT>`

			`<DD>`
			`Ignore all NTP mode 6 and 7 packets which attempt to modify the state of`
			`the server (i.e. run time reconfiguration). Queries which return information`
			`are permitted.</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>notrap</TT></DT>`

			`<DD>`
			`Decline to provide mode 6 control message trap service to matching hosts.`
			`The trap service is a subsystem of the mode 6 control message protocol`
			`which is intended for use by remote event logging programs.</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>lowpriotrap</TT></DT>`

			`<DD>`
			`Declare traps set by matching hosts to be low priority. The number of traps`
			`a server can maintain is limited (the current limit is 3). Traps are usually`
			`assigned on a first come, first served basis, with later trap requestors`
			`being denied service. This flag modifies the assignment algorithm by allowing`
			`low priority traps to be overridden by later requests for normal priority`
			`traps.</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>noserve</TT></DT>`

			`<DD>`
			`Ignore NTP packets whose mode is other than 6 or 7. In effect, time service`
			`is denied, though queries may still be permitted.</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>nopeer</TT></DT>`

			`<DD>`
			`Provide stateless time service to polling hosts, but do not allocate peer`
			`memory resources to these hosts even if they otherwise might be considered`
			`useful as future synchronization partners.</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>notrust</TT></DT>`

			`<DD>`
			`Treat these hosts normally in other respects, but never use them as synchronization`
			`sources.</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>limited</TT></DT>`

			`<DD>`
			`These hosts are subject to limitation of number of clients from the same`
			`net. Net in this context refers to the IP notion of net (class A, class`
			`B, class C, etc.). Only the first <TT>client_limit</TT> hosts that have`
			`shown up at the server and that have been active during the last <TT>client_limit_period</TT>`
			`seconds are accepted. Requests from other clients from the same net are`
			`rejected. Only time request packets are taken into account. Query packets`
			`sent by the <TT>ntpq</TT> and <TT>ntpdc</TT> programs are not subject to`
			`these limits. A history of clients is kept using the monitoring capability`
			`of <TT>ntpd</TT>. Thus, monitoring is always active as long as there is`
			`a restriction entry with the <TT>limited</TT> flag.</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>ntpport</TT></DT>`

			`<DD>`
			`This is actually a match algorithm modifier, rather than a restriction`
			`flag. Its presence causes the restriction entry to be matched only if the`
			`source port in the packet is the standard NTP UDP port (123). Both <TT>ntpport</TT>`
			`and <TT>non-ntpport</TT> may be specified. The <TT>ntpport</TT> is considered`
			`more specific and is sorted later in the list.</DD>`

			`<DD>`
			` </DD>`
			`</DL>`

			`<DD>`
			`Default restriction list entries, with the flags <TT>ignore, ntpport</TT>,`
			`for each of the local host's interface addresses are inserted into the`
			`table at startup to prevent the server from attempting to synchronize to`
			`its own time. A default entry is also always present, though if it is otherwise`
			`unconfigured; no flags are associated with the default entry (i.e., everything`
			`besides your own NTP server is unrestricted).</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>clientlimit <I>limit</I></TT></DT>`

			`<DD>`
			`Set the <TT>client_limit</TT> variable, which limits the number of simultaneous`
			`access-controlled clients. The default value for this variable is 3.</DD>`

			`<DD>`
			` </DD>`

			`<DT>`
			`<TT>clientperiod <I>period</I></TT></DT>`

			`<DD>`
			`Set the <TT>client_limit_period</TT> variable, which specifies the number`
			`of seconds after which a client is considered inactive and thus no longer`
			`is counted for client limit restriction. The default value for this variable`
			`is 3600 seconds.</DD>`
			`</DL>`

			`<HR>`
			`<ADDRESS>`
			`David L. Mills (mills@udel.edu)</ADDRESS>`

			`</BODY>`
			`</HTML>`