Tighten default restrictions for ntpd(8) server and provide a link
to NTP access restriction documentation.

The new default restrictions would allow only time queries from a
remote system and will KoD all other requests, but still allow
localhost to make all requests.

These restrictions are also recommended for all Internet-facing
public NTP servers.

This changeset is intended for an instant MFC to stable/10 and
releng/10.0.
Xin LI 2013-12-27 23:06:15 +00:00
parent fafe884473
commit b2c730e011


@ -17,7 +17,7 @@
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
#
# The option `iburst' is used for faster initial synchronisation.
# The option `iburst' is used for faster initial synchronization.
#
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
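Review bot: The `synchronisation` to `synchronization` spelling change in this hunk is unrelated to the access-restriction tightening and is not mentioned in the commit message, which says the changeset is intended for an instant MFC to stable/10 and releng/10.0. Either call the comment cleanup out in the commit message or split it into a separate commit so the security change merged to the release branch stays minimal.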
@ -35,21 +35,37 @@ server 2.freebsd.pool.ntp.org iburst
# server 2.CC.pool.ntp.org iburst
#
# Security: Only accept NTP traffic from the following hosts.
# The following configuration example only accepts traffic from the
# above defined servers.
# Security:
#
# By default, only allow time queries and block all other requests
# from unauthenticated clients.
#
# See http://support.ntp.org/bin/view/Support/AccessRestrictions
# for more information.
#
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
#
# Alternatively, the following rules would block all unauthorized access.
#
#restrict default ignore
#restrict -6 default ignore
#
# In this case, all remote NTP time servers also need to be explicitly
# allowed or they would not be able to exchange time information with
# this server.
#
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
# (This is the reason that by default they are commented out)
#
#restrict default ignore
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#restrict 127.0.0.1
#restrict -6 ::1
#restrict 127.127.1.0
#
# The following settings allow unrestricted access from the localhost
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
#
# If a server loses sync with all upstream servers, NTP clients
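Review bot: The new `restrict default kod nomodify notrap nopeer noquery` lines do not include the `limited` flag, yet the commit message says the defaults "will KoD all other requests"; ntpd only emits a kiss-o'-death in response to packets it discards under `limited` rate limiting, so with this line a remote `noquery`/`nomodify` violation is silently dropped rather than answered with a KoD. Either add `limited` (with a matching `discard` line, as in the linked Access Restrictions page) if KoD behaviour is intended, or correct the commit message and the comment at "block all other requests" to say the requests are dropped. Two smaller problems in the commented-out alternative: `#restrict default ignore` appears twice (once right after the "Alternatively" comment and again at the start of the pool example), and the pool example restricts `0.pool.ntp.org`, `1.pool.ntp.org` and `2.pool.ntp.org` while the `server` lines above use `0.freebsd.pool.ntp.org` and friends, so a user who uncomments it as written would have no rule matching their configured servers even before the multiple-A-record caveat applies.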