dc8c5823d3
to NTP access restriction documentation. The new default restrictions would allow only time queries from a remote system and will KoD all other requests, but still allow localhost to do make all requests. These restrictions are also recommended for all Internet-facing public NTP servers. This changeset is intended for an instant MFC to stable/10 and releng/10.0.
80 lines
2.6 KiB
Plaintext
80 lines
2.6 KiB
Plaintext
#
|
|
# $FreeBSD$
|
|
#
|
|
# Default NTP servers for the FreeBSD operating system.
|
|
#
|
|
# Don't forget to enable ntpd in /etc/rc.conf with:
|
|
# ntpd_enable="YES"
|
|
#
|
|
# The driftfile is by default /var/db/ntpd.drift, check
|
|
# /etc/defaults/rc.conf on how to change the location.
|
|
#
|
|
|
|
#
|
|
# The following three servers will give you a random set of three
|
|
# NTP servers geographically close to you.
|
|
# See http://www.pool.ntp.org/ for details. Note, the pool encourages
|
|
# users with a static IP and good upstream NTP servers to add a server
|
|
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
|
|
#
|
|
# The option `iburst' is used for faster initial synchronization.
|
|
#
|
|
server 0.freebsd.pool.ntp.org iburst
|
|
server 1.freebsd.pool.ntp.org iburst
|
|
server 2.freebsd.pool.ntp.org iburst
|
|
#server 3.freebsd.pool.ntp.org iburst
|
|
|
|
#
|
|
# If you want to pick yourself which country's public NTP server
|
|
# you want sync against, comment out the above servers, uncomment
|
|
# the next ones and replace CC with the country's abbreviation.
|
|
# Make sure that the hostnames resolve to a proper IP address!
|
|
#
|
|
# server 0.CC.pool.ntp.org iburst
|
|
# server 1.CC.pool.ntp.org iburst
|
|
# server 2.CC.pool.ntp.org iburst
|
|
|
|
#
|
|
# Security:
|
|
#
|
|
# By default, only allow time queries and block all other requests
|
|
# from unauthenticated clients.
|
|
#
|
|
# See http://support.ntp.org/bin/view/Support/AccessRestrictions
|
|
# for more information.
|
|
#
|
|
restrict default kod nomodify notrap nopeer noquery
|
|
restrict -6 default kod nomodify notrap nopeer noquery
|
|
#
|
|
# Alternatively, the following rules would block all unauthorized access.
|
|
#
|
|
#restrict default ignore
|
|
#restrict -6 default ignore
|
|
#
|
|
# In this case, all remote NTP time servers also need to be explicitly
|
|
# allowed or they would not be able to exchange time information with
|
|
# this server.
|
|
#
|
|
# Please note that this example doesn't work for the servers in
|
|
# the pool.ntp.org domain since they return multiple A records.
|
|
#
|
|
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
|
|
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
|
|
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
|
|
#
|
|
# The following settings allow unrestricted access from the localhost
|
|
restrict 127.0.0.1
|
|
restrict -6 ::1
|
|
restrict 127.127.1.0
|
|
|
|
#
|
|
# If a server loses sync with all upstream servers, NTP clients
|
|
# no longer follow that server. The local clock can be configured
|
|
# to provide a time source when this happens, but it should usually
|
|
# be configured on just one server on a network. For more details see
|
|
# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
|
|
# The use of Orphan Mode may be preferable.
|
|
#
|
|
#server 127.127.1.0
|
|
#fudge 127.127.1.0 stratum 10
|