1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
// Access control commands. Is included twice.
[[limit]]+limit+ [+average+ _average_] [+burst+ _burst_] [+kod+ _kod_]::
Set the parameters of the _limited_ facility which protects the server
from client abuse. Internally, each link:ntpq.html#mrulist[MRU]
slot contains a _score_ in units of packets per second.
It is updated each time a packet arrives from that IP Address.
The _score_ decays exponentially at the _burst_ rate and is bumped
by 1.0/burst when a packet arrives.
+average+ 'average';;
Specify the allowed average rate for response packets
in packets per second. The default is 1.0
+burst+ 'burst';;
Specify the allowed burst size if the bursts are far enough apart
to keep the average rate below _average_. The default is 20.0
+kod+ 'kod';;
Specify the allowed average rate for KoD packets
in packets per second. The default is 0.5
[[restrict]]+restrict+ _address_[/_cidr_] [+mask+ _mask_] [+flag+ +...+]::
The _address_ argument expressed in dotted-quad (for IPv4) or
:-delimited (for IPv6) form is the address of a
host or network. Alternatively, the _address_ argument can be a valid
host DNS name. The _mask_ argument expressed in IPv4 or IPv6 numeric
address form defaults to all mask bits on, meaning that the _address_ is
treated as the address of an individual host. Instead of an explicit
_mask_, the _address/cidr_ may be specified in CIDR notation. A
default entry (address +0.0.0.0+, mask +0.0.0.0+) is always included
and is always the first entry in the list. Note that text string
_default_, with no mask option, may be used to indicate the default
entry. In the current implementation, _flag_ always restricts access,
i.e., an entry with no flags indicates that free access to the server
is to be given. The flags are not orthogonal, in that more restrictive
flags will often make less restrictive ones redundant. The flags can
generally be classed into two categories, those which restrict time
service and those which restrict informational queries and attempts
to do a run-time reconfiguration of the server. One or more of the
following flags may be specified:
+
--
+flake+;;
Discard received NTP packets with probability 0.1; that is, on
average drop one packet in ten. This flag is for testing and amusement.
The name comes from Bob Braden's _flakeway_, which once did a
similar thing for early Internet testing.
+ignore+;;
Deny packets of all kinds, including {ntpqman} queries.
+kod+;;
If this flag is set when an access violation occurs, a kiss-o'-death
(KoD) packet is sent. KoD packets are rate limited.
+limited+;;
Deny service if the packet spacing violates the lower limits
specified in the _limit_ command. A history of clients is kept using
the monitoring capability of {ntpdman}. Thus, monitoring is
always active as long as there is a restriction entry with
the limited flag.
+mssntp+;;
Enable Microsoft Windows MS-SNTP authentication using Active
Directory services. *Note: Potential users should be aware that
these services involve a TCP connection to another process that
could potentially block, denying services to other users. Therefore,
this flag should be used only for a dedicated server with no clients
other than MS-SNTP.*
+nomodify+;;
Deny {ntpqman} queries which attempt
to modify the state of the server (i.e., run time reconfiguration).
Queries which return information are permitted.
+nomrulist+;;
Do not accept MRU-list requests. These can be expensive to
service and may generate a high volume of response traffic.
+nopeer+;;
Deny packets which would result in mobilizing a new association;
this includes symmetric active packets when a
configured association does not exist. That used to happen
when the remote client used the +peer+ command in its config file.
We don't support that mode.
It used to include _pool_ servers, but they now poke a hole in any
restrictions.
+noquery+;;
Deny {ntpqman} queries. Time service is not affected.
+noserve+;;
Deny all packets except {ntpqman} and queries.
+notrust+;;
Deny service unless the packet is cryptographically authenticated.
+ntpport+;;
This is a match algorithm modifier, rather than a
restriction flag. Its presence causes the restriction entry to be
matched if the source port in the packet is the standard NTP
UDP port (123). Both +ntpport+ and +non-ntpport+ may be specified.
The +ntpport+ is considered more specific and is sorted later in the
list.
+version+;;
Deny packets that do not match the current NTP version.
--
Note: A second restrict line with the same address/mask
does not replace the first one. The flags are merged. Thus:
restrict bob X
restrict bob Y
is the same as
restrict bob X Y
Default restriction list entries with the flags ignore, interface,
ntpport, for each of the local host's interface addresses are inserted
into the table at startup to prevent the server from attempting to
synchronize to its own time. A default entry is also always present.
It has +noquery+ to avoid packet length amplification which can
be used for DDoS with a forged return address and +limited+ to
avoid DDoS reflections.
[[unrestrict]]+unrestrict+ _address_[/_cidr_] [+mask+ _mask_] [+flag+ +...+]::
Like a +restrict+ command, but turns off the specified flags rather
than turning them on (expected to be useful mainly with ntpq
:config). An unrestrict with no flags specified removes any rule
with matching address and mask. Use only on an address/mask or
CIDR-format address mentioned in a previous +restrict+ statement.
Note: +unrestrict default+ will not do anything;
you can't remove the builtin defaults.
If you want to remove them, use +unrestrict default noquery limited+
to turn off those flags.
// end
|
