Date: Fri, 27 Dec 2013 17:27:09 -0800
Message-ID: <52BE28ED.8080401@delphij.net>
From: Xin Li
Organization: The FreeBSD Project
To: Ian Lepore, Xin LI
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org
Reply-To: d@delphij.net
Subject: Re: svn commit: r259973 - head/etc
References: <201312272306.rBRN6GON067322@svn.freebsd.org> <1388186184.1158.156.camel@revolution.hippie.lan>
In-Reply-To: <1388186184.1158.156.camel@revolution.hippie.lan>

On 12/27/13 15:16, Ian Lepore wrote:
> On Fri, 2013-12-27 at 23:06 +0000, Xin LI wrote:
>> Author: delphij Date: Fri Dec 27 23:06:15 2013 New Revision:
>> 259973 URL: http://svnweb.freebsd.org/changeset/base/259973
>>
>> Log: Tighten default restrictions for ntpd(8) server and provide
>> a link to NTP access restriction documentation.
>>
>> The new default restrictions would allow only time queries from
>> a remote system and will KoD all other requests, but still allow
>> localhost to make all requests.
>>
>> These restrictions are also recommended for all Internet-facing
>> public NTP servers.
>>
>> This changeset is intended for an instant MFC to stable/10 and
>> releng/10.0.
>>
>> Modified: head/etc/ntp.conf
>>
>> Modified: head/etc/ntp.conf
>> ==============================================================================
>>
>> - --- head/etc/ntp.conf Fri Dec 27 23:00:56 2013 (r259972)
>> +++ head/etc/ntp.conf Fri Dec 27 23:06:15 2013 (r259973) @@ -17,7
>> +17,7 @@ # users with a static IP and good upstream NTP servers
>> to add a server # to the pool. See
>> http://www.pool.ntp.org/join.html if you are interested. # -# The
>> option `iburst' is used for faster initial synchronisation. +#
>> The option `iburst' is used for faster initial synchronization.
>> # server 0.freebsd.pool.ntp.org iburst server
>> 1.freebsd.pool.ntp.org iburst
>> @@ -35,21 +35,37 @@ server
>> 2.freebsd.pool.ntp.org iburst # server 2.CC.pool.ntp.org iburst
>>
>> # -# Security: Only accept NTP traffic from the following hosts.
>> -# The following configuration example only accepts traffic from
>> the -# above defined servers. +# Security: +# +# By default, only
>> allow time queries and block all other requests +# from
>> unauthenticated clients. +# +# See
>> http://support.ntp.org/bin/view/Support/AccessRestrictions +# for
>> more information. +# +restrict default kod nomodify notrap nopeer
>> noquery +restrict -6 default kod nomodify notrap nopeer noquery
>> +# +# Alternatively, the following rules would block all
>> unauthorized access. +# +#restrict default ignore +#restrict -6
>> default ignore +# +# In this case, all remote NTP time servers
>> also need to be explicitly +# allowed or they would not be able
>> to exchange time information with +# this server. #
>
> This comment is incorrect. To quote the ntpd docs for nopeer:
>
> Deny packets that might mobilize an association unless
> authenticated. This includes broadcast, symmetric-active and
> manycast server packets when a configured association does not
> exist.
>
> In other words, peer relationships which are explicitly configured
> in the ntp.conf file(s) are not affected, the nopeer option only
> prevents *packets* that would create a new peer association.
>
>> # Please note that this example doesn't work for the servers in #
>> the pool.ntp.org domain since they return multiple A records. -#
>> (This is the reason that by default they are commented out) #
>> -#restrict default ignore #restrict 0.pool.ntp.org nomodify
>> nopeer noquery notrap #restrict 1.pool.ntp.org nomodify nopeer
>> noquery notrap #restrict 2.pool.ntp.org nomodify nopeer noquery
>> notrap
>
> The foregoing implies that these lines aren't needed.

I'm not sure if I get what you said. Did you mean these restrict lines
are not needed when "restrict default ignore" is present?
(My test suggests they are needed; this is also what the NTP
documentation said: a 'server' line needs a 'restrict' line when the
default is set to 'ignore'.)

Could you please use a patch to demonstrate how we can improve the
comment?

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
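Review bot: in the second hunk (@@ -35,21 +35,37 @@), the added sentence "In this case, all remote NTP time servers also need to be explicitly allowed or they would not be able to exchange time information with this server" is what the reply objects to, and the problem is the dangling "In this case": read after the new `restrict default kod nomodify notrap nopeer noquery` lines it is false (configured `server` associations keep working; per the quoted nopeer text, nopeer only refuses packets that would mobilize a new association), while it is only true of the commented-out `#restrict default ignore` alternative directly above it. Suggest binding the sentence to that alternative, e.g. "If you use `restrict default ignore` instead, every server listed above also needs its own `restrict <host> ...` line, or its replies will be discarded", and, because the surviving context below states that the pool.ntp.org names return multiple A records and so cannot be listed by hostname, adding that the ignore alternative does not work with the default pool-based server lines. Separately, the log message promises the new default will "KoD all other requests"; please confirm against the AccessRestrictions page linked in the hunk that kod applies here, since in ntpd a Kiss-o'-Death is only sent for packets refused by `limited` or `noserve`, and with `nomodify notrap nopeer noquery` alone the refused control queries are dropped without a reply. If rate-limited KoD is the intent, add `limited` to both `restrict default` lines; otherwise drop that claim from the log.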
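The point the two replies are circling, that a `server` line needs a matching `restrict` line once `restrict default ignore` is in force, and that the pool.ntp.org names cannot be whitelisted by hostname because they resolve to several addresses, is easy to check mechanically. The following Python audit is an added example written for this page; it is not part of ntpd, FreeBSD's ntp.conf or the r259973 change. The three configuration snippets in it are constructed (ntp.example.net is a placeholder), and the `kod` check encodes an assumption about ntpd's access-control semantics: that `kod` only produces a Kiss-o'-Death reply when `limited` or `noserve` refuses the packet.

```python
# Added example for this thread (not part of ntpd or of r259973): audit an
# ntp.conf for the "restrict default" pitfalls discussed above. The sample
# configurations below are constructed; ntp.example.net is a placeholder host.

LOCAL_ADDRS = {"127.0.0.1", "::1"}
REMOTE_FLAGS = ("noquery", "nomodify", "notrap", "nopeer")


def parse_ntp_conf(text):
    """Return (sources, restricts): sources are (keyword, host) for server/peer/pool
    lines, restricts are (family, target, flags) for restrict lines."""
    sources, restricts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("server", "peer", "pool") and len(parts) >= 2:
            sources.append((parts[0], parts[1]))
        elif parts[0] == "restrict" and len(parts) >= 2:
            args = parts[1:]
            family = ""
            if args[0] in ("-4", "-6"):           # optional address-family switch
                family, args = args[0], args[1:]
            if args:
                restricts.append((family, args[0], frozenset(args[1:])))
    return sources, restricts


def audit_ntp_conf(text):
    """Return a list of findings (strings); an empty list means nothing to flag."""
    sources, restricts = parse_ntp_conf(text)
    findings = []

    def note(msg):                                # keep one copy per distinct finding
        if msg not in findings:
            findings.append(msg)

    defaults = [flags for _, target, flags in restricts if target == "default"]
    if not defaults:
        note("no 'restrict default' line: every remote host gets full access")
        return findings
    explicit = {target for _, target, _ in restricts if target != "default"}

    for flags in defaults:
        if "ignore" in flags:
            # With 'ignore' as the default, replies from a configured source are
            # dropped unless that source has its own restrict line.
            for kw, host in sources:
                if host in LOCAL_ADDRS:
                    continue
                if host not in explicit:
                    note(f"default is 'ignore' but '{kw} {host}' has no restrict line; "
                         "its replies will be dropped")
                if kw == "pool" or host.endswith("pool.ntp.org"):
                    note(f"'{kw} {host}' resolves to several addresses; a hostname "
                         "restrict line cannot whitelist it")
        else:
            # Assumption (ntpd access-control semantics): 'kod' only sends a
            # Kiss-o'-Death when 'limited' or 'noserve' refuses the packet.
            if "kod" in flags and not ({"limited", "noserve"} & flags):
                note("'kod' has no effect without 'limited' or 'noserve'")
            for flag in REMOTE_FLAGS:
                if flag not in flags:
                    note(f"'restrict default' lacks '{flag}'")
    return findings


# Constructed sample 1: the r259973 default block (pool servers, kod without limited).
DEFAULT_CONF = """\
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

# Constructed sample 2: the 'ignore' alternative without per-server restrict lines.
IGNORE_CONF_MISSING = """\
server 0.freebsd.pool.ntp.org iburst
server ntp.example.net iburst
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
"""

# Constructed sample 3: the 'ignore' alternative done correctly for a fixed host.
IGNORE_CONF_OK = """\
server ntp.example.net iburst
restrict default ignore
restrict -6 default ignore
restrict ntp.example.net nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("ignore-missing", IGNORE_CONF_MISSING),
                       ("ignore-ok", IGNORE_CONF_OK)):
        print(name, audit_ntp_conf(conf) or ["ok"])
```

Run against the second sample, the audit reports the missing `restrict` line for each server and separately flags the pool.ntp.org name as one that cannot be allowed by hostname, which is exactly why the commented-out `#restrict N.pool.ntp.org` example in the hunk does not rescue an `ignore` default; the third sample, a single fixed host with its own `restrict` line, audits clean.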