From owner-svn-src-all@FreeBSD.ORG Sat Dec 28 01:57:47 2013
Message-ID: <52BE301B.3030202@delphij.net>
Date: Fri, 27 Dec 2013 17:57:47 -0800
From: Xin Li
Organization: The FreeBSD Project
To: Ian Lepore, d@delphij.net
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, Xin LI
Subject: Re: svn commit: r259973 - head/etc
References: <201312272306.rBRN6GON067322@svn.freebsd.org> <1388186184.1158.156.camel@revolution.hippie.lan> <52BE28ED.8080401@delphij.net> <1388195722.1158.173.camel@revolution.hippie.lan>
In-Reply-To: <1388195722.1158.173.camel@revolution.hippie.lan>
Reply-To: d@delphij.net

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 12/27/13 17:55, Ian Lepore wrote:
> On Fri, 2013-12-27 at 17:27 -0800, Xin Li wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> On 12/27/13 15:16, Ian Lepore wrote:
>>> On Fri, 2013-12-27 at 23:06 +0000, Xin LI wrote:
>>>> Author: delphij
>>>> Date: Fri Dec 27 23:06:15 2013
>>>> New Revision: 259973
>>>> URL: http://svnweb.freebsd.org/changeset/base/259973
>>>>
>>>> Log:
>>>>   Tighten default restrictions for ntpd(8) server and provide a link
>>>>   to NTP access restriction documentation.
>>>>
>>>>   The new default restrictions would allow only time queries from a
>>>>   remote system and will KoD all other requests, but still allow
>>>>   localhost to make all requests.
>>>>
>>>>   These restrictions are also recommended for all Internet-facing
>>>>   public NTP servers.
>>>>
>>>>   This changeset is intended for an instant MFC to stable/10 and
>>>>   releng/10.0.
>>>>
>>>> Modified:
>>>>   head/etc/ntp.conf
>>>>
>>>> Modified: head/etc/ntp.conf
>>>> ==============================================================================
>>>> --- head/etc/ntp.conf	Fri Dec 27 23:00:56 2013	(r259972)
>>>> +++ head/etc/ntp.conf	Fri Dec 27 23:06:15 2013	(r259973)
>>>> @@ -17,7 +17,7 @@
>>>>  # users with a static IP and good upstream NTP servers to add a server
>>>>  # to the pool. See http://www.pool.ntp.org/join.html if you are interested.
>>>>  #
>>>> -# The option `iburst' is used for faster initial synchronisation.
>>>> +# The option `iburst' is used for faster initial synchronization.
>>>>  #
>>>>  server 0.freebsd.pool.ntp.org iburst
>>>>  server 1.freebsd.pool.ntp.org iburst
>>>> @@ -35,21 +35,37 @@
>>>>  server 2.freebsd.pool.ntp.org iburst
>>>>  # server 2.CC.pool.ntp.org iburst
>>>> 
>>>>  #
>>>> -# Security: Only accept NTP traffic from the following hosts.
>>>> -# The following configuration example only accepts traffic from the
>>>> -# above defined servers.
>>>> +# Security:
>>>> +#
>>>> +# By default, only allow time queries and block all other requests
>>>> +# from unauthenticated clients.
>>>> +#
>>>> +# See http://support.ntp.org/bin/view/Support/AccessRestrictions
>>>> +# for more information.
>>>> +#
>>>> +restrict default kod nomodify notrap nopeer noquery
>>>> +restrict -6 default kod nomodify notrap nopeer noquery
>>>> +#
>>>> +# Alternatively, the following rules would block all unauthorized access.
>>>> +#
>>>> +#restrict default ignore
>>>> +#restrict -6 default ignore
>>>> +#
>>>> +# In this case, all remote NTP time servers also need to be explicitly
>>>> +# allowed or they would not be able to exchange time information with
>>>> +# this server.
>>>>  #
>>>
>>> This comment is incorrect. To quote the ntpd docs for nopeer:
>>>
>>>     Deny packets that might mobilize an association unless
>>>     authenticated. This includes broadcast, symmetric-active and
>>>     manycast server packets when a configured association does not
>>>     exist.
>>>
>>> In other words, peer relationships which are explicitly configured in
>>> the ntp.conf file(s) are not affected, the nopeer option only prevents
>>> *packets* that would create a new peer association.
>>>
>>>>  # Please note that this example doesn't work for the servers in
>>>>  # the pool.ntp.org domain since they return multiple A records.
>>>> -# (This is the reason that by default they are commented out)
>>>>  #
>>>> -#restrict default ignore
>>>>  #restrict 0.pool.ntp.org nomodify nopeer noquery notrap
>>>>  #restrict 1.pool.ntp.org nomodify nopeer noquery notrap
>>>>  #restrict 2.pool.ntp.org nomodify nopeer noquery notrap
>>>
>>> The foregoing implies that these lines aren't needed.
>>
>> I'm not sure if I get what you said. Did you mean these restrict lines
>> are not needed when "restrict default ignore" is present? (My test
>> suggests they are needed; this is also what the NTP documentation said:
>> a 'server' line needs a 'restrict' line when the default is set to
>> 'ignore'). Could you please use a patch to demonstrate how we can
>> improve the comment?
>
> Ooops, my bad, I misread the diff. I just saw the -default ignore line,
> not that it had moved up a few lines. My remark was in the context of
> not needing to "undo" the effect of the nopeer option.
>

I see, that's okay. Is there any other problem in the comment, etc.?
Another pair of eyes would always be helpful to catch errors :)

Cheers,
-- 
Xin LI                          https://www.delphij.net/
FreeBSD - The Power to Serve!   Live free or die
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJSvjAbAAoJEJW2GBstM+nsm94QAJ3Q5LUzrAl84bBHIEUyDXRv
Udk5w/ZS4hmzfsDHtDV3NCtDzSXuDXivAwmDfwguHjBALjuC3J/JkxU5SW6eFo0T
DZpoyCd2bMYfc2juzmA+Uvn3oY5Pz6WsBTUuJlBDLSfLPpUOjoR/tCTfSlhKlkmG
4FdFVgJAE9ZGJWRH7BMZ71ZGklqbMCDAUv0UAC5iEcXMkO9djcgMH8eRCt7QVnuj
j0tcqSLtrO07Nb5NoSBM8JI5A0quvjJTlv1EgmsrUG9rM5kzlw6Qf6tcZ/2l0ioF
Fqwd8cEES8S3dAjrb0AW2CS3T4Dr4ku1lp2VjXTmKysiZPpu7jS1KbYYp8IAlOa/
Wj2WK7ajdupGiBwa1H7vP4cm5L3qnNDz7ydeNgjEgfGJtBcNBCphL8D50/9S8Wir
iYC3G1zoUuVmIGsc7SxRZH86C80QDQe+9jqnasw43tc8HOcj4UKnkgkcuAoUNdQ5
o084D6uDJEG2gdh5Vlc4VApw1oBFzJT31nb5mUxsdws+8jmhGHlX72O/YCNYkM91
S0Z53syCjJC5L0UtWJT6AVWONpfM5zwBRGW8deU0UN1jwa3ZFH/QPIgR+rOAU3Cm
mRaIDzYyje/Dqs9PVsdShEPzsXkDzymUYFvXH+xqXu/o8Eizl7Rxvu0chfMwU2NJ
XMumWVC44tLEhOvC00wM
=2vkt
-----END PGP SIGNATURE-----
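Review bot: The log message says localhost still gets to make all requests, but nothing in the visible part of the second hunk (@@ -35,21 +35,37 @@) grants that: `restrict default kod nomodify notrap nopeer noquery` and its `-6` twin apply to every address that no more specific restrict line matches, 127.0.0.1 and ::1 included, so control queries from the host itself are refused as well. Unless they sit in the trimmed trailing context, add `restrict 127.0.0.1` and `restrict -6 ::1` directly after the two default lines. The added comment "all remote NTP time servers also need to be explicitly allowed" is correct only for the commented `restrict default ignore` alternative, as the exchange above about nopeer works out, not for the active default; placing it one comment block lower, next to the `#restrict 0.pool.ntp.org ...` example lines it refers to, or prefixing it with "With the 'ignore' default," would stop readers from applying it to the kod/noquery default.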
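The following is an added example, not code from the commit or from anyone in this thread: a small Python auditor for the `restrict` lines discussed above. It checks the three things the thread turns on, namely that a `restrict default` line exists and carries `nomodify notrap nopeer noquery`, that localhost keeps full access through a rule of its own, and that with a `restrict default ignore` every configured server has a restrict line of its own. The three sample configurations inside it are constructed for the example (SAMPLE_GOOD mirrors the r259973 default plus localhost rules), and server names are matched to restrict lines literally, whereas ntpd matches on the resolved address.

```python
import shlex

# Flags that leave only plain time requests answered; localhost addresses.
RECOMMENDED = ("nomodify", "notrap", "nopeer", "noquery")
LOCALHOST = ("127.0.0.1", "::1")


def parse_ntp_conf(text):
    """Return (servers, restricts): server/peer/pool host names, and
    (family, target, flags) tuples where family is "", "-4" or "-6",
    target is "default" or an address/host and flags is a frozenset."""
    servers, restricts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)
        if words[0] in ("server", "peer", "pool") and len(words) > 1:
            servers.append(words[1])
        elif words[0] == "restrict" and len(words) > 1:
            family, args = "", words[1:]
            if args[0] in ("-4", "-6"):
                family, args = args[0], args[1:]
            if not args:
                continue
            target, rest = args[0], args[1:]
            if rest[:1] == ["mask"]:          # "restrict a.b.c.d mask m ..."
                rest = rest[2:]
            restricts.append((family, target, frozenset(rest)))
    return servers, restricts


def audit(text):
    """Return a list of findings; an empty list means the file passes."""
    servers, restricts = parse_ntp_conf(text)
    findings = []

    def add(msg):
        if msg not in findings:           # one finding per distinct message
            findings.append(msg)

    defaults = [(f, flags) for f, t, flags in restricts if t == "default"]
    if not defaults:
        add("no 'restrict default' line: every host gets full access")
        return findings
    # Rules more specific than the default, keyed by target.
    specific = {t: flags for _, t, flags in restricts if t != "default"}
    for family, flags in defaults:
        label = f"restrict {family} default" if family else "restrict default"
        if "ignore" in flags:
            # The thread's point: with an 'ignore' default, each server line
            # needs a restrict line of its own or ntpd drops its replies.
            for host in servers:
                if host not in specific or "ignore" in specific[host]:
                    add(f"server {host} is unreachable: default is ignore "
                        "and no restrict line allows it")
        else:
            missing = [f for f in RECOMMENDED if f not in flags]
            if missing:
                add(f"{label} lacks {' '.join(missing)}")
    # ntpd does not special-case localhost: under a restrictive default,
    # 127.0.0.1 and ::1 keep full access only via a rule of their own.
    for addr in LOCALHOST:
        if addr not in specific:
            add(f"localhost {addr} falls under the default rule; add 'restrict {addr}'")
    return findings


# Constructed samples.  SAMPLE_GOOD: the r259973 default plus localhost rules;
# SAMPLE_IGNORE: the 'ignore' alternative with one server left out;
# SAMPLE_WEAK: control queries still answered, no localhost rule.
SAMPLE_GOOD = """\
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""
SAMPLE_IGNORE = """\
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
restrict default ignore
restrict -6 default ignore
restrict 0.freebsd.pool.ntp.org nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
"""
SAMPLE_WEAK = """\
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
"""

if __name__ == "__main__":
    for name, conf in (("good", SAMPLE_GOOD), ("ignore", SAMPLE_IGNORE),
                       ("weak", SAMPLE_WEAK)):
        print(f"{name}: " + ("; ".join(audit(conf)) or "ok"))
```

Run it against a real `/etc/ntp.conf` with `audit(open("/etc/ntp.conf").read())`; commented-out lines are ignored exactly as ntpd ignores them, so the `#restrict default ignore` alternative in the shipped file does not trigger the server check until it is actually enabled.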