From owner-svn-src-stable-8@FreeBSD.ORG Fri Dec 27 23:09:41 2013 Return-Path: Delivered-To: svn-src-stable-8@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 163291DA; Fri, 27 Dec 2013 23:09:41 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id DB8C4188F; Fri, 27 Dec 2013 23:09:40 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id rBRN9eYh067965; Fri, 27 Dec 2013 23:09:40 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id rBRN9ew3067964; Fri, 27 Dec 2013 23:09:40 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201312272309.rBRN9ew3067964@svn.freebsd.org> From: Xin LI Date: Fri, 27 Dec 2013 23:09:40 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r259974 - in stable: 10/etc 8/etc 9/etc X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-8@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for only the 8-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Dec 2013 23:09:41 -0000 Author: delphij Date: Fri Dec 27 23:09:40 2013 New Revision: 259974 URL: http://svnweb.freebsd.org/changeset/base/259974 Log: MFC r259973: Tighten default restrictions for ntpd(8) server and provide a link to NTP access restriction documentation. Modified: stable/8/etc/ntp.conf Directory Properties: stable/8/etc/ (props changed) Changes in other areas also in this revision: Modified: stable/10/etc/ntp.conf stable/9/etc/ntp.conf Directory Properties: stable/10/ (props changed) stable/9/etc/ (props changed) Modified: stable/8/etc/ntp.conf ============================================================================== --- stable/8/etc/ntp.conf Fri Dec 27 23:06:15 2013 (r259973) +++ stable/8/etc/ntp.conf Fri Dec 27 23:09:40 2013 (r259974) @@ -17,7 +17,7 @@ # users with a static IP and good upstream NTP servers to add a server # to the pool. See http://www.pool.ntp.org/join.html if you are interested. # -# The option `iburst' is used for faster initial synchronisation. +# The option `iburst' is used for faster initial synchronization. # server 0.freebsd.pool.ntp.org iburst server 1.freebsd.pool.ntp.org iburst @@ -35,21 +35,37 @@ server 2.freebsd.pool.ntp.org iburst # server 2.CC.pool.ntp.org iburst # -# Security: Only accept NTP traffic from the following hosts. -# The following configuration example only accepts traffic from the -# above defined servers. +# Security: +# +# By default, only allow time queries and block all other requests +# from unauthenticated clients. +# +# See http://support.ntp.org/bin/view/Support/AccessRestrictions +# for more information. +# +restrict default kod nomodify notrap nopeer noquery +restrict -6 default kod nomodify notrap nopeer noquery +# +# Alternatively, the following rules would block all unauthorized access. +# +#restrict default ignore +#restrict -6 default ignore +# +# In this case, all remote NTP time servers also need to be explicitly +# allowed or they would not be able to exchange time information with +# this server. # # Please note that this example doesn't work for the servers in # the pool.ntp.org domain since they return multiple A records. -# (This is the reason that by default they are commented out) # -#restrict default ignore #restrict 0.pool.ntp.org nomodify nopeer noquery notrap #restrict 1.pool.ntp.org nomodify nopeer noquery notrap #restrict 2.pool.ntp.org nomodify nopeer noquery notrap -#restrict 127.0.0.1 -#restrict -6 ::1 -#restrict 127.127.1.0 +# +# The following settings allow unrestricted access from the localhost +restrict 127.0.0.1 +restrict -6 ::1 +restrict 127.127.1.0 # # If a server loses sync with all upstream servers, NTP clients