142 lines
6.5 KiB
HTML
142 lines
6.5 KiB
HTML
|
<!-- $NetBSD: accopt.html,v 1.1 1998/12/30 20:20:33 mcr Exp $ -->
|
||
|
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML Strict//EN">
|
||
|
<html><head><title>
|
||
|
Access Control Options
|
||
|
</title></head><body><h3>
|
||
|
Access Control Options
|
||
|
</h3><hr>
|
||
|
|
||
|
<p><h4>Access Control Support</h4>
|
||
|
|
||
|
<p><code>xntpd</code> implements a general purpose address-and-mask
|
||
|
based restriction list. The list is sorted by address and by mask, and
|
||
|
the list is searched in this order for matches, with the last match
|
||
|
found defining the restriction flags associated with the incoming
|
||
|
packets. The source address of incoming packets is used for the match,
|
||
|
with the 32-bit address being and'ed with the mask associated with the
|
||
|
restriction entry and then compared with the entry's address (which has
|
||
|
also been and'ed with the mask) to look for a match. Additional
|
||
|
information and examples can be found in the <a href = "notes.html">
|
||
|
Notes on Configuring NTP and Setting up a NTP Subnet </a> page.
|
||
|
|
||
|
<p>The restriction facility was implemented in conformance with the
|
||
|
access policies for the original NSFnet backbone time servers. While
|
||
|
this facility may be otherwise useful for keeping unwanted or broken
|
||
|
remote time servers from affecting your own, it should not be considered
|
||
|
an alternative to the standard NTP authentication facility. Source
|
||
|
address based restrictions are easily circumvented by a determined
|
||
|
cracker.
|
||
|
|
||
|
<p><h4>Access Control Commands</h4>
|
||
|
|
||
|
<dl>
|
||
|
|
||
|
<dt><code>restrict <i>numeric_address</i> [ mask <i>numeric_mask</i>
|
||
|
] [ <i>flag</i> ] [ ... ]</code>
|
||
|
<dd>The <code><i>numeric_address</i></code> argument, expressed in
|
||
|
dotted-quad form, is the address of an host or network. The
|
||
|
<code><i>mask</i></code> argument, also expressed in dotted-quad form,
|
||
|
defaults to <code>255.255.255.255</code>, meaning that the
|
||
|
<code><i>numeric_address</i></code> is treated as the address of an
|
||
|
individual host. A default entry (address <code>0.0.0.0</code>, mask
|
||
|
<code>0.0.0.0</code>) is always included and, given the sort algorithm,
|
||
|
is always the first entry in the list. Note that, while
|
||
|
<code><i>numeric_address</i></code> is normally given in dotted-quad
|
||
|
format, the text string <code>default</code>, with no mask option, may
|
||
|
be used to indicate the default entry.
|
||
|
|
||
|
<p><dd>In the current implementation, <code><i>flag</i></code> always
|
||
|
restricts access, i.e., an entry with no flags indicates that free
|
||
|
access to the server is to be given. The flags are not orthogonal, in
|
||
|
that more restrictive flags will often make less restrictive ones
|
||
|
redundant. The flags can generally be classed into two catagories, those
|
||
|
which restrict time service and those which restrict informational
|
||
|
queries and attempts to do run-time reconfiguration of the server. One
|
||
|
or more of the following flags may be specified:
|
||
|
|
||
|
<dl>
|
||
|
|
||
|
<dt><code>ignore</code>
|
||
|
<dd>Ignore all packets from hosts which match this entry. If this flag
|
||
|
is specified neither queries nor time server polls will be responded to.
|
||
|
|
||
|
<p><dt><code>noquery</code>
|
||
|
<dd>Ignore all NTP mode 6 and 7 packets (i.e. information queries and
|
||
|
configuration requests) from the source. Time service is not affected.
|
||
|
|
||
|
<p><dt><code>nomodify</code>
|
||
|
<dd>Ignore all NTP mode 6 and 7 packets which attempt to modify the
|
||
|
state of the server (i.e. run time reconfiguration). Queries which
|
||
|
return information are permitted.
|
||
|
|
||
|
<p><dt><code>notrap</code>
|
||
|
<dd>Decline to provide mode 6 control message trap service to matching
|
||
|
hosts. The trap service is a subsystem of the mode 6 control message
|
||
|
protocol which is intended for use by remote event logging programs.
|
||
|
|
||
|
<p><dt><code>lowpriotrap</code>
|
||
|
<dd>Declare traps set by matching hosts to be low priority. The number
|
||
|
of traps a server can maintain is limited (the current limit is 3).
|
||
|
Traps are usually assigned on a first come, first served basis, with
|
||
|
later trap requestors being denied service. This flag modifies the
|
||
|
assignment algorithm by allowing low priority traps to be overridden by
|
||
|
later requests for normal priority traps.
|
||
|
|
||
|
<p><dt><code>noserve</code>
|
||
|
<dd>Ignore NTP packets whose mode is other than 6 or 7. In effect, time
|
||
|
service is denied, though queries may still be permitted.
|
||
|
|
||
|
<p><dt><code>nopeer</code>
|
||
|
<dd>Provide stateless time service to polling hosts, but do not allocate
|
||
|
peer memory resources to these hosts even if they otherwise might be
|
||
|
considered useful as future synchronization partners.
|
||
|
|
||
|
<p><dt><code>notrust</code>
|
||
|
<dd>Treat these hosts normally in other respects, but never use them as
|
||
|
synchronization sources.
|
||
|
|
||
|
<p><dt><code>limited</code>
|
||
|
<dd>These hosts are subject to limitation of number of clients from the
|
||
|
same net. Net in this context refers to the IP notion of net (class A,
|
||
|
class B, class C, etc.). Only the first <code>client_limit</code> hosts
|
||
|
that have shown up at the server and that have been active during the
|
||
|
last <code>client_limit_period</code> seconds are accepted. Requests
|
||
|
from other clients from the same net are rejected. Only time request
|
||
|
packets are taken into account. Query packets sent by the
|
||
|
<code>ntpq</code> and <code>xntpdc</code> programs are not subject to
|
||
|
these limits. A history of clients is kept using the monitoring
|
||
|
capability of <code>xntpd</code>. Thus, monitoring is always active as
|
||
|
long as there is a restriction entry with the <code>limited</code> flag.
|
||
|
|
||
|
<p><dt><code>ntpport</code>
|
||
|
<dd>This is actually a match algorithm modifier, rather than a
|
||
|
restriction flag. Its presence causes the restriction entry to be
|
||
|
matched only if the source port in the packet is the standard NTP UDP
|
||
|
port (123). Both <code>ntpport</code> and <code>non-ntpport</code> may
|
||
|
be specified. The <code>ntpport</code> is considered more specific and
|
||
|
is sorted later in the list.
|
||
|
|
||
|
</dl>
|
||
|
|
||
|
<p><dd>Default restriction list entries, with the flags <code>ignore,
|
||
|
ntpport</code>, for each of the local host's interface addresses are
|
||
|
inserted into the table at startup to prevent the server from attempting
|
||
|
to synchronize to its own time. A default entry is also always present,
|
||
|
though if it is otherwise unconfigured; no flags are associated with the
|
||
|
default entry (i.e., everything besides your own NTP server is
|
||
|
unrestricted).
|
||
|
|
||
|
<p><dt><code>clientlimit <i>limit</i></code>
|
||
|
<dd>Set the <code>client_limit</code> variable, which limits the number
|
||
|
of simultaneous access-controlled clients. The default value for this
|
||
|
variable is 3.
|
||
|
<p><dt><code>clientperiod <i>period</i></code>
|
||
|
<dd>Set the <code>client_limit_period</code> variable, which specifies
|
||
|
the number of seconds after which a client is considered inactive and
|
||
|
thus no longer is counted for client limit restriction. The default
|
||
|
value for this variable is 3600 seconds.
|
||
|
|
||
|
</dl>
|
||
|
|
||
|
<hr><address>David L. Mills (mills@udel.edu)</address></body></html>
|