accopt.html revision 1.1.1.1
1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> 2 3 <html> 4 <head> 5 <meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> 6 <meta name="generator" content="HTML Tidy, see www.w3.org"> 7 <title>Access Control Options</title> 8 <link href="scripts/style.css" type="text/css" rel="stylesheet"> 9 <style type="text/css"> 10 <!-- 11 .style1 { 12 color: #FF0000; 13 font-weight: bold; 14 } 15 --> 16 </style> 17 </head> 18 19 <body> 20 21 <h3>Access Control Options</h3> 22 23 <img src="pic/pogo6.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a> 24 25 <p>The skunk watches for intruders and sprays.</p> 26 <p>Last update: 27 <!-- #BeginDate format:En2m -->30-Sep-2009 17:16<!-- #EndDate --> 28 UTC</p> 29 <br clear="left"> 30 31 <h4>Related Links</h4> 32 33 <script type="text/javascript" language="javascript" src="scripts/command.txt"></script> 34 <script type="text/javascript" language="javascript" src="scripts/accopt.txt"></script> 35 36 <h4>Table of Contents</h4> 37 38 <ul> 39 <li class="inline"><a href="#acx">Access Control Support</a></li> 40 <li class="inline"><a href="#cmd">Access Control Commands</a></li> 41 </ul> 42 43 <hr> 44 45 <h4 id="acx">Access Control Support</h4> 46 47 <p>The <tt>ntpd</tt> daemon implements a general purpose access control list 48 (ACL) containing address/match entries sorted first by increasing address 49 values and then by increasing mask values. A match occurs when the bitwise 50 AND of the mask and the packet source address is equal to the bitwise AND of 51 the mask and address in the list. The list is searched in order with the last 52 match found defining the restriction flags associated with the entry.</p> 53 54 <p>An example may clarify how it works. Our campus has two class-B networks, 55 128.4 for the ECE and CIS departments and 128.175 for the rest of campus. 56 Let's assume (not true!) that subnet 128.4.1 homes critical services like class 57 rosters and spread sheets. A suitable ACL might be</p> 58 <pre> 59 restrict default nopeer # deny new associations 60 restrict 128.175.0.0 mask 255.255.0.0 # allow campus access 61 restrict 128.4.0.0 mask 255.255.0.0 none # allow ECE and CIS access 62 restrict 128.4.1.0 mask 255.255.255.0 notrust # require authentication on subnet 1 63 restrict time.nist.gov # allow access 64 </pre> 65 66 <p>While this facility may be useful for keeping unwanted, broken or malicious clients from congesting innocent servers, it should not be considered an alternative to the NTP authentication facilities. Source address based restrictions are easily circumvented by a determined cracker.</p> 67 68 <h4 id="cmd">Access Control Commands</h4> 69 70 <dl> 71 72 <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] [ monitor <i>prob</i> ]</tt></dt> 73 <dd>Set the parameters of the rate control facility which protects the server 74 from client abuse. If the <tt>limited</tt> flag is present in the ACL, packets 75 that violate these limits are discarded. If in addition the <tt>kod</tt> restriction 76 is present, a kiss-o'-death packet is returned.</dd> 77 78 <dd><dl> 79 80 <dt><tt>average <i>avg</i></tt></dt> 81 <dd>Specify the minimum average interpacket spacing (minimum average headway 82 time) in log<sub>2</sub> s with default 3.</dd> 83 84 <dt><tt>minimum <i>min</i></tt></dt> 85 <dd>Specify the minimum interpacket spacing (guard time) in log<sub>2</sub> s 86 with default 1.</dd> 87 88 <dt><tt>monitor</tt></dt> 89 <dd>Specify the probability of discard for packets that overflow the rate-control 90 window. This is a performance optimization for servers with aggregate arrivals 91 of 1000 packets per second or more.</dd> 92 93 </dl></dd> 94 95 <dt id="restrict"><tt>restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt></dt> 96 <dd>The <tt><i>address</i></tt> argument expressed in dotted-quad form is the 97 address of a host or network. Alternatively, the <tt><i>address</i></tt> argument 98 can be a valid host DNS name. The <tt><i>mask</i></tt> argument expressed in 99 dotted-quad form defaults to 255.255.255.255, meaning that the <tt><i>address</i></tt> is 100 treated as the address of an individual host. A default entry (address 0.0.0.0, 101 mask 0.0.0.0) is always included and is always the first entry in the list. 102 Note that the text string <tt>default</tt>, with no mask option, may be used 103 to indicate the default entry.</dd> 104 105 <dd>Some flags have the effect to deny service, some have the effect to 106 enable service and some are conditioned by other flags. The flags. are 107 not orthogonal, in that more restrictive flags will often make less restrictive 108 ones redundant. The flags that deny service are classed in two categories, 109 those that restrict time service and those that restrict informational queries 110 and attempts to do run-time reconfiguration of the server. One or more of the 111 following flags may be specified:</dd> 112 <dd><dl> 113 114 <dt><tt>flake</tt></dt> 115 <dd>Discard received NTP packets with probability 0.1; that is, on average drop 116 one packet in ten. This is for testing and amusement. The name comes from Bob 117 Braden's <i>flakeway</i>, which once did a similar thing for early Internet 118 testing.</dd> 119 120 <dt><tt>ignore</tt></dt> 121 <dd>Deny packets of all kinds, including <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> 122 123 <dt><tt>kod</tt></dt> 124 <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is present 125 and a packet violates the rate limits established by the <tt>discard</tt> command. 126 KoD packets are themselves rate limited for each source address separately. 127 If this flag is not present, packets that violate the rate limits are discarded.</dd> 128 129 <dt><tt>limited</tt></dt> 130 <dd>Deny time service if the packet violates the rate limits established by the <tt>discard</tt> command. 131 This does not apply to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> 132 133 <dt><tt>lowpriotrap</tt></dt> 134 <dd>Declare traps set by matching hosts to be low priority. The number of traps 135 a server can maintain is limited (the current limit is 3). Traps are usually 136 assigned on a first come, first served basis, with later trap requestors being 137 denied service. This flag modifies the assignment algorithm by allowing low 138 priority traps to be overridden by later requests for normal priority traps.</dd> 139 <dt><tt>mssntp</tt></dt> 140 <dd>Enable Microsoft Windows MS-SNTP authentication using Active Directory services. 141 <span class="style1">Note: Potential users should be aware that these services 142 involve a TCP connection to another process that could potentially block, 143 denying services to other users. Therefore, this flag should be used only 144 for a dedicated server with no clients other than MS-SNTP.</span></dd> 145 <dt><tt>nomodify</tt></dt> 146 <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to modify the 147 state of the server (i.e., run time reconfiguration). Queries which return information 148 are permitted.</dd> 149 150 <dt><tt>noquery</tt></dt> 151 <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not affected.</dd> 152 153 <dt><tt>nopeer</tt></dt> 154 <dd>Deny packets that might mobilize an association unless authenticated. This 155 includes broadcast, symmetric-active and manycast server packets when a configured 156 association does not exist. Note that this flag does not apply to packets 157 that do not attempt to mobilize an association. </dd> 158 159 <dt><tt>noserve</tt></dt> 160 <dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> 161 162 <dt><tt>notrap</tt></dt> 163 <dd>Decline to provide mode 6 control message trap service to matching hosts. 164 The trap service is a subsystem of the <tt>ntpdc</tt> control message protocol 165 which is intended for use by remote event logging programs.</dd> 166 167 <dt><tt>notrust</tt></dt> 168 <dd>Deny packets that are not cryptographically authenticated. Note carefully 169 how this flag interacts with the <tt>auth</tt> option of the <tt>enable</tt> and <tt>disable</tt> commands. 170 If <tt>auth</tt> is enabled, which is the default, authentication is required 171 for all packets that might mobilize an association. 172 If <tt>auth</tt> is 173 disabled, but the <tt>notrust</tt> flag is not present, an association can be 174 mobilized whether or not authenticated. If <tt>auth</tt> is disabled, but the <tt>notrust</tt> flag 175 is present, authentication is required only for the specified address/mask 176 range. </dd> 177 178 <dt><tt>ntpport</tt></dt> 179 <dt><tt>non-ntpport</tt></dt> 180 <dd>This is actually a match algorithm modifier, rather than a restriction 181 flag. Its presence causes the restriction entry to be matched only if the 182 source port in the packet is the standard NTP UDP port (123). Both <tt>ntpport</tt> and <tt>non-ntpport</tt> may 183 be specified. The <tt>ntpport</tt> is considered more specific and is sorted 184 later in the list.</dd> 185 <dt><tt>version</tt></dt> 186 <dd>Deny packets that do not match the current NTP version.</dd> 187 </dl> 188 </dd> 189 <dd>Default restriction list entries with the flags <tt>ignore, ntpport</tt>, 190 for each of the local host's interface addresses are inserted into the table 191 at startup to prevent the server from attempting to synchronize to its own time. 192 A default entry is also always present, though if it is otherwise unconfigured; 193 no flags are associated with the default entry (i.e., everything besides your 194 own NTP server is unrestricted).</dd> 195 </dl> 196 197 <hr> 198 <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script> 199 200 </body> 201 202 </html>
Indexes created Sun Apr 19 00:22:55 UTC 2026