ntp_acc man page on Scientific

Man page or keyword search:  
man Server   26626 pages
apropos Keyword Search (all sections)
Output format
Scientific logo
[printable version]

ntp_acc(5)							    ntp_acc(5)

NAME
       ntp_acc - Access Control Options

ACCESS CONTROL SUPPORT
       The  ntpd daemon implements a general purpose access control list (ACL)
       containing address/match entries sorted	first  by  increasing  address
       values and then by increasing mask values. A match occurs when the bit‐
       wise AND of the mask and the packet source address is equal to the bit‐
       wise  AND  of the mask and address in the list. The list is searched in
       order with the last match found defining the restriction flags  associ‐
       ated with the entry.

       An  example  may	 clarify how it works. Our campus has two class-B net‐
       works, 128.4 for the ECE and CIS departments and 128.175 for  the  rest
       of  campus. Let's assume (not true!) that subnet 128.4.1 homes critical
       services like class rosters and spread sheets. A suitable ACL might be

       restrict default nopeer			    # deny new associations
       restrict 128.175.0.0 mask 255.255.0.0	    # allow campus access
       restrict 128.4.0.0 mask 255.255.0.0 none	    # allow ECE and CIS access
       restrict 128.4.1.0 mask 255.255.255.0 notrust # require authentication on subnet 1
       restrict time.nist.gov				 # allow access

       While this facility may be useful for keeping unwanted, broken or mali‐
       cious  clients  from congesting innocent servers, it should not be con‐
       sidered an alternative to the  NTP  authentication  facilities.	Source
       address	based  restrictions  are  easily  circumvented by a determined
       cracker.

ACCESS CONTROL COMMANDS
       discard [ average avg ][ minimum min ] [ monitor prob ]
	       Set the parameters of the rate control facility which  protects
	       the server from client abuse. If the limited flag is present in
	       the ACL, packets that violate these limits are discarded. If in
	       addition the kod restriction is present, a kiss-o'-death packet
	       is returned.

	       average avg
		       Specify the minimum average interpacket spacing	(mini‐
		       mum average headway time) in log2 s with default 3.

	       minimum min
		       Specify the minimum interpacket spacing (guard time) in
		       log2 s with default 1.

	       monitor Specify the probability of  discard  for	 packets  that
		       overflow the rate-control window. This is a performance
		       optimization for servers	 with  aggregate  arrivals  of
		       1000 packets per second or more.

       restrict address [mask mask] [flag][...]
	       The  address  argument  expressed  in  dotted-quad  form is the
	       address of a host or network. Alternatively, the address	 argu‐
	       ment  can be a valid host DNS name. The mask argument expressed
	       in dotted-quad form defaults to 255.255.255.255,	 meaning  that
	       the  address is treated as the address of an individual host. A
	       default	entry  (address	 0.0.0.0,  mask	 0.0.0.0)  is	always
	       included	 and  is always the first entry in the list. Note that
	       the text string default, with no mask option, may  be  used  to
	       indicate the default entry.  Some flags have the effect to deny
	       service, some have the effect to enable service	and  some  are
	       conditioned  by	other flags. The flags. are not orthogonal, in
	       that more restrictive flags will often  make  less  restrictive
	       ones  redundant. The flags that deny service are classed in two
	       categories, those that restrict time  service  and  those  that
	       restrict	 informational	queries	 and  attempts	to do run-time
	       reconfiguration of the server. One or  more  of	the  following
	       flags may be specified:

	       flake   Discard received NTP packets with probability 0.1; that
		       is, on average drop one packet  in  ten.	 This  is  for
		       testing and amusement. The name comes from Bob Braden's
		       flakeway, which once did	 a  similar  thing  for	 early
		       Internet testing.

	       ignore  Deny  packets  of  all  kinds, including ntpq and ntpdc
		       queries.

	       kod     Send a kiss-o'-death (KoD) packet if the	 limited  flag
		       is present and a packet violates the rate limits estab‐
		       lished by the discard command. KoD  packets  are	 them‐
		       selves rate limited for each source address separately.
		       If this flag is not present, packets that  violate  the
		       rate limits are discarded.

	       limited Deny  time service if the packet violates the rate lim‐
		       its established by the discard command. This  does  not
		       apply to ntpq and ntpdc queries.

	       lowpriotrap
		       Declare traps set by matching hosts to be low priority.
		       The number of traps a server can	 maintain  is  limited
		       (the current limit is 3). Traps are usually assigned on
		       a first come,  first  served  basis,  with  later  trap
		       requestors being denied service. This flag modifies the
		       assignment algorithm by allowing low priority traps  to
		       be  overridden  by  later  requests for normal priority
		       traps.

	       mssntp  Enable Microsoft Windows MS-SNTP	 authentication	 using
		       Active Directory services. Note: Potential users should
		       be aware that these services involve a  TCP  connection
		       to  another process that could potentially block, deny‐
		       ing services  to	 other	users.	Therefore,  this  flag
		       should  be  used	 only  for  a dedicated server with no
		       clients other than MS-SNTP.

	       nomodify
		       Deny ntpq and ntpdc queries which attempt to modify the
		       state  of  the server (i.e., run time reconfiguration).
		       Queries which return information are permitted.

	       noquery Deny ntpq  and  ntpdc  queries.	Time  service  is  not
		       affected.

	       nopeer  Deny  packets that might mobilize an association unless
		       authenticated.  This  includes  broadcast,   symmetric-
		       active  and  manycast  server packets when a configured
		       association does not exist. Note that  this  flag  does
		       not apply to packets that do not attempt to mobilize an
		       association.

	       noserve Deny all packets except ntpq and ntpdc queries.

	       notrap  Decline to provide mode 6 control message trap  service
		       to  matching  hosts. The trap service is a subsystem of
		       the ntpdc control message protocol  which  is  intended
		       for use by remote event logging programs.

	       notrust Deny  packets  that are not cryptographically authenti‐
		       cated. Note carefully how this flag interacts with  the
		       auth option of the enable and disable commands. If auth
		       is enabled, which is  the  default,  authentication  is
		       required for all packets that might mobilize an associ‐
		       ation. If auth is disabled, but the notrust flag is not
		       present, an association can be mobilized whether or not
		       authenticated. If auth is  disabled,  but  the  notrust
		       flag  is	 present,  authentication is required only for
		       the specified address/mask range.

	       ntpport

	       non-ntpport
		       This is actually a  match  algorithm  modifier,	rather
		       than  a	restriction  flag.  Its	 presence  causes  the
		       restriction entry to be matched only if the source port
		       in  the packet is the standard NTP UDP port (123). Both
		       ntpport and non-ntpport may be specified.  The  ntpport
		       is  considered more specific and is sorted later in the
		       list.

	       version Deny packets that do not match the current NTP version.

       Default restriction list entries with the flags	ignore,	 ntpport,  for
       each  of the local host's interface addresses are inserted into the ta‐
       ble at startup to prevent the server from attempting to synchronize  to
       its  own	 time. A default entry is also always present, though if it is
       otherwise unconfigured; no flags are associated with the default	 entry
       (i.e., everything besides your own NTP server is unrestricted).

SEE ALSO
       ntp.conf(5)

       The official HTML documentation.

       This file was automatically generated from HTML source.

								    ntp_acc(5)
[top]

List of man pages available for Scientific

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net