diff options
Diffstat (limited to 'contrib/ntp/html/accopt.html')
-rw-r--r-- | contrib/ntp/html/accopt.html | 182 |
1 files changed, 139 insertions, 43 deletions
diff --git a/contrib/ntp/html/accopt.html b/contrib/ntp/html/accopt.html index 6caff48..4417a8c 100644 --- a/contrib/ntp/html/accopt.html +++ b/contrib/ntp/html/accopt.html @@ -3,89 +3,185 @@ <head> <meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> <meta name="generator" content="HTML Tidy, see www.w3.org"> -<title>Access Control Commands and Options</title> -<!-- Changed by: Harlan &, 13-Nov-2014 --> +<title>Access Control Commands and Options</title> <!-- Changed by: Harlan +&, 13-Nov-2014 --> <link href="scripts/style.css" type="text/css" rel="stylesheet"> <style type="text/css"> <!-- <style1 { -color: #FF0000; - font-weight: bold; -} ---> +color: #FF0000; font-weight: bold; } --> </style> </head> <body> <h3>Access Control Commands and Options</h3> -<img src="pic/pogo6.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a> +<img src="pic/pogo6.gif" alt="gif" +align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, +Walt Kelly</a> <p>The skunk watches for intruders and sprays.</p> -<p>Last update: - <!-- #BeginDate format:En2m -->13-Nov-2014 03:00<!-- #EndDate --> - UTC</p> +<p>Last update: <!-- #BeginDate format:En2m -->7-Jan-2018 23:56<!-- #EndDate + --> UTC</p> <br clear="left"> <h4>Related Links</h4> -<script type="text/javascript" language="javascript" src="scripts/command.txt"></script> -<script type="text/javascript" language="javascript" src="scripts/accopt.txt"></script> +<script type="text/javascript" language="javascript" +src="scripts/command.txt"></script> +<script type="text/javascript" language="javascript" +src="scripts/accopt.txt"></script> <hr> <h4>Commands and Options</h4> -<p>Unless noted otherwise, further information about these ccommands is on the <a href="accopt.html">Access Control Support</a> page.</p> +<p>Unless noted otherwise, further information about these ccommands is on +the <a href="accopt.html">Access Control Support</a> page.</p> <dl> - <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] [ monitor <i>prob</i> ]</tt></dt> - <dd>Set the parameters of the rate control facility which protects the server from client abuse. If the <tt>limited</tt> flag is present in the ACL, packets that violate these limits are discarded. If, in addition, the <tt>kod</tt> flag is present, a kiss-o'-death packet is returned. See the <a href="rate.html">Rate Management</a> page for further information. The options are: + <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] + [ monitor <i>prob</i> ]</tt></dt> + <dd>Set the parameters of the rate control facility which protects the + server from client abuse. If the <tt>limited</tt> flag is present in the + ACL, packets that violate these limits are discarded. If, in addition, + the <tt>kod</tt> flag is present, a kiss-o'-death packet is + returned. See the <a href="rate.html">Rate Management</a> page for + further information. The options are: <dl> <dt><tt>average <i>avg</i></tt></dt> - <dd>Specify the minimum average interpacket spacing (minimum average headway - time) in log<sub>2</sub> s with default 3.</dd> + <dd>Specify the minimum average interpacket spacing (minimum average + headway time) in log<sub>2</sub> s with default 3.</dd> <dt><tt>minimum <i>min</i></tt></dt> - <dd>Specify the minimum interpacket spacing (guard time) in seconds with default 2.</dd> + <dd>Specify the minimum interpacket spacing (guard time) in seconds + with default 2.</dd> <dt><tt>monitor</tt></dt> - <dd>Specify the probability of being recorded for packets that overflow the MRU list size limit set by <tt>mru maxmem</tt> or <tt>mru maxdepth</tt>. This is a performance optimization for servers with aggregate arrivals of 1000 packets per second or more.</dd> + <dd>Specify the probability of being recorded for packets that + overflow the MRU list size limit set by <tt>mru maxmem</tt> + or <tt>mru maxdepth</tt>. This is a performance optimization for + servers with aggregate arrivals of 1000 packets per second or + more.</dd> </dl> </dd> - <dt id="restrict"><tt>restrict default [<i>flag</i>][...]<br> - restrict source [<i>flag</i>][...]<br> - restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt></dt> - <dd>The <tt><i>address</i></tt> argument expressed in dotted-quad form is the address of a host or network. Alternatively, the <tt><i>address</i></tt> argument can be a valid host DNS name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the <tt><i>address</i></tt> is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. <tt>restrict default</tt>, with no mask option, modifies both IPv4 and IPv6 default entries. <tt>restrict source</tt> configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.</dd> - <dd>Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:</dd> + <dt id="restrict"><tt>restrict [-4 | -6] default [ippeerlimit <i>num</i>] + [<i>flag</i>][...]<br> restrict source [ippeerlimit <i>num</i>] + [<i>flag</i>][...]<br> restrict <i>address</i> [mask <i>mask</i>] + [ippeerlimit <i>num</i>] [<i>flag</i>][...]</tt></dt> + <dd>The <tt><i>address</i></tt> argument expressed in IPv4 or IPv6 numeric + address form is the address of a host or network. Alternatively, + the <tt><i>address</i></tt> argument can be a valid host DNS + name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6 + numeric address form defaults to all mask bits on, meaning that + the <tt><i>address</i></tt> is treated as the address of an individual + host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and + address :: mask :: for IPv6) is always the first entry in the + list. <tt>restrict default</tt>, with no mask option, modifies both IPv4 + and IPv6 default entries. <tt>restrict source</tt> configures a template + restriction automatically added at runtime for each association, whether + configured, ephemeral, or preemptible, and removed when the association + is demobilized.</dd> + <dd>The optional <tt>ippeerlimit</tt> takes a numeric argument that + indicates how many incoming (at present) peer requests will be permitted + for each IP, regardless of whether or not the request comes from an + authenticated source. A value of -1 means "unlimited", which is the + current default. A value of 0 means "none". Ordinarily one would + expect at most 1 of these sessions to exist per IP, however if the + remote side is operating thru a proxy there would be one association for + each remote peer at that IP.</dd> + <dd>Some flags have the effect to deny service, some have the effect to + enable service and some are conditioned by other flags. The flags are + not orthogonal, in that more restrictive flags will often make less + restrictive ones redundant. The flags that deny service are classed in + two categories, those that restrict time service and those that restrict + informational queries and attempts to do run-time reconfiguration of the + server. One or more of the following flags may be specified:</dd> <dd> <dl> <dt><tt>flake</tt></dt> - <dd>Discard received NTP packets with probability 0.1; that is, on average drop one packet in ten. This is for testing and amusement. The name comes from Bob Braden's <i>flakeway</i>, which once did a similar thing for early Internet testing.</dd> + <dd>Discard received NTP packets with probability 0.1; that is, on + average drop one packet in ten. This is for testing and + amusement. The name comes from Bob Braden's <i>flakeway</i>, which + once did a similar thing for early Internet testing.</dd> <dt><tt>ignore</tt></dt> - <dd>Deny packets of all kinds, including <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> + <dd>Deny packets of all kinds, including <tt>ntpq</tt> + and <tt>ntpdc</tt> queries.</dd> <dt><tt>kod</tt></dt> - <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is present and a packet violates the rate limits established by the <tt>discard</tt> command. KoD packets are themselves rate limited for each source address separately. If the <tt>kod</tt> flag is used in a restriction which does not have the <tt>limited</tt> flag, no KoD responses will result.</dd> + <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is + present and a packet violates the rate limits established by + the <tt>discard</tt> command. KoD packets are themselves rate + limited for each source address separately. If the <tt>kod</tt> flag + is used in a restriction which does not have the <tt>limited</tt> + flag, no KoD responses will result.</dd> <dt id="limited"><tt>limited</tt></dt> - <dd>Deny time service if the packet violates the rate limits established by the <tt>discard</tt> command. This does not apply to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> + <dd>Deny time service if the packet violates the rate limits + established by the <tt>discard</tt> command. This does not apply + to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> <dt><tt>lowpriotrap</tt></dt> - <dd>Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps.</dd> + <dd>Declare traps set by matching hosts to be low priority. The number + of traps a server can maintain is limited (the current limit is + 3). Traps are usually assigned on a first come, first served basis, + with later trap requestors being denied service. This flag modifies + the assignment algorithm by allowing low priority traps to be + overridden by later requests for normal priority traps.</dd> <dt><tt>mssntp</tt></dt> - <dd>Enable Microsoft Windows MS-SNTP authentication using Active Directory services. <span class="style1"><b>Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.</b></span></dd> + <dd>Enable Microsoft Windows MS-SNTP authentication using Active + Directory services. <span class="style1"><b>Note: Potential users + should be aware that these services involve a TCP connection to + another process that could potentially block, denying services to + other users. Therefore, this flag should be used only for a + dedicated server with no clients other than MS-SNTP.</b></span></dd> + <dt><tt>noepeer</tt></dt> + <dd>Deny packets that would mobilize an ephemeral peering association, + even if authenticated.</dd> <dt><tt>nomodify</tt></dt> - <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.</dd> + <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to + modify the state of the server (i.e., run time + reconfiguration). Queries which return information are + permitted.</dd> <dt><tt>noquery</tt></dt> - <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not affected.</dd> + <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not + affected.</dd> <dt><tt>nopeer</tt></dt> - <dd>Deny packets that might mobilize an association unless authenticated. This includes broadcast, symmetric-active and manycast server packets when a configured association does not exist. It also includes <tt>pool</tt> associations, so if you want to use servers from a <tt>pool</tt> directive and also want to use <tt>nopeer</tt> by default, you'll want a <tt>"restrict source ..."</tt> line as well that does <i>not</i> include the <tt>nopeer</tt> directive. Note that this flag does not apply to packets that do not attempt to mobilize an association. </dd> + <dd>Deny packets that might mobilize an association unless + authenticated. This includes broadcast, symmetric-active and + manycast server packets when a configured association does not + exist. It also includes <tt>pool</tt> associations, so if you want + to use servers from a <tt>pool</tt> directive and also want to + use <tt>nopeer</tt> by default, you'll want a <tt>"restrict source + ..."</tt> line as well that does <i>not</i> include + the <tt>nopeer</tt> directive. Note that this flag does not apply + to packets that do not attempt to mobilize an association. </dd> <dt><tt>noserve</tt></dt> - <dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> + <dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt> + queries.</dd> <dt><tt>notrap</tt></dt> - <dd>Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the <tt>ntpdc</tt> control message protocol which is intended for use by remote event logging programs.</dd> + <dd>Decline to provide mode 6 control message trap service to matching + hosts. The trap service is a subsystem of the <tt>ntpdc</tt> control + message protocol which is intended for use by remote event logging + programs.</dd> <dt><tt>notrust</tt></dt> - <dd>Deny packets that are not cryptographically authenticated. Note carefully how this flag interacts with the <tt>auth</tt> option of the <tt>enable</tt> and <tt>disable</tt> commands. If <tt>auth</tt> is enabled, which is the default, authentication is required for all packets that might mobilize an association. If <tt>auth</tt> is disabled, but the <tt>notrust</tt> flag is not present, an association can be mobilized whether or not authenticated. If <tt>auth</tt> is disabled, but the <tt>notrust</tt> flag is present, authentication is required only for the specified address/mask range. </dd> + <dd>Deny packets that are not cryptographically authenticated. Note + carefully how this flag interacts with the <tt>auth</tt> option of + the <tt>enable</tt> and <tt>disable</tt> commands. If <tt>auth</tt> + is enabled, which is the default, authentication is required for all + packets that might mobilize an association. If <tt>auth</tt> is + disabled, but the <tt>notrust</tt> flag is not present, an + association can be mobilized whether or not + authenticated. If <tt>auth</tt> is disabled, but + the <tt>notrust</tt> flag is present, authentication is required + only for the specified address/mask range. </dd> <dt><tt>ntpport</tt></dt> - <dd>This is actually a match algorithm modifier, rather than a restriction - flag. Its presence causes the restriction entry to be matched only if the - source port in the packet is the standard NTP UDP port (123). A restrict line - containing <tt>ntpport</tt> is considered more specific than one with the - same address and mask, but lacking <tt>ntpport</tt>.</dd> + <dd>This is actually a match algorithm modifier, rather than a + restriction flag. Its presence causes the restriction entry to be + matched only if the source port in the packet is the standard NTP + UDP port (123). A restrict line containing <tt>ntpport</tt> is + considered more specific than one with the same address and mask, + but lacking <tt>ntpport</tt>.</dd> <dt><tt>version</tt></dt> <dd>Deny packets that do not match the current NTP version.</dd> </dl> </dd> - <dd>Default restriction list entries with the flags <tt>ignore, ntpport</tt>, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).</dd> + <dd>Default restriction list entries with the flags <tt>ignore, + ntpport</tt>, for each of the local host's interface addresses are + inserted into the table at startup to prevent the server from + attempting to synchronize to its own time. A default entry is also + always present, though if it is otherwise unconfigured; no flags are + associated with the default entry (i.e., everything besides your own + NTP server is unrestricted).</dd> </dl> <hr> -<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script> +<script type="text/javascript" language="javascript" +src="scripts/footer.txt"></script> </body> </html> |