File: [cvs.NetBSD.org] / src / etc / ntp.conf (download)
Revision 1.9.36.1, Mon Jan 6 19:24:42 2014 UTC (10 years, 3 months ago) by bouyer
Branch: netbsd-5-2
CVS Tags: netbsd-5-2-3-RELEASE, netbsd-5-2-2-RELEASE
Changes since 1.9: +75 -40
lines
etc/ntp.conf 1.16, 1.17, 1.18 via patch
external/bsd/ntp/dist/ntpd/ntp_request.c patch
Patch from ntp 4.2.7p404 to prevent an amplifier and DoS attack.
Add several "restrict" lines to the default ntp.conf and
improve comments
[spz, ticket #1895]
|
# $NetBSD: ntp.conf,v 1.9.36.1 2014/01/06 19:24:42 bouyer Exp $
#
# NetBSD default Network Time Protocol (NTP) configuration file for ntpd
# This file is intended to be both a usable default, and a Quick-Start
# Guide. The directives and options listed here are not at all complete.
# A great deal of additional documentation, including links to FAQS and
# other guides, may be found on the official NTP web site, in particular
#
# http://www.ntp.org/documentation.html
#
# Process ID file, so that the daemon can be signalled from scripts
pidfile /var/run/ntpd.pid
# The correction calculated by ntpd(8) for the local system clock's
# drift is stored here.
driftfile /var/db/ntp.drift
# Suppress the syslog(3) message for each peer synchronization change.
logconfig -syncstatus
# Refuse to set the local clock if there are too few good peers or servers.
# This may help minimize disruptions due to network congestion. Don't
# do this if you configure only one server!
tos minsane 2
# Access control restrictions.
# See /usr/share/doc/html/ntp/accopt.html for syntax.
# See <http://support.ntp.org/bin/view/Support/AccessRestrictions> for advice.
# Last match wins.
#
# Some of the more common keywords are:
# ignore Deny packets of all kinds.
# kod Send "kiss-o'-death" packets if clients exceed rate
# limits.
# nomodify Deny attempts to modify the state of the server via
# ntpq or ntpdc queries.
# noquery Deny all ntpq and ntpdc queries. Does not affect time
# synchronisation.
# nopeer Prevent establishing an new peer association.
# Does not affect preconfigured peer associations.
# Does not affect client/server time synchronisation.
# noserve Deny all time synchronisation. Does not affect ntpq or
# ntpdc queries.
# notrap Deny the trap subset of the ntpdc control message protocol.
# notrust Deny packets that are not cryptographically authenticated.
#
# By default, either deny everything, or allow client/server time exchange
# but deny configuration changes, queries, and peer associations that were not
# explicitly configured.
# (Uncomment one of the following "restrict default" lines.)
#
#restrict default ignore
restrict default kod nopeer noquery
# Fewer restrictions for the local subnet.
# (Uncomment and adjust as appropriate.)
#
#restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer
#restrict 2001:db8:: mask ffff:ffff:: kod nomodify notrap nopeer
# No restrictions for localhost.
#
restrict 127.0.0.1
restrict ::1
# Hereafter should be "server" or "peer" statements to configure other
# hosts to exchange NTP packets with.
#
# See <http://support.ntp.org/bin/view/Support/DesigningYourNTPNetwork>
# and <http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers>
# for advice.
#
# Peers should be selected in such a way that the network path to them
# is short, uncongested, and symmetric (that is, the series of links
# and routers used to get to the peer is the same one that the peer
# uses to get back). The best place to start looking for NTP peers for
# your system is within your own network, or at your Internet Service
# Provider (ISP).
#
# Ideally, you should select at least three other systems to talk NTP
# with, for an "what I tell you three times is true" effect.
#
# A "restrict" line for each configured peer or server might be necessary,
# if the "restrict default" settings are very restrictive. As a courtesy
# to configured peers and servers, consider allowing them to query.
#peer an.ntp.peer.goes.here
#server an.ntp.server.goes.here
#restrict an.ntp.server.goes.here nomodify notrap
# The pool.ntp.org project coordinates public time servers provided by
# volunteers. See <http://www.pool.ntp.org>. The *.netbsd.pool.ntp.org
# servers are intended to be used by default on NetBSD hosts, but
# servers that are closer to you are likely to be better. Consider
# using servers specific to your country, a nearby country, or your
# continent.
#
# The pool.ntp.org project needs more volunteers! The only criteria to
# join are a nailed-up connection and a static IP address. For details,
# see the web page:
#
# http://www.pool.ntp.org/join.html
#
server 0.netbsd.pool.ntp.org
restrict 0.netbsd.pool.ntp.org nomodify notrap
server 1.netbsd.pool.ntp.org
restrict 1.netbsd.pool.ntp.org nomodify notrap
server 2.netbsd.pool.ntp.org
restrict 2.netbsd.pool.ntp.org nomodify notrap
server 3.netbsd.pool.ntp.org
restrict 3.netbsd.pool.ntp.org nomodify notrap
![[BACK]](/icons/back.gif){kind=icon}
Return to ntp.conf CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / etc