19c2daa00SOllivier Robert<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> 29c2daa00SOllivier Robert<html> 39c2daa00SOllivier Robert<head> 49c2daa00SOllivier Robert<meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> 59c2daa00SOllivier Robert<meta name="generator" content="HTML Tidy, see www.w3.org"> 69c2daa00SOllivier Robert<title>Access Control Commands and Options</title> <!-- Changed by: Harlan 79c2daa00SOllivier Robert&, 13-Nov-2014 --> 89c2daa00SOllivier Robert<link href="scripts/style.css" type="text/css" rel="stylesheet"> 99c2daa00SOllivier Robert<style type="text/css"> 109c2daa00SOllivier Robert<!-- 119c2daa00SOllivier Robert<style1 { 129c2daa00SOllivier Robertcolor: #FF0000; font-weight: bold; } --> 139c2daa00SOllivier Robert</style> 149c2daa00SOllivier Robert</head> 159c2daa00SOllivier Robert<body> 169c2daa00SOllivier Robert<h3>Access Control Commands and Options</h3> 179c2daa00SOllivier Robert<img src="pic/pogo6.gif" alt="gif" 189c2daa00SOllivier Robertalign="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, 199c2daa00SOllivier RobertWalt Kelly</a> 209c2daa00SOllivier Robert<p>The skunk watches for intruders and sprays.</p> 219c2daa00SOllivier Robert<p>Last update: <!-- #BeginDate format:En2m -->7-Jan-2018 23:56<!-- #EndDate 229c2daa00SOllivier Robert --> UTC</p> 239c2daa00SOllivier Robert<br clear="left"> 249c2daa00SOllivier Robert<h4>Related Links</h4> 259c2daa00SOllivier Robert<script type="text/javascript" language="javascript" 269c2daa00SOllivier Robertsrc="scripts/command.txt"></script> 279c2daa00SOllivier Robert<script type="text/javascript" language="javascript" 289c2daa00SOllivier Robertsrc="scripts/accopt.txt"></script> 299c2daa00SOllivier Robert<hr> 309c2daa00SOllivier Robert<h4>Commands and Options</h4> 319c2daa00SOllivier Robert<p>Unless noted otherwise, further information about these ccommands is on 329c2daa00SOllivier Robertthe <a href="accopt.html">Access Control Support</a> page.</p> 339c2daa00SOllivier Robert<dl> 349c2daa00SOllivier Robert <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] 359c2daa00SOllivier Robert [ monitor <i>prob</i> ]</tt></dt> 369c2daa00SOllivier Robert <dd>Set the parameters of the rate control facility which protects the 379c2daa00SOllivier Robert server from client abuse. If the <tt>limited</tt> flag is present in the 389c2daa00SOllivier Robert ACL, packets that violate these limits are discarded. If, in addition, 399c2daa00SOllivier Robert the <tt>kod</tt> flag is present, a kiss-o'-death packet is 409c2daa00SOllivier Robert returned. See the <a href="rate.html">Rate Management</a> page for 419c2daa00SOllivier Robert further information. The options are: 429c2daa00SOllivier Robert <dl> 439c2daa00SOllivier Robert <dt><tt>average <i>avg</i></tt></dt> 449c2daa00SOllivier Robert <dd>Specify the minimum average interpacket spacing (minimum average 459c2daa00SOllivier Robert headway time) in log<sub>2</sub> s with default 3.</dd> 469c2daa00SOllivier Robert <dt><tt>minimum <i>min</i></tt></dt> 479c2daa00SOllivier Robert <dd>Specify the minimum interpacket spacing (guard time) in seconds 489c2daa00SOllivier Robert with default 2.</dd> 499c2daa00SOllivier Robert <dt><tt>monitor</tt></dt> 509c2daa00SOllivier Robert <dd>Specify the probability of being recorded for packets that 519c2daa00SOllivier Robert overflow the MRU list size limit set by <tt>mru maxmem</tt> 529c2daa00SOllivier Robert or <tt>mru maxdepth</tt>. This is a performance optimization for 539c2daa00SOllivier Robert servers with aggregate arrivals of 1000 packets per second or 549c2daa00SOllivier Robert more.</dd> 559c2daa00SOllivier Robert </dl> 569c2daa00SOllivier Robert </dd> 579c2daa00SOllivier Robert <dt id="restrict"><tt>restrict [-4 | -6] default [ippeerlimit <i>num</i>] 589c2daa00SOllivier Robert [<i>flag</i>][...]</tt></dt> 599c2daa00SOllivier Robert <dt><tt>restrict source [ippeerlimit <i>num</i>] 609c2daa00SOllivier Robert [<i>flag</i>][...]</tt></dt> 619c2daa00SOllivier Robert <dt><tt>restrict <i>address</i> [mask <i>mask</i>] 629c2daa00SOllivier Robert [ippeerlimit <i>num</i>] [<i>flag</i>][...]</tt></dt> 639c2daa00SOllivier Robert <dd>The <tt><i>address</i></tt> argument expressed in IPv4 or IPv6 numeric 649c2daa00SOllivier Robert address form is the address of a host or network. Alternatively, 659c2daa00SOllivier Robert the <tt><i>address</i></tt> argument can be a valid host DNS 669c2daa00SOllivier Robert name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6 679c2daa00SOllivier Robert numeric address form defaults to all mask bits on, meaning that 689c2daa00SOllivier Robert the <tt><i>address</i></tt> is treated as the address of an individual 699c2daa00SOllivier Robert host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and 709c2daa00SOllivier Robert address :: mask :: for IPv6) is always the first entry in the 71 list. <tt>restrict default</tt>, with no mask option, modifies both IPv4 72 and IPv6 default entries. <tt>restrict source</tt> configures a template 73 restriction automatically added at runtime for each association, whether 74 configured, ephemeral, or preemptible, and removed when the association 75 is demobilized.</dd> 76 <dd>The optional <tt>ippeerlimit</tt> takes a numeric argument that 77 indicates how many incoming (at present) peer requests will be permitted 78 for each IP, regardless of whether or not the request comes from an 79 authenticated source. A value of -1 means "unlimited", which is the 80 current default. A value of 0 means "none". Ordinarily one would 81 expect at most 1 of these sessions to exist per IP, however if the 82 remote side is operating thru a proxy there would be one association for 83 each remote peer at that IP.</dd> 84 <dd>Some flags have the effect to deny service, some have the effect to 85 enable service and some are conditioned by other flags. The flags are 86 not orthogonal, in that more restrictive flags will often make less 87 restrictive ones redundant. The flags that deny service are classed in 88 two categories, those that restrict time service and those that restrict 89 informational queries and attempts to do run-time reconfiguration of the 90 server. One or more of the following flags may be specified:</dd> 91 <dd> 92 <dl> 93 <dt><tt>flake</tt></dt> 94 <dd>Discard received NTP packets with probability 0.1; that is, on 95 average drop one packet in ten. This is for testing and 96 amusement. The name comes from Bob Braden's <i>flakeway</i>, which 97 once did a similar thing for early Internet testing.</dd> 98 <dt><tt>ignore</tt></dt> 99 <dd>Deny packets of all kinds, including <tt>ntpq</tt> 100 and <tt>ntpdc</tt> queries.</dd> 101 <dt><tt>kod</tt></dt> 102 <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is 103 present and a packet violates the rate limits established by 104 the <tt>discard</tt> command. KoD packets are themselves rate 105 limited for each source address separately. If the <tt>kod</tt> flag 106 is used in a restriction which does not have the <tt>limited</tt> 107 flag, no KoD responses will result.</dd> 108 <dt id="limited"><tt>limited</tt></dt> 109 <dd>Deny time service if the packet violates the rate limits 110 established by the <tt>discard</tt> command. This does not apply 111 to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> 112 <dt><tt>lowpriotrap</tt></dt> 113 <dd>Declare traps set by matching hosts to be low priority. The number 114 of traps a server can maintain is limited (the current limit is 115 3). Traps are usually assigned on a first come, first served basis, 116 with later trap requestors being denied service. This flag modifies 117 the assignment algorithm by allowing low priority traps to be 118 overridden by later requests for normal priority traps.</dd> 119 <dt><tt>mssntp</tt></dt> 120 <dd>Enable Microsoft Windows MS-SNTP authentication using Active 121 Directory services. <span class="style1"><b>Note: Potential users 122 should be aware that these services involve a TCP connection to 123 another process that could potentially block, denying services to 124 other users. Therefore, this flag should be used only for a 125 dedicated server with no clients other than MS-SNTP.</b></span></dd> 126 <dt><tt>noepeer</tt></dt> 127 <dd>Deny packets that would mobilize an ephemeral peering association, 128 even if authenticated.</dd> 129 <dt><tt>nomodify</tt></dt> 130 <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to 131 modify the state of the server (i.e., run time 132 reconfiguration). Queries which return information are 133 permitted.</dd> 134 <dt><tt>noquery</tt></dt> 135 <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not 136 affected.</dd> 137 <dt><tt>nopeer</tt></dt> 138 <dd>Deny packets that might mobilize an association unless 139 authenticated. This includes broadcast, symmetric-active and 140 manycast server packets when a configured association does not 141 exist. It also includes <tt>pool</tt> associations, so if you want 142 to use servers from a <tt>pool</tt> directive and also want to 143 use <tt>nopeer</tt> by default, you'll want a <tt>"restrict source 144 ..."</tt> line as well that does <i>not</i> include 145 the <tt>nopeer</tt> directive. Note that this flag does not apply 146 to packets that do not attempt to mobilize an association. </dd> 147 <dt><tt>noserve</tt></dt> 148 <dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt> 149 queries.</dd> 150 <dt><tt>notrap</tt></dt> 151 <dd>Decline to provide mode 6 control message trap service to matching 152 hosts. The trap service is a subsystem of the <tt>ntpdc</tt> control 153 message protocol which is intended for use by remote event logging 154 programs.</dd> 155 <dt><tt>notrust</tt></dt> 156 <dd>Deny packets that are not cryptographically authenticated. Note 157 carefully how this flag interacts with the <tt>auth</tt> option of 158 the <tt>enable</tt> and <tt>disable</tt> commands. If <tt>auth</tt> 159 is enabled, which is the default, authentication is required for all 160 packets that might mobilize an association. If <tt>auth</tt> is 161 disabled, but the <tt>notrust</tt> flag is not present, an 162 association can be mobilized whether or not 163 authenticated. If <tt>auth</tt> is disabled, but 164 the <tt>notrust</tt> flag is present, authentication is required 165 only for the specified address/mask range. </dd> 166 <dt><tt>ntpport</tt></dt> 167 <dd>This is actually a match algorithm modifier, rather than a 168 restriction flag. Its presence causes the restriction entry to be 169 matched only if the source port in the packet is the standard NTP 170 UDP port (123). A restrict line containing <tt>ntpport</tt> is 171 considered more specific than one with the same address and mask, 172 but lacking <tt>ntpport</tt>.</dd> 173 <dt><tt>serverresponse fuzz</tt></dt> 174 <dd>When reponding to server requests, fuzz the low order bits of 175 the <tt>reftime</tt>.</dd> 176 <dt><tt>version</tt></dt> 177 <dd>Deny packets that do not match the current NTP version.</dd> 178 </dl> 179 </dd> 180 <dd>Default restriction list entries with the flags <tt>ignore, 181 ntpport</tt>, for each of the local host's interface addresses are 182 inserted into the table at startup to prevent the server from 183 attempting to synchronize to its own time. A default entry is also 184 always present, though if it is otherwise unconfigured; no flags are 185 associated with the default entry (i.e., everything besides your own 186 NTP server is unrestricted).</dd> 187</dl> 188<hr> 189<script type="text/javascript" language="javascript" 190src="scripts/footer.txt"></script> 191</body> 192</html> 193