The skunk watches for intruders and sprays. |
1. Related Links
1.1. Access Control Commands and Options
2. Commands and Options
Unless noted otherwise, further information about these commands is on the Access Control Support page.
limit
[average
average] [burst
burst] [kod
kod]-
Set the parameters of the limited facility which protects the server from client abuse. Internally, each MRU slot contains a score in units of packets per second. It is updated each time a packet arrives from that IP Address. The score decays exponentially at the burst rate and is bumped by 1.0/burst when a packet arrives.
average
average-
Specify the allowed average rate for response packets in packets per second. The default is 1.0
burst
burst-
Specify the allowed burst size if the bursts are far enough apart to keep the average rate below average. The default is 20.0
kod
kod-
Specify the allowed average rate for KoD packets in packets per second. The default is 0.5
restrict
address[/cidr] [mask
mask] [flag
…
]-
The address argument expressed in dotted-quad (for IPv4) or :-delimited (for IPv6) form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. Instead of an explicit mask, the address/cidr may be specified in CIDR notation. A default entry (address
0.0.0.0
, mask0.0.0.0
) is always included and is always the first entry in the list. Note that text string default, with no mask option, may be used to indicate the default entry. In the current implementation, flag always restricts access, i.e., an entry with no flags indicates that free access to the server is to be given. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags can generally be classed into two categories, those which restrict time service and those which restrict informational queries and attempts to do a run-time reconfiguration of the server. One or more of the following flags may be specified:flake
-
Discard received NTP packets with probability 0.1; that is, on average drop one packet in ten. This flag is for testing and amusement. The name comes from Bob Braden’s flakeway, which once did a similar thing for early Internet testing.
ignore
-
Deny packets of all kinds, including ntpq(1) queries.
kod
-
If this flag is set when an access violation occurs, a kiss-o'-death (KoD) packet is sent. KoD packets are rate limited.
limited
-
Deny service if the packet spacing violates the lower limits specified in the limit command. A history of clients is kept using the monitoring capability of ntpd(8). Thus, monitoring is always active as long as there is a restriction entry with the limited flag.
mssntp
-
Enable Microsoft Windows MS-SNTP authentication using Active Directory services. Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.
nomodify
-
Deny ntpq(1) queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.
nomrulist
-
Do not accept MRU-list requests. These can be expensive to service and may generate a high volume of response traffic.
nopeer
-
Ignored. Was previously used to deny packets which would result in mobilizing a new association; this included symmetric active packets when a configured association did not exist. That used to happen when the remote client used the
peer
command in its config file. We don’t support that mode. It used to include pool servers, but they now poke a hole in any restrictions. noquery
-
Deny ntpq(1) queries. Time service is not affected.
noserve
-
Deny all packets except ntpq(1) queries. NB: This blocks requests from other clients and responses to your requests. If you are using servers in this IP range, you will need to add
restrict
slots to let them through. notrust
-
Deny service unless the packet is cryptographically authenticated.
ntpport
-
This is a match algorithm modifier, rather than a restriction flag. Its presence causes the restriction entry to be matched if the source port in the packet is the standard NTP UDP port (123). Both
ntpport
andnon-ntpport
may be specified. Thentpport
is considered more specific and is sorted later in the list. version
-
Deny packets that do not match the current NTP version.
Note: A second restrict line with the same address/mask does not replace the first one. The flags are merged. Thus:
restrict bob X restrict bob Y
is the same as
restrict bob X Y
Default restriction list entries with the flags ignore, interface,
ntpport, for each of the local host’s interface addresses are inserted
into the table at startup to prevent the server from attempting to
synchronize to its own time. A default entry is also always present.
It has noquery
to avoid packet length amplification which can
be used for DDoS with a forged return address and limited
to
avoid DDoS reflections.
unrestrict
address[/cidr] [mask
mask] [flag
…
]-
Like a
restrict
command, but turns off the specified flags rather than turning them on (expected to be useful mainly with ntpq :config). An unrestrict with no flags specified removes any rule with matching address and mask. Use only on an address/mask or CIDR-format address mentioned in a previousrestrict
statement.
Note: unrestrict default
will not do anything;
you can’t remove the builtin defaults.
If you want to remove them, use unrestrict default noquery limited
to turn off those flags.