1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
4 <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
5 <meta name="generator" content="HTML Tidy, see www.w3.org">
6 <title>Access Control Commands and Options</title> <!-- Changed by: Harlan
8 <link href="scripts/style.css" type="text/css" rel="stylesheet">
9 <style type="text/css">
12 color: #FF0000; font-weight: bold; } -->
16 <h3>Access Control Commands and Options</h3>
17 <img src="pic/pogo6.gif" alt="gif"
18 align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>,
20 <p>The skunk watches for intruders and sprays.</p>
21 <p>Last update: <!-- #BeginDate format:En2m -->7-Jan-2018 23:56<!-- #EndDate
24 <h4>Related Links</h4>
25 <script type="text/javascript" language="javascript"
26 src="scripts/command.txt"></script>
27 <script type="text/javascript" language="javascript"
28 src="scripts/accopt.txt"></script>
30 <h4>Commands and Options</h4>
31 <p>Unless noted otherwise, further information about these ccommands is on
32 the <a href="accopt.html">Access Control Support</a> page.</p>
34 <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ]
35 [ monitor <i>prob</i> ]</tt></dt>
36 <dd>Set the parameters of the rate control facility which protects the
37 server from client abuse. If the <tt>limited</tt> flag is present in the
38 ACL, packets that violate these limits are discarded. If, in addition,
39 the <tt>kod</tt> flag is present, a kiss-o'-death packet is
40 returned. See the <a href="rate.html">Rate Management</a> page for
41 further information. The options are:
43 <dt><tt>average <i>avg</i></tt></dt>
44 <dd>Specify the minimum average interpacket spacing (minimum average
45 headway time) in log<sub>2</sub> s with default 3.</dd>
46 <dt><tt>minimum <i>min</i></tt></dt>
47 <dd>Specify the minimum interpacket spacing (guard time) in seconds
49 <dt><tt>monitor</tt></dt>
50 <dd>Specify the probability of being recorded for packets that
51 overflow the MRU list size limit set by <tt>mru maxmem</tt>
52 or <tt>mru maxdepth</tt>. This is a performance optimization for
53 servers with aggregate arrivals of 1000 packets per second or
57 <dt id="restrict"><tt>restrict [-4 | -6] default [ippeerlimit <i>num</i>]
58 [<i>flag</i>][...]</tt></dt>
59 <dt><tt>restrict source [ippeerlimit <i>num</i>]
60 [<i>flag</i>][...]</tt></dt>
61 <dt><tt>restrict <i>address</i> [mask <i>mask</i>]
62 [ippeerlimit <i>num</i>] [<i>flag</i>][...]</tt></dt>
63 <dd>The <tt><i>address</i></tt> argument expressed in IPv4 or IPv6 numeric
64 address form is the address of a host or network. Alternatively,
65 the <tt><i>address</i></tt> argument can be a valid host DNS
66 name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6
67 numeric address form defaults to all mask bits on, meaning that
68 the <tt><i>address</i></tt> is treated as the address of an individual
69 host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and
70 address :: mask :: for IPv6) is always the first entry in the
71 list. <tt>restrict default</tt>, with no mask option, modifies both IPv4
72 and IPv6 default entries. <tt>restrict source</tt> configures a template
73 restriction automatically added at runtime for each association, whether
74 configured, ephemeral, or preemptible, and removed when the association
76 <dd>The optional <tt>ippeerlimit</tt> takes a numeric argument that
77 indicates how many incoming (at present) peer requests will be permitted
78 for each IP, regardless of whether or not the request comes from an
79 authenticated source. A value of -1 means "unlimited", which is the
80 current default. A value of 0 means "none". Ordinarily one would
81 expect at most 1 of these sessions to exist per IP, however if the
82 remote side is operating thru a proxy there would be one association for
83 each remote peer at that IP.</dd>
84 <dd>Some flags have the effect to deny service, some have the effect to
85 enable service and some are conditioned by other flags. The flags are
86 not orthogonal, in that more restrictive flags will often make less
87 restrictive ones redundant. The flags that deny service are classed in
88 two categories, those that restrict time service and those that restrict
89 informational queries and attempts to do run-time reconfiguration of the
90 server. One or more of the following flags may be specified:</dd>
93 <dt><tt>flake</tt></dt>
94 <dd>Discard received NTP packets with probability 0.1; that is, on
95 average drop one packet in ten. This is for testing and
96 amusement. The name comes from Bob Braden's <i>flakeway</i>, which
97 once did a similar thing for early Internet testing.</dd>
98 <dt><tt>ignore</tt></dt>
99 <dd>Deny packets of all kinds, including <tt>ntpq</tt>
100 and <tt>ntpdc</tt> queries.</dd>
101 <dt><tt>kod</tt></dt>
102 <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is
103 present and a packet violates the rate limits established by
104 the <tt>discard</tt> command. KoD packets are themselves rate
105 limited for each source address separately. If the <tt>kod</tt> flag
106 is used in a restriction which does not have the <tt>limited</tt>
107 flag, no KoD responses will result.</dd>
108 <dt id="limited"><tt>limited</tt></dt>
109 <dd>Deny time service if the packet violates the rate limits
110 established by the <tt>discard</tt> command. This does not apply
111 to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd>
112 <dt><tt>lowpriotrap</tt></dt>
113 <dd>Declare traps set by matching hosts to be low priority. The number
114 of traps a server can maintain is limited (the current limit is
115 3). Traps are usually assigned on a first come, first served basis,
116 with later trap requestors being denied service. This flag modifies
117 the assignment algorithm by allowing low priority traps to be
118 overridden by later requests for normal priority traps.</dd>
119 <dt><tt>mssntp</tt></dt>
120 <dd>Enable Microsoft Windows MS-SNTP authentication using Active
121 Directory services. <span class="style1"><b>Note: Potential users
122 should be aware that these services involve a TCP connection to
123 another process that could potentially block, denying services to
124 other users. Therefore, this flag should be used only for a
125 dedicated server with no clients other than MS-SNTP.</b></span></dd>
126 <dt><tt>noepeer</tt></dt>
127 <dd>Deny packets that would mobilize an ephemeral peering association,
128 even if authenticated.</dd>
129 <dt><tt>nomodify</tt></dt>
130 <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to
131 modify the state of the server (i.e., run time
132 reconfiguration). Queries which return information are
134 <dt><tt>noquery</tt></dt>
135 <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not
137 <dt><tt>nopeer</tt></dt>
138 <dd>Deny packets that might mobilize an association unless
139 authenticated. This includes broadcast, symmetric-active and
140 manycast server packets when a configured association does not
141 exist. It also includes <tt>pool</tt> associations, so if you want
142 to use servers from a <tt>pool</tt> directive and also want to
143 use <tt>nopeer</tt> by default, you'll want a <tt>"restrict source
144 ..."</tt> line as well that does <i>not</i> include
145 the <tt>nopeer</tt> directive. Note that this flag does not apply
146 to packets that do not attempt to mobilize an association. </dd>
147 <dt><tt>noserve</tt></dt>
148 <dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt>
150 <dt><tt>notrap</tt></dt>
151 <dd>Decline to provide mode 6 control message trap service to matching
152 hosts. The trap service is a subsystem of the <tt>ntpdc</tt> control
153 message protocol which is intended for use by remote event logging
155 <dt><tt>notrust</tt></dt>
156 <dd>Deny packets that are not cryptographically authenticated. Note
157 carefully how this flag interacts with the <tt>auth</tt> option of
158 the <tt>enable</tt> and <tt>disable</tt> commands. If <tt>auth</tt>
159 is enabled, which is the default, authentication is required for all
160 packets that might mobilize an association. If <tt>auth</tt> is
161 disabled, but the <tt>notrust</tt> flag is not present, an
162 association can be mobilized whether or not
163 authenticated. If <tt>auth</tt> is disabled, but
164 the <tt>notrust</tt> flag is present, authentication is required
165 only for the specified address/mask range. </dd>
166 <dt><tt>ntpport</tt></dt>
167 <dd>This is actually a match algorithm modifier, rather than a
168 restriction flag. Its presence causes the restriction entry to be
169 matched only if the source port in the packet is the standard NTP
170 UDP port (123). A restrict line containing <tt>ntpport</tt> is
171 considered more specific than one with the same address and mask,
172 but lacking <tt>ntpport</tt>.</dd>
173 <dt><tt>serverresponse fuzz</tt></dt>
174 <dd>When reponding to server requests, fuzz the low order bits of
175 the <tt>reftime</tt>.</dd>
176 <dt><tt>version</tt></dt>
177 <dd>Deny packets that do not match the current NTP version.</dd>
180 <dd>Default restriction list entries with the flags <tt>ignore,
181 ntpport</tt>, for each of the local host's interface addresses are
182 inserted into the table at startup to prevent the server from
183 attempting to synchronize to its own time. A default entry is also
184 always present, though if it is otherwise unconfigured; no flags are
185 associated with the default entry (i.e., everything besides your own
186 NTP server is unrestricted).</dd>
189 <script type="text/javascript" language="javascript"
190 src="scripts/footer.txt"></script>