1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> 2<html> 3<head> 4<meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> 5<meta name="generator" content="HTML Tidy, see www.w3.org"> 6<title>Access Control Commands and Options</title> <!-- Changed by: Harlan 7&, 13-Nov-2014 --> 8<link href="scripts/style.css" type="text/css" rel="stylesheet"> 9<style type="text/css"> 10<!-- 11<style1 { 12color: #FF0000; font-weight: bold; } --> 13</style> 14</head> 15<body> 16<h3>Access Control Commands and Options</h3> 17<img src="pic/pogo6.gif" alt="gif" 18align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, 19Walt Kelly</a> 20<p>The skunk watches for intruders and sprays.</p> 21<p>Last update: <!-- #BeginDate format:En2m -->7-Jan-2018 23:56<!-- #EndDate 22 --> UTC</p> 23<br clear="left"> 24<h4>Related Links</h4> 25<script type="text/javascript" language="javascript" 26src="scripts/command.txt"></script> 27<script type="text/javascript" language="javascript" 28src="scripts/accopt.txt"></script> 29<hr> 30<h4>Commands and Options</h4> 31<p>Unless noted otherwise, further information about these ccommands is on 32the <a href="accopt.html">Access Control Support</a> page.</p> 33<dl> 34 <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] 35 [ monitor <i>prob</i> ]</tt></dt> 36 <dd>Set the parameters of the rate control facility which protects the 37 server from client abuse. If the <tt>limited</tt> flag is present in the 38 ACL, packets that violate these limits are discarded. If, in addition, 39 the <tt>kod</tt> flag is present, a kiss-o'-death packet is 40 returned. See the <a href="rate.html">Rate Management</a> page for 41 further information. The options are: 42 <dl> 43 <dt><tt>average <i>avg</i></tt></dt> 44 <dd>Specify the minimum average interpacket spacing (minimum average 45 headway time) in log<sub>2</sub> s with default 3.</dd> 46 <dt><tt>minimum <i>min</i></tt></dt> 47 <dd>Specify the minimum interpacket spacing (guard time) in seconds 48 with default 2.</dd> 49 <dt><tt>monitor</tt></dt> 50 <dd>Specify the probability of being recorded for packets that 51 overflow the MRU list size limit set by <tt>mru maxmem</tt> 52 or <tt>mru maxdepth</tt>. This is a performance optimization for 53 servers with aggregate arrivals of 1000 packets per second or 54 more.</dd> 55 </dl> 56 </dd> 57 <dt id="restrict"><tt>restrict [-4 | -6] default [ippeerlimit <i>num</i>] 58 [<i>flag</i>][...]<br> restrict source [ippeerlimit <i>num</i>] 59 [<i>flag</i>][...]<br> restrict <i>address</i> [mask <i>mask</i>] 60 [ippeerlimit <i>num</i>] [<i>flag</i>][...]</tt></dt> 61 <dd>The <tt><i>address</i></tt> argument expressed in IPv4 or IPv6 numeric 62 address form is the address of a host or network. Alternatively, 63 the <tt><i>address</i></tt> argument can be a valid host DNS 64 name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6 65 numeric address form defaults to all mask bits on, meaning that 66 the <tt><i>address</i></tt> is treated as the address of an individual 67 host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and 68 address :: mask :: for IPv6) is always the first entry in the 69 list. <tt>restrict default</tt>, with no mask option, modifies both IPv4 70 and IPv6 default entries. <tt>restrict source</tt> configures a template 71 restriction automatically added at runtime for each association, whether 72 configured, ephemeral, or preemptible, and removed when the association 73 is demobilized.</dd> 74 <dd>The optional <tt>ippeerlimit</tt> takes a numeric argument that 75 indicates how many incoming (at present) peer requests will be permitted 76 for each IP, regardless of whether or not the request comes from an 77 authenticated source. A value of -1 means "unlimited", which is the 78 current default. A value of 0 means "none". Ordinarily one would 79 expect at most 1 of these sessions to exist per IP, however if the 80 remote side is operating thru a proxy there would be one association for 81 each remote peer at that IP.</dd> 82 <dd>Some flags have the effect to deny service, some have the effect to 83 enable service and some are conditioned by other flags. The flags are 84 not orthogonal, in that more restrictive flags will often make less 85 restrictive ones redundant. The flags that deny service are classed in 86 two categories, those that restrict time service and those that restrict 87 informational queries and attempts to do run-time reconfiguration of the 88 server. One or more of the following flags may be specified:</dd> 89 <dd> 90 <dl> 91 <dt><tt>flake</tt></dt> 92 <dd>Discard received NTP packets with probability 0.1; that is, on 93 average drop one packet in ten. This is for testing and 94 amusement. The name comes from Bob Braden's <i>flakeway</i>, which 95 once did a similar thing for early Internet testing.</dd> 96 <dt><tt>ignore</tt></dt> 97 <dd>Deny packets of all kinds, including <tt>ntpq</tt> 98 and <tt>ntpdc</tt> queries.</dd> 99 <dt><tt>kod</tt></dt> 100 <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is 101 present and a packet violates the rate limits established by 102 the <tt>discard</tt> command. KoD packets are themselves rate 103 limited for each source address separately. If the <tt>kod</tt> flag 104 is used in a restriction which does not have the <tt>limited</tt> 105 flag, no KoD responses will result.</dd> 106 <dt id="limited"><tt>limited</tt></dt> 107 <dd>Deny time service if the packet violates the rate limits 108 established by the <tt>discard</tt> command. This does not apply 109 to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> 110 <dt><tt>lowpriotrap</tt></dt> 111 <dd>Declare traps set by matching hosts to be low priority. The number 112 of traps a server can maintain is limited (the current limit is 113 3). Traps are usually assigned on a first come, first served basis, 114 with later trap requestors being denied service. This flag modifies 115 the assignment algorithm by allowing low priority traps to be 116 overridden by later requests for normal priority traps.</dd> 117 <dt><tt>mssntp</tt></dt> 118 <dd>Enable Microsoft Windows MS-SNTP authentication using Active 119 Directory services. <span class="style1"><b>Note: Potential users 120 should be aware that these services involve a TCP connection to 121 another process that could potentially block, denying services to 122 other users. Therefore, this flag should be used only for a 123 dedicated server with no clients other than MS-SNTP.</b></span></dd> 124 <dt><tt>noepeer</tt></dt> 125 <dd>Deny packets that would mobilize an ephemeral peering association, 126 even if authenticated.</dd> 127 <dt><tt>nomodify</tt></dt> 128 <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to 129 modify the state of the server (i.e., run time 130 reconfiguration). Queries which return information are 131 permitted.</dd> 132 <dt><tt>noquery</tt></dt> 133 <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not 134 affected.</dd> 135 <dt><tt>nopeer</tt></dt> 136 <dd>Deny packets that might mobilize an association unless 137 authenticated. This includes broadcast, symmetric-active and 138 manycast server packets when a configured association does not 139 exist. It also includes <tt>pool</tt> associations, so if you want 140 to use servers from a <tt>pool</tt> directive and also want to 141 use <tt>nopeer</tt> by default, you'll want a <tt>"restrict source 142 ..."</tt> line as well that does <i>not</i> include 143 the <tt>nopeer</tt> directive. Note that this flag does not apply 144 to packets that do not attempt to mobilize an association. </dd> 145 <dt><tt>noserve</tt></dt> 146 <dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt> 147 queries.</dd> 148 <dt><tt>notrap</tt></dt> 149 <dd>Decline to provide mode 6 control message trap service to matching 150 hosts. The trap service is a subsystem of the <tt>ntpdc</tt> control 151 message protocol which is intended for use by remote event logging 152 programs.</dd> 153 <dt><tt>notrust</tt></dt> 154 <dd>Deny packets that are not cryptographically authenticated. Note 155 carefully how this flag interacts with the <tt>auth</tt> option of 156 the <tt>enable</tt> and <tt>disable</tt> commands. If <tt>auth</tt> 157 is enabled, which is the default, authentication is required for all 158 packets that might mobilize an association. If <tt>auth</tt> is 159 disabled, but the <tt>notrust</tt> flag is not present, an 160 association can be mobilized whether or not 161 authenticated. If <tt>auth</tt> is disabled, but 162 the <tt>notrust</tt> flag is present, authentication is required 163 only for the specified address/mask range. </dd> 164 <dt><tt>ntpport</tt></dt> 165 <dd>This is actually a match algorithm modifier, rather than a 166 restriction flag. Its presence causes the restriction entry to be 167 matched only if the source port in the packet is the standard NTP 168 UDP port (123). A restrict line containing <tt>ntpport</tt> is 169 considered more specific than one with the same address and mask, 170 but lacking <tt>ntpport</tt>.</dd> 171 <dt><tt>version</tt></dt> 172 <dd>Deny packets that do not match the current NTP version.</dd> 173 </dl> 174 </dd> 175 <dd>Default restriction list entries with the flags <tt>ignore, 176 ntpport</tt>, for each of the local host's interface addresses are 177 inserted into the table at startup to prevent the server from 178 attempting to synchronize to its own time. A default entry is also 179 always present, though if it is otherwise unconfigured; no flags are 180 associated with the default entry (i.e., everything besides your own 181 NTP server is unrestricted).</dd> 182</dl> 183<hr> 184<script type="text/javascript" language="javascript" 185src="scripts/footer.txt"></script> 186</body> 187</html> 188
