[Git][NTPsec/ntpsec][master] 2 commits: Remove "nopeer" restrict option from config examples
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Sat May 25 22:52:42 UTC 2024
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
250d5896 by Joachim Kross at 2024-05-25T22:49:18+00:00
Remove "nopeer" restrict option from config examples
The "nopeer" option to the restrict command has been ignored
for a while now. Remove it from various configuration
examples, update documentation to be more explicit about it.
- - - - -
72877f52 by Joachim Kross at 2024-05-25T22:49:18+00:00
Update ACL configuration example
- - - - -
7 changed files:
- docs/access.adoc
- docs/includes/access-commands.adoc
- docs/quick.adoc
- etc/ntp.d/use-no-remote-configuration
- ntpd/ntp_proto.c
- ntpd/ntp_restrict.c
- packaging/SUSE/ntp.conf
Changes:
=====================================
docs/access.adoc
=====================================
@@ -63,7 +63,7 @@ services like class rosters and spread sheets. A suitable ACL might look
like this:
------------------------------------------------------------------------------
-restrict default nopeer # deny new associations
+restrict default nomodify # disallow reconfiguration
restrict 128.175.0.0 mask 255.255.0.0 # allow campus access
restrict 128.4.1.0 mask 255.255.255.0 notrust # require authentication on subnet 1
restrict time.nist.gov # allow access
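Review bot: the new `restrict default nomodify` line drops the "deny new associations" intent without telling the reader what replaced it, and the surrounding text at the top of this hunk still presents this as the ACL for a service that begins by locking down the default. With `nopeer` ignored, nothing in this example constrains who may associate, and the default now also leaves ntpq queries open (no `noquery`), unlike the `kod limited nomodify noquery` default shown in docs/quick.adoc in this same commit. Either add `noquery` here for consistency or explain in the prose why this example deliberately keeps queries open.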
=====================================
docs/includes/access-commands.adoc
=====================================
@@ -69,9 +69,9 @@
Do not accept MRU-list requests. These can be expensive to
service and may generate a high volume of response traffic.
+nopeer+;;
- Deny packets which would result in mobilizing a new association;
- this includes symmetric active packets when a
- configured association does not exist. That used to happen
+ Ignored. Was previously used to deny packets which would result in
+ mobilizing a new association; this included symmetric active packets
+ when a configured association did not exist. That used to happen
when the remote client used the +peer+ command in its config file.
We don't support that mode.
It used to include _pool_ servers, but they now poke a hole in any
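Review bot: "Ignored." should also say what ntpd does when `nopeer` still appears in a config file, whether the keyword is accepted silently so existing configurations keep working or whether ntpd logs a warning, and that belongs in the first sentence so an operator scanning the option list gets the answer. A parse-time warning naming the option would help admins clean up the distro configs that still carry it. The unchanged trailing line "It used to include _pool_ servers, but they now poke a hole in any" now reads as a second consecutive sentence about past behaviour; consider folding it into the "Was previously used to deny packets..." sentence.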
=====================================
docs/quick.adoc
=====================================
@@ -106,7 +106,7 @@ need to exist, and be writable by the user under which +ntpd+ runs.
Your security/access section will almost always look a lot like this:
------------------------------------------------------------------
-restrict default kod limited nomodify nopeer noquery
+restrict default kod limited nomodify noquery
restrict 127.0.0.1
restrict ::1
------------------------------------------------------------------
=====================================
etc/ntp.d/use-no-remote-configuration
=====================================
@@ -1,8 +1,8 @@
# Exchange time with everybody, but don't allow configuration.
# This is the right security setup for 99% of deployments.
-restrict default kod limited nomodify nopeer noquery
-restrict -6 default kod limited nomodify nopeer noquery
+restrict default kod limited nomodify noquery
+restrict -6 default kod limited nomodify noquery
# Local users may interrogate the NTP server more closely.
restrict 127.0.0.1
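Review bot: this file keeps both `restrict default kod limited nomodify noquery` and `restrict -6 default kod limited nomodify noquery`, while docs/quick.adoc in this same commit shows only the single `restrict default` line for the same setup. If `restrict default` already covers both address families the `-6` line is redundant and should go; if it does not, quick.adoc is missing it. Either way the two examples should agree, since the comment above calls this "the right security setup for 99% of deployments".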
=====================================
ntpd/ntp_proto.c
=====================================
@@ -417,8 +417,9 @@ parse_packet(
The 'peer' argument may be NULL to indicate that we have no current
association.
- In contrast to NTP classic, We don't enforce 'restrict nopeer'
- against pool-mode responses.
+ In contrast to NTP classic, we ignore 'restrict nopeer'. It used
+ to apply to symmetric mode associations, which we don't support, and
+ to pool-mode associations, which now poke holes into any restrictions.
*/
static bool
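Review bot: the rewritten comment states that we ignore 'restrict nopeer' but not where that happens; since this commit changes only comments and examples, point the reader at the code that drops or ignores the flag so the claim can be checked. "poke holes into any restrictions" is also too vague for a comment on parse_packet(): name the restrict flags a pool-mode association bypasses, or reference the function that grants the exception.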
=====================================
ntpd/ntp_restrict.c
=====================================
@@ -132,7 +132,7 @@ init_restrict(void)
* sorted by descending address followed by descending mask:
*
* address mask
- * 192.168.0.0 255.255.255.0 kod limited noquery nopeer
+ * 192.168.0.0 255.255.255.0 kod limited noquery
* 192.168.0.0 255.255.0.0 kod limited
* 0.0.0.0 0.0.0.0 kod limited noquery
*
=====================================
packaging/SUSE/ntp.conf
=====================================
@@ -52,8 +52,8 @@
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default nomodify nopeer noquery
-restrict -6 default nomodify nopeer noquery
+restrict -4 default nomodify noquery
+restrict -6 default nomodify noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
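Review bot: the default lines here are `nomodify noquery` without the `kod limited` that docs/quick.adoc and etc/ntp.d/use-no-remote-configuration use for the same "exchange time with everybody, but don't allow configuration" setup (the comment text is identical across the files). If leaving out rate limiting is deliberate for the SUSE package, say so in the comment; otherwise add `kod limited` so the packaged config matches the documented recommendation.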
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/458cbbaf290854da39220a0a8dacf9fce4c67d56...72877f52c1442c5b108a465d4b415bdbf56c1d8f