access.adoc 4.12 KB
= Access Control Support
include::html.include[]

[cols="10%,90%",frame="none",grid="none",style="verse"]
|==============================
|image:pic/pogo6.gif[]|
{millshome}pictures.html[from 'Pogo', Walt Kelly]

The skunk watches for intruders and sprays.

|==============================

== Related Links

include::includes/hand.adoc[]
include::includes/accopt.adoc[]

'''''

== Access Control Support

The +ntpd+ daemon implements a general purpose access control list (ACL)
containing address/match entries sorted first by increasing address
values and then by increasing mask values. A match occurs when the
bitwise AND of the mask and the packet source address is equal to the
bitwise AND of the mask and address in the list. The list is searched in
order with the last match found defining the restriction flags
associated with the entry.

The ACL is specified as a list of +restrict+ commands in the following
formats:

+restrict address[/cidr] [mask mask] [flag][...]+

The +address+ argument, expressed in dotted-quad (for IPv4) or
:-delimited (for IPv6) form, is the address of a host or network.
Alternatively, the +address+ argument can be a valid host DNS name. The
+mask+ argument, expressed in IPv4 or IPv6 numeric address form, defaults
to all mask bits on, meaning that the +address+ is treated as the address
of an individual host. Instead of an explicit +mask+, the +address/cidr+
may be specified in CIDR notation.

A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4; and
address :: mask :: for IPv6) is always the first entry in the list.
+restrict default+, with no mask option, modifies both IPv4 and IPv6
default entries. +restrict source+ configures a template restriction
automatically added at runtime for each association, whether configured,
ephemeral, or preemptable, and removed when the association is
demobilized.

Some flags deny service, some enable service, and some are conditioned
by other flags. The flags are not orthogonal, in that more restrictive
flags will often make less restrictive ones redundant. The flags that
deny service fall into two categories: those that restrict time service
and those that restrict informational queries and attempts to do
run-time reconfiguration of the server.

An example may clarify how it works. Our campus has two class-B
networks, 128.4 for the ECE and CIS departments and 128.175 for the rest
of campus. Let's assume (not true!) that subnet 128.4.1 homes critical
services like class rosters and spreadsheets. A suitable ACL might look
like this:

------------------------------------------------------------------------------
restrict default nopeer                         # deny new associations
restrict 128.175.0.0 mask 255.255.0.0           # allow campus access
restrict 128.4.1.0 mask 255.255.255.0 notrust   # require authentication on subnet 1
restrict time.nist.gov                          # allow access
------------------------------------------------------------------------------

Note that by design the 'restrict' declaration can only add
restrictions to an IP range that has already been the subject of a
previous restriction, not remove them.

If the behavior of multiple restricts with identical or overlapping
ranges seems confusing, bear in mind that each restrict creates an
internal table entry associated with its subject IP range, and the table
entries are checked in sequence when the flags applying to a
particular IP need to be computed.
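To make the lookup rules concrete, the following is a small Python model (an added example, not ntpd's code) of the restrict table as this page describes it: entries keyed by address and mask, searched in order of increasing address then increasing mask, with the last match defining the flags, and a repeated +restrict+ on an identical range adding to that entry's flags. The host entry uses a constructed literal address (192.0.2.10) in place of the time.nist.gov DNS name, since nothing here does DNS resolution.

```python
import ipaddress


class RestrictTable:
    """Model of the ntpd restrict list as documented above (added example)."""

    def __init__(self):
        # key: (ip version, address int, mask int) -> set of flag names
        self.entries = {}
        self.restrict("0.0.0.0", mask="0.0.0.0")  # IPv4 default entry
        self.restrict("::", mask="::")            # IPv6 default entry

    def restrict(self, address, *flags, mask=None, cidr=None):
        if address == "default":  # no mask: modifies both default entries
            for key in ((4, 0, 0), (6, 0, 0)):
                self.entries[key].update(flags)
            return
        addr = ipaddress.ip_address(address)  # literals only; no DNS lookup here
        if mask is not None:
            mask_int = int(ipaddress.ip_address(mask))
        elif cidr is not None:
            net = ipaddress.ip_network(f"{address}/{cidr}", strict=False)
            mask_int = int(net.netmask)
        else:
            mask_int = (1 << addr.max_prefixlen) - 1  # all bits on: single host
        key = (addr.version, int(addr) & mask_int, mask_int)
        # A repeated restrict on an identical range adds flags, never removes them
        self.entries.setdefault(key, set()).update(flags)

    def flags_for(self, source):
        src = ipaddress.ip_address(source)
        result = set()
        # Entries sorted by increasing address, then increasing mask;
        # the last entry whose masked address equals the masked source wins.
        for (version, addr, mask), flags in sorted(self.entries.items()):
            if version == src.version and (int(src) & mask) == (addr & mask):
                result = set(flags)
        return result


def campus_acl():
    """The campus ACL from the example above, with a constructed literal
    (192.0.2.10) standing in for the time.nist.gov DNS name."""
    acl = RestrictTable()
    acl.restrict("default", "nopeer")
    acl.restrict("128.175.0.0", mask="255.255.0.0")
    acl.restrict("128.4.1.0", "notrust", mask="255.255.255.0")
    acl.restrict("192.0.2.10")
    return acl
```

Note that a source inside 128.4.1.0/24 ends up with only +notrust+: the more specific entry is the last match, so the default entry's +nopeer+ does not carry over, which is the behaviour the page's note on overlapping ranges describes.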

While this facility may be useful for keeping unwanted, broken or
malicious clients from congesting innocent servers, it should not be
considered an alternative to the NTP authentication facilities. Source
address based restrictions are easily circumvented by a determined
cracker.

Default restriction list entries with the flags +ignore, ntpport+ are
inserted into the table at startup for each of the local host's
interface addresses, to prevent the server from attempting to
synchronize to its own time. A default entry is also always present; if
it is otherwise unconfigured, no flags are associated with the default
entry (i.e., everything besides your own NTP server is unrestricted).

'''''

include::includes/footer.adoc[]