summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStephen Hemminger <stephen.hemminger@vyatta.com>2009-05-22 08:08:03 -0700
committerStephen Hemminger <stephen.hemminger@vyatta.com>2009-05-22 08:10:24 -0700
commit5f836abba30318aa8088037744ed3e2398a39b6c (patch)
tree781338326ef90e2da97200d3dbcae18ce3e21730
parentebde000ac4acd10e0819029873db642719677843 (diff)
downloadvyatta-cfg-system-5f836abba30318aa8088037744ed3e2398a39b6c.tar.gz
vyatta-cfg-system-5f836abba30318aa8088037744ed3e2398a39b6c.zip
Add NTP configuration file
There are options (like restrict) that should be ntp.conf This would reduce security exposure of the router (see recent CVE). Also, this avoid restarting ntp server on boot when using the default vyatta ntp server.
-rw-r--r--Makefile.am1
-rw-r--r--sysconf/ntp.conf37
2 files changed, 38 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index 8fbce753..5152fb71 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -53,6 +53,7 @@ sysconf_DATA += sysconf/LICENSE
sysconf_DATA += sysconf/logrotate_messages
sysconf_DATA += sysconf/motd.tail
sysconf_DATA += sysconf/syslog.conf
+sysconf_DATA += sysconf/ntp.conf
sysconf_DATA += sysconf/default_ssh
sysconf_DATA += sysconf/vyatta-sysctl.conf
sysconf_DATA += sysconf/blacklist.DSA-1024
diff --git a/sysconf/ntp.conf b/sysconf/ntp.conf
new file mode 100644
index 00000000..86ee86c1
--- /dev/null
+++ b/sysconf/ntp.conf
@@ -0,0 +1,37 @@
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
+
+driftfile /var/lib/ntp/ntp.drift
+
+# You do need to talk to an NTP server or two (or three).
+server 0.vyatta.pool.ntp.org
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
+
+# If you want to provide time to your local subnet, change the next line.
+# (Again, the address is an example only.)
+#broadcast 192.168.123.255
+
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
+#disable auth
+#broadcastclient
+