freebsd-src/usr.sbin/xntpd/conf/ntp.conf.nsf
1993-12-21 18:36:48 +00:00

157 lines
5.0 KiB
Plaintext

#
# Maybe an alternate xntpd configuration for NSS#17
#
#
# precision is supported, but you don't really need it. The code
# will determine a precision from the kernel's value of _hz which
# is fine. Note you shouldn't claim too good a precision on a
# Unix machine even if the clock carries a lot of bits, since
# precision also depends on things like I/O delays and scheduling
# latencies, which Unix machines control poorly. If you claim better
# than -6 or -7 it will make the anti-hop aperture tighter than is
# reasonable for a Unix machine.
#
#precision -7
#
# peers are ncarfuzz.ucar.edu umd1.umd.edu dcn5.udel.edu fuzz.sdsc.edu
# syntax is peer addr [ key 1-15 ] [ version 1_or_2 ]
#
peer 128.116.64.3 # ncarfuzz.ucar.edu
peer 128.8.10.1 # umd1.umd.edu
peer 128.4.0.5 # dcn5.udel.edu
peer 192.12.207.1 # fuzz.sdsc.edu
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
# This is a nice feature. Once you've got the drift computed it hardly
# ever takes more than an hour or so to resync after a restart.
#
driftfile /etc/ntp.drift
#
# The server statement causes polling to be done in client mode rather
# than symmetric active. It is an alternative to the peer command
# above. Which you use depends on what you want to achieve. Usually
# it doesn't matter. Syntax is:
#
#server 128.100.49.1 key 4 version 1
#
# The broadcast statement tells it to start broadcasting time out one
# of its interfaces. Syntax is
#
#broadcast 128.100.49.255 # [ key n ] [ version n ]
#
# broadcastclient tells the daemon whether it should attempt to sync
# to broadcasts or not. Defaults to `no'.
#
#broadcastclient yes # or no
#
# broadcastdelay configures in a default round-trip delay to use for
# broadcast time. It may poll to improve this estimate.
#
#broadcastdelay 0.0095 # in seconds
#
# authenticate configures us into strict authentication mode (or not).
#
#authenticate yes # or no. Default is no
#
# authdelay is the time it takes to do an NTP encryption on this host.
# The current routine is pretty fast.
#
#authdelay 0.000340 # in seconds
#
# trustedkey are used when authenticate is on. We only trust (and sync to)
# peers who know these keys.
#
#trustedkey 1 3 4 8
#
# monitor turns on the monitoring facility. See xntpdc's monlist command.
# This shows a lot of neat stuff, but I'm not fussy about the implementation.
# Uses up to 20Kb of memory at run time. You could try this.
#
#monitor yes # or no. Default is no
#
# keys points at the file which holds the authentication keys.
#
#keys /etc/ntp.keys
#
# requestkey indicates which key is to be used for validating
# runtime reconfiguration requests. If this isn't defined, or the
# key isn't in the keys file, you can't do runtime reconfiguration.
# controlkey indicates which key is to be used for validating
# mode 6 write variables commands. If this isn't defined you can't
# do it. The only thing the latter is used for is to set leap second
# warnings on machines with radio clocks.
#
#requestkey 65535
#controlkey 65534
#
# restrict places restrictions on the punters. This is implemented as
# a sorted address-and-mask list, with each entry including a set of
# flags which define what a host matching the entry *can't* do (the sort
# also saves CPU time searching the table since it needn't be searched
# to the end). The last match in the table defines what the host does.
# The default entry, which everyone matches, is first, most specific
# matches are later in the table. The flags are:
#
# ignore - ignore all traffic from host
# noserve - don't give host any time (but let him make queries?)
# notrust - give host time, let him make queries, but don't sync to him
# noquery - host can have time, but not make queries
# nomodify - allow the host to make queries except those which are
# actually run-time configuration commands.
# notrap - don't allow matching hosts to set traps. If noquery is
# set this isn't needed
# lowpriotrap - if this guy sets a trap make it easy to delete
# ntpport - a different kind of flag. Makes matches for this entry
# possible only if the source port is 123.
#
# To understand this better, take a look at xntpdc's reslist command when the
# server is running. This usually prints in the sorted order.
#
# This should match the NSS 17 stuff. Default mask is all ones.
restrict default ignore # ignore almost everyone
#
# These guys can be served time and make non-modifying queries
#
restrict 129.140.0.0 mask 255.255.0.0 notrust nomodify
restrict 35.1.1.42 notrust nomodify
#
# Rest of 35.1.1 gets to look but not touch
#
restrict 35.1.1.0 mask 255.255.255.0 noserve nomodify
#
# modifications can be made from local NSS only
#
restrict 129.140.17.0 mask 255.255.255.0 notrust
restrict 127.0.0.1 notrust
#
# take time from the following peers, but don't let them peek or modify
#
restrict 128.116.64.3 noquery
restrict 128.8.10.1 noquery
restrict 128.4.0.5 noquery
restrict 192.12.207.1 noquery