ntp.conf.def (289764) | ntp.conf.def (294554) |
---|---|
1/* -*- Mode: Text -*- */ 2 3autogen definitions options; 4 5#include copyright.def 6 7// We want the synopsis to be "/etc/ntp.conf" but we need the prog-name 8// to be ntp.conf - the latter is also how autogen produces the output --- 2381 unchanged lines hidden (view full) --- 2390otherwise, should be avoided. 2391.It Ic dscp Ar value 2392This option specifies the Differentiated Services Control Point (DSCP) value, 2393a 6-bit code. The default value is 46, signifying Expedited Forwarding. 2394.It Xo Ic enable 2395.Oo 2396.Cm auth | Cm bclient | 2397.Cm calibrate | Cm kernel | | 1/* -*- Mode: Text -*- */ 2 3autogen definitions options; 4 5#include copyright.def 6 7// We want the synopsis to be "/etc/ntp.conf" but we need the prog-name 8// to be ntp.conf - the latter is also how autogen produces the output --- 2381 unchanged lines hidden (view full) --- 2390otherwise, should be avoided. 2391.It Ic dscp Ar value 2392This option specifies the Differentiated Services Control Point (DSCP) value, 2393a 6-bit code. The default value is 46, signifying Expedited Forwarding. 2394.It Xo Ic enable 2395.Oo 2396.Cm auth | Cm bclient | 2397.Cm calibrate | Cm kernel | |
2398.Cm mode7 | monitor | 2399.Cm ntp | Cm stats | 2398.Cm mode7 | Cm monitor | 2399.Cm ntp | Cm stats | 2400.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early |
2400.Oc 2401.Xc 2402.It Xo Ic disable 2403.Oo 2404.Cm auth | Cm bclient | 2405.Cm calibrate | Cm kernel | | 2401.Oc 2402.Xc 2403.It Xo Ic disable 2404.Oo 2405.Cm auth | Cm bclient | 2406.Cm calibrate | Cm kernel | |
2406.Cm mode7 | monitor | 2407.Cm ntp | Cm stats | 2407.Cm mode7 | Cm monitor | 2408.Cm ntp | Cm stats | 2409.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early |
2408.Oc 2409.Xc 2410Provides a way to enable or disable various server options. 2411Flags not mentioned are unaffected. 2412Note that all of these flags 2413can be controlled remotely using the 2414.Xr ntpdc 1ntpdcmdoc 2415utility program. --- 57 unchanged lines hidden (view full) --- 2473.Ic enable . 2474.It Cm stats 2475Enables the statistics facility. 2476See the 2477.Sx Monitoring Options 2478section for further information. 2479The default for this flag is 2480.Ic disable . | 2410.Oc 2411.Xc 2412Provides a way to enable or disable various server options. 2413Flags not mentioned are unaffected. 2414Note that all of these flags 2415can be controlled remotely using the 2416.Xr ntpdc 1ntpdcmdoc 2417utility program. --- 57 unchanged lines hidden (view full) --- 2475.Ic enable . 2476.It Cm stats 2477Enables the statistics facility. 2478See the 2479.Sx Monitoring Options 2480section for further information. 2481The default for this flag is 2482.Ic disable . |
2483.It Cm unpeer_crypto_early 2484By default, if 2485.Xr ntpd 1ntpdmdoc 2486receives an autokey packet that fails TEST9, 2487a crypto failure, 2488the association is immediately cleared. 2489This is almost certainly a feature, 2490but if, in spite of the current recommendation of not using autokey, 2491you are 2492.B still 2493using autokey 2494.B and 2495you are seeing this sort of DoS attack 2496disabling this flag will delay 2497tearing down the association until the reachability counter 2498becomes zero. 2499You can check your 2500.Cm peerstats 2501file for evidence of any of these attacks. 2502The 2503default for this flag is 2504.Ic enable . 2505.It Cm unpeer_crypto_nak_early 2506By default, if 2507.Xr ntpd 1ntpdmdoc 2508receives a crypto-NAK packet that 2509passes the duplicate packet and origin timestamp checks 2510the association is immediately cleared. 2511While this is generally a feature 2512as it allows for quick recovery if a server key has changed, 2513a properly forged and appropriately delivered crypto-NAK packet 2514can be used in a DoS attack. 2515If you have active noticable problems with this type of DoS attack 2516then you should consider 2517disabling this option. 2518You can check your 2519.Cm peerstats 2520file for evidence of any of these attacks. 2521The 2522default for this flag is 2523.Ic enable . 2524.It Cm unpeer_digest_early 2525By default, if 2526.Xr ntpd 1ntpdmdoc 2527receives what should be an authenticated packet 2528that passes other packet sanity checks but 2529contains an invalid digest 2530the association is immediately cleared. 2531While this is generally a feature 2532as it allows for quick recovery, 2533if this type of packet is carefully forged and sent 2534during an appropriate window it can be used for a DoS attack. 2535If you have active noticable problems with this type of DoS attack 2536then you should consider 2537disabling this option. 2538You can check your 2539.Cm peerstats 2540file for evidence of any of these attacks. 2541The 2542default for this flag is 2543.Ic enable . |
|
2481.El 2482.It Ic includefile Ar includefile 2483This command allows additional configuration commands 2484to be included from a separate file. 2485Include files may 2486be nested to a depth of five; upon reaching the end of any 2487include file, command processing resumes in the previous 2488configuration file. --- 355 unchanged lines hidden --- | 2544.El 2545.It Ic includefile Ar includefile 2546This command allows additional configuration commands 2547to be included from a separate file. 2548Include files may 2549be nested to a depth of five; upon reaching the end of any 2550include file, command processing resumes in the previous 2551configuration file. --- 355 unchanged lines hidden --- |