Improve documentations regarding accept/deny lists

pendulum-project · Sep 12, 2024 · 2639253 · 2639253
1 parent 121479e
commit 2639253
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 7 deletions.
diff --git a/docs/guide/migrating-chrony.md b/docs/guide/migrating-chrony.md
@@ -116,7 +116,7 @@ filter = [
 action = "deny"
 ```
 
-The allow and deny list configuration is optional in ntpd-rs. By default, a server accepts traffic from anywhere. When configuring both allow and deny lists, ntpd-rs will first check if a remote is on the deny list. Only if this is not the case will the allow list be considered. This ordering needs to be taken into account when translating interleaved combinations of chrony's `allow` and `deny` commands.
+The allow and deny list configurations are both optional in ntpd-rs. By default, a server accepts traffic from anywhere. When configuring both allow and deny lists, ntpd-rs will first check if a remote is on the deny list. Only if this is not the case will the allow list be considered. This ordering needs to be taken into account when translating interleaved combinations of chrony's `allow` and `deny` commands.
 
 NTS can be enabled for a server by configuring an NTS key exchange server:
 ```toml

diff --git a/docs/guide/migrating-ntpd.md b/docs/guide/migrating-ntpd.md
@@ -96,7 +96,7 @@ filter = [
 action = "deny"
 ```
 
-The allow and deny list configuration is optional in ntpd-rs. By default, if a server is configured it will accept traffic from anywhere. When configuring both allow and deny lists, ntpd-rs will first check if a remote is on the deny list. Only if this is not the case will the allow list be considered.
+The allow and deny list configurations are both optional in ntpd-rs. By default, if a server is configured it will accept traffic from anywhere. When configuring both allow and deny lists, ntpd-rs will first check if a remote is on the deny list. Only if this is not the case will the allow list be considered.
 
 The `allowlist.action` and `denylist.action` properties can have two values:
 

diff --git a/docs/guide/migrating-ntpsec.md b/docs/guide/migrating-ntpsec.md
@@ -117,7 +117,7 @@ filter = [
 action = "deny"
 ```
 
-The allow and deny list configuration is optional in ntpd-rs. By default, if a server is configured it will accept traffic from anywhere. When configuring both allow and deny lists, ntpd-rs will first check if a remote is on the deny list. Only if this is not the case will the allow list be considered.
+The allow and deny list configurations are both optional in ntpd-rs. By default, if a server is configured it will accept traffic from anywhere. When configuring both allow and deny lists, ntpd-rs will first check if a remote is on the deny list. Only if this is not the case will the allow list be considered.
 
 The `allowlist.action` and `denylist.action` properties can have two values:
 

diff --git a/docs/guide/server-setup.md b/docs/guide/server-setup.md
@@ -20,7 +20,7 @@ address = "<your server ip>:123"
 ```
 
 ## Limiting access
-If you only want specific ip addresses to be able to access the server, you can
+If you only want specific IP addresses to be able to access the server, you can
 configure a list of allowed clients through the allowlist mechanism. For this,
 edit the server configuration to look like:
 ```toml
@@ -30,9 +30,35 @@ listen = "0.0.0.0:123"
 filter = ["<allowed ipv4 1>/32", "<allowed ipv4 2>/32", "<allowed ipv6 1>/128"]
 action = "ignore"
 ```
-When configured this way, your server will only respond to the listed ip
-addresses. You can allow entire subnets at a time by specifying the size of the
-subnet instead of 32 or 128 after the slash.
+When configured this way, your server will only respond to the listed IP
+addresses. The IP addresses are written in CIDR notation, which means you can
+allow entire subnets at a time by specifying the size of the subnet instead of
+the 32 or 128 after the slash. For example, `192.168.1.1/24` will allow any IP
+address of the form `192.168.1.*`.
+
+If you want to block certain IP addresses from accessing the server, you can
+configure a list of blocked clients as follows:
+```toml
+[[server]]
+listen = "0.0.0.0:123"
+[server.denylist]
+filter = ["<blocked ipv4 1>/32", "<blocked ipv4 2>/32", "<blocked ipv6 1>/128"]
+action = "deny"
+```
+The deny list uses the same CIDR notion as the allow list, and can also be used
+to block subnets. Connections from IP addresses contained in the deny list will
+always be blocked, even if they also happen to be in the allow list.
+
+The allow and deny list configurations are both optional in ntpd-rs. By
+default, if a server is configured it will accept traffic from anywhere. When
+configuring both allow and deny lists, ntpd-rs will first check if a remote is
+on the deny list. Only if this is not the case will the allow list be
+considered.
+
+The `allowlist.action` and `denylist.action` properties can have two values:
+
+- `ignore` silently ignores the request
+- `deny` sends a deny kiss-o'-death packet
 
 ## Adding your server to the NTP pool
 

diff --git a/docs/includes/glossary.md b/docs/includes/glossary.md
@@ -7,3 +7,4 @@
 *[CA]: Certificate Authority
 *[OS]: Operating System
 *[DNS]: Domain Name System
+*[CIDR]: Classless Inter-Domain Routing