Date: Wed, 18 Oct 2006 06:51:39 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Chuck Swiger <cswiger@mac.com>
Cc: Zbigniew Szalbot <zbyszek@szalbot.homedns.org>, freebsd-questions@freebsd.org
Subject: Re: ntpd not adjusting the clock?
Message-ID: <4535C0EB.8000700@infracaninophile.co.uk>
In-Reply-To: <F5EF37C8-7955-4246-932E-833A537A4009@mac.com>
References: <20061018000853.O49453@192.168.11.51> <F5EF37C8-7955-4246-932E-833A537A4009@mac.com>
Chuck Swiger wrote:
> On Oct 17, 2006, at 3:13 PM, Zbigniew Szalbot wrote:
>> My ntp.conf file looks like that:
>>
>> server 2.pl.pool.ntp.org prefer
>> server 1.europe.pool.ntp.org
>> server 0.europe.pool.ntp.org
>> restrict default ignore
>> driftfile /var/db/ntp.drift
>
> Unless you've got additional restrict lines which permit some hosts to
> make changes, using only "restrict default ignore" will prevent ntpd
> from paying attention to the timeservers you've listed and it will even
> prevent ntpd from changing the local clock or being administered via
> ntpq from localhost.
>
> This misconfiguration will also cause your ntpd to generate excessive
> numbers of queries, rather than syncing up and reducing the NTP polling
> interval from minpoll to maxpoll. [1]
>
> Remove that line and restart ntpd.
That means that anyone can connect to your NTP daemon and poll it for time
service or use ntpdc to muck around with your configuration. It's better
to use at minimum:
restrict default nopeer nomodify
restrict localhost
(the 'restrict localhost' line actually removes all limitations on access
from localhost. Ain't ntp.conf syntax wonderful.)
Ideally, you'd be able to use 'restrict default ignore' then apply
restrict 2.pl.pool.ntp.org nopeer nomodify
server 2.pl.pool.ntp.org prefer
for each server you configure. That works well if you specify individual
servers by name. Unfortunately the way the NTP pool mechanism works makes that
approach unworkable.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
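The restrict semantics argued over in this thread, as an added example that is not part of the original message or of the ntp distribution: a small shell lint that reads an ntp.conf on stdin and reports whether "restrict default ignore" locks ntpd out of its own servers and localhost, whether a missing or permissive default leaves the daemon open to ntpdc/ntpq reconfiguration, and whether per-name restrict lines are being relied on for pool hostnames (which the thread notes do not work). The three sample configs are constructed for the example; the original poster's config and Matthew's minimal fix are taken from the thread, ntp.example.org is a hypothetical fixed server.

```shell
#!/bin/sh
# Added example: lint the "restrict" posture of an ntp.conf (stdin).
# Rules applied (from the discussion above):
#   - "restrict default ignore" is a catch-all; without a more specific
#     restrict line per needed host, ntpd drops every packet, including
#     replies from its own servers and ntpq/ntpdc from localhost.
#   - no "restrict default", or one lacking nomodify/nopeer, leaves ntpd
#     open to remote reconfiguration and unsolicited peering.
#   - a per-name restrict for a pool.ntp.org name is fragile because the
#     pool rotates addresses behind the name.
check_ntp_restrict() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "server" || $1 == "peer" || $1 == "pool" { servers[$2] = 1 }
    $1 == "restrict" {
      flags = ""
      for (i = 3; i <= NF; i++) flags = flags " " $i
      if ($2 == "default") { have_default = 1; default_flags = flags }
      else { restrict_for[$2] = flags }      # empty flags = no restrictions
    }
    END {
      verdict = "OK"
      if (!have_default) {
        print "finding: no \"restrict default\" line, every host gets full access"
        verdict = "OPEN"
      } else if (default_flags ~ /ignore/) {
        if (!(("localhost" in restrict_for) || ("127.0.0.1" in restrict_for))) {
          print "finding: default ignore with no localhost line; ntpq/ntpdc from localhost is dropped"
          verdict = "LOCKOUT"
        }
        for (s in servers) {
          if (!(s in restrict_for) || restrict_for[s] ~ /ignore/) {
            print "finding: default ignore with no restrict line for " s "; its replies are dropped"
            verdict = "LOCKOUT"
          } else if (s ~ /pool\.ntp\.org$/) {
            print "finding: " s " is a pool name; a per-name restrict will not track its rotating addresses"
            if (verdict == "OK") verdict = "FRAGILE"
          }
        }
      } else {
        if (default_flags !~ /nomodify/) {
          print "finding: default lacks nomodify; configuration can be changed remotely"
          verdict = "OPEN"
        }
        if (default_flags !~ /nopeer/) {
          print "finding: default lacks nopeer; remote hosts can form unsolicited associations"
          verdict = "OPEN"
        }
      }
      print "verdict: " verdict
    }
  '
}

# Constructed sample 1: the original poster's config from the thread.
weak_conf() {
  cat <<'EOF'
server 2.pl.pool.ntp.org prefer
server 1.europe.pool.ntp.org
server 0.europe.pool.ntp.org
restrict default ignore
driftfile /var/db/ntp.drift
EOF
}

# Constructed sample 2: the same servers with the minimal fix suggested above.
hardened_conf() {
  cat <<'EOF'
server 2.pl.pool.ntp.org prefer
server 1.europe.pool.ntp.org
server 0.europe.pool.ntp.org
restrict default nopeer nomodify
restrict localhost
driftfile /var/db/ntp.drift
EOF
}

# Constructed sample 3: the "ideal" per-server scheme with a fixed,
# non-pool server (ntp.example.org is hypothetical).
per_server_conf() {
  cat <<'EOF'
restrict default ignore
restrict localhost
restrict ntp.example.org nopeer nomodify
server ntp.example.org
driftfile /var/db/ntp.drift
EOF
}

for c in weak_conf hardened_conf per_server_conf; do
  echo "== $c"; $c | check_ntp_restrict
done
```

The checker only reproduces the rules stated in the thread; it does not resolve hostnames, so a restrict line keyed on an IP address for a server given by name (or vice versa) is reported as missing. Run it against a real /etc/ntp.conf with `check_ntp_restrict < /etc/ntp.conf`.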
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4535C0EB.8000700>
