From: Matthew Seaman
Date: Wed, 18 Oct 2006 06:51:39 +0100
To: Chuck Swiger
Cc: Zbigniew Szalbot, freebsd-questions@freebsd.org
Subject: Re: ntpd not adjusting the clock?

Chuck Swiger wrote:
> On Oct 17, 2006, at 3:13 PM, Zbigniew Szalbot wrote:
>> My ntp.conf file looks like that:
>>
>> server 2.pl.pool.ntp.org prefer
>> server 1.europe.pool.ntp.org
>> server 0.europe.pool.ntp.org
>> restrict default ignore
>> driftfile /var/db/ntp.drift
>
> Unless you've got additional restrict lines which permit some hosts to
> make changes, using only "restrict default ignore" will prevent ntpd
> from paying attention to the timeservers you've listed and it will even
> prevent ntpd from changing the local clock or being administered via
> ntpq from localhost.
>
> This misconfiguration will also cause your ntpd to generate excessive
> numbers of queries, rather than syncing up and reducing the NTP polling
> interval from minpoll to maxpoll. [1]
>
> Remove that line and restart ntpd.

That means that anyone can connect to your NTP daemon and poll it for time
service or use ntpdc to muck around with your configuration.  It's better
to use at minimum:

    restrict default nopeer nomodify
    restrict localhost

(the 'restrict localhost' line actually removes all limitations on access
from localhost.  Ain't ntp.conf syntax wonderful.)

Ideally, you'd be able to use 'restrict default ignore' then apply

    restrict 2.pl.pool.ntp.org nopeer nomodify
    server 2.pl.pool.ntp.org prefer

for each server you configure.  That works well if you specify individual
servers by name.  Unfortunately the way the NTP pool mechanism works makes
that approach unworkable.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
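
Added example, not part of the original message: a small Python audit of ntp.conf restrict lines, run over the three configurations discussed in this thread (as posted, with the line removed, and with the suggested minimum). The function names and finding codes are hypothetical, the sample configs are constructed from the one quoted above, and matching restrict lines to server lines by name is a simplification, since ntpd applies restrictions to resolved addresses.

```python
# Added example: audit the restrict lines of an ntp.conf for the cases in this thread.
LOCAL = {"localhost", "127.0.0.1", "::1"}

def parse(conf):
    """Return (servers, restricts); restricts maps an address to its set of flags."""
    servers, restricts = [], {}
    for raw in conf.splitlines():
        words = [w for w in raw.split("#", 1)[0].split() if w not in ("-4", "-6")]
        if len(words) < 2:
            continue
        if words[0] == "server":
            servers.append(words[1])
        elif words[0] == "restrict":
            restricts[words[1]] = set(words[2:])
    return servers, restricts

def audit(conf):
    """Return a sorted list of finding codes for one ntp.conf text."""
    servers, restricts = parse(conf)
    findings = set()
    default = restricts.get("default")
    if default is None:
        # No default policy: any host may query the daemon or try ntpdc against it.
        findings.add("default-open")
    elif "ignore" in default:
        # Every packet is dropped unless a more specific restrict line allows it.
        for host in servers:
            if "ignore" in restricts.get(host, default):
                findings.add("server-blocked:" + host)
        if not any("ignore" not in restricts.get(a, default) for a in LOCAL):
            findings.add("localhost-blocked")
    elif "nomodify" not in default:
        findings.add("default-modifiable")
    return sorted(findings)

SERVERS = """server 2.pl.pool.ntp.org prefer
server 1.europe.pool.ntp.org
server 0.europe.pool.ntp.org
driftfile /var/db/ntp.drift
"""
# Constructed variants of the configuration quoted in the thread.
AS_POSTED = SERVERS + "restrict default ignore\n"
LINE_REMOVED = SERVERS
SUGGESTED = SERVERS + "restrict default nopeer nomodify\nrestrict localhost\n"

if __name__ == "__main__":
    for name in ("AS_POSTED", "LINE_REMOVED", "SUGGESTED"):
        print(name, audit(globals()[name]))
```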