From: Dave B
To: freebsd-questions@freebsd.org
Subject: Re: Another 11.1-RELEASE install minor annoyance (ntpd)
Date: Thu, 12 Oct 2017 13:45:10 +0100

On 12/10/17 13:00, freebsd-questions-request@freebsd.org wrote:
> All your Linksys needs for NTP support is to allow UDP to any, port 123.
> And the response packets, obviously.
>
> Cheers,
>
> Matthew

Usually, that will be the normal default NAT router behaviour: incoming
packets from a requested site (as signified by previous outgoing packets
to the same site) will pass back into the LAN unmolested and be directed
to the requesting local IP address. Unless you or someone else has
intentionally blocked NTP traffic at your border. (I've yet to find even
an ISP supplied box that has NTP blocked, as a "user".)

About the only time (pun unintended) you need to poke a hole in a
border/gateway/firewall is if you want to run a publicly accessible NTP
(or any other) server. Then, you do need to poke a hole (usually port 123
for NTP) so the great unwashed web can reach into your shiny new machine.

In such cases, it's also wise to keep all the NTPD baggage up to date.
I'm not aware of any current issues, but in the not too distant past
"there have been some issues that were exploited for DDoS attacks!"

(I don't know. Is it possible to jail an NTP server?)

PS: I take it you know about the NTP pool project?
Not suggesting you join it (unless you wish to) but as an external
resource for a LAN based machine to sync to, it is a superbly reliable
resource. Virtually guaranteed to be a better source of time than your
ISP's servers (that here in the UK seem to reside on already very busy
border/gateway machines.)

PPS: If you have an unreliable or a throttled internet service, there is
the option of using a GPS receiver that also has a PPS signal output, so
your local NTP server stays accurate, even if it can't reach out to other
NTP servers.

For example...
http://www.satsignal.eu/ntp/FreeBSD-GPS-PPS.htm
(Old in respect to FreeBSD, but the principles are sound.)

But we're getting well into "Time Nuts" territory in that case.

It was the need for an accurate and more importantly "stable" local time
source (that didn't drift +- some seconds during the day, due to my own
ISP "messing things about") that I learnt about FreeBSD in the first
place.

Regards to All.

Dave B.