In setting up NTP on nuxx.net I ran into a bit of a problem: time wouldn’t sync. My configuration was fairly simple, following the information on support.ntp.org for using the pool of North American servers, blocking external access, but allowing ntpq (et al) to work from localhost:
server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org
driftfile /var/db/ntp.drift
restrict default ignore
restrict 127.0.0.1
However, it seemed that no matter what I tried (disabling the firewall, adding exceptions for TCP/UDP 123, changing the order of the restrict statements, etc.) the box wasn't able to contact its peers. Every server sat at stratum 16 with a refid of .INIT. and a reach of 0, which means ntpd had never received a single usable reply from it:
c0nsumer@banstyle:~> ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 217.160.254.116 .INIT.          16 u    -   64    0    0.000    0.000 4000.00
 209.132.176.4   .INIT.          16 u    -   64    0    0.000    0.000 4000.00
 209.40.97.141   .INIT.          16 u    -   64    0    0.000    0.000 4000.00
 216.14.98.234   .INIT.          16 u    -   64    0    0.000    0.000 4000.00
After some more digging I found that the restrict default ignore option, which is widely recommended to keep external folks from connecting to your ntpd, prevents synchronization from happening, even with the exception for localhost. The reason is that ignore tells ntpd to discard every packet not matched by a more specific restrict line, and that includes the replies coming back from the four pool servers; the restrict 127.0.0.1 line only exempts the loopback address, so local ntpq queries work while the daemon never receives any time at all. The flag set that ntp.org actually documents for this purpose (kod nomodify notrap nopeer noquery) does not have this problem, because it refuses queries, runtime changes and unsolicited peering while still accepting time replies to the requests ntpd itself sent.
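For comparison, here is an ntp.conf that keeps outsiders from querying or reconfiguring ntpd but still lets it synchronize. This is an added example, not the configuration from the original post; it reuses the post's pool hostnames and drift file path, and assumes an ntpd 4.2.x whose restrict command understands the flags shown (the -6 lines are only needed on older builds that keep a separate IPv6 default list, and are harmless elsewhere):

```conf
# ntp.conf -- added example, not the original post's configuration.
# Same North American pool servers and drift file as the post.

server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org
driftfile /var/db/ntp.drift

# BROKEN: "ignore" drops every packet that no more specific restrict line
# matches. The replies from the four servers above fall under the default,
# so ntpd never gets any time and every peer stays at .INIT. / stratum 16.
#restrict default ignore
#restrict 127.0.0.1

# WORKING: the default still accepts replies to the requests ntpd sent,
# but refuses everything an outsider could otherwise do:
#   kod      - answer access violations with a Kiss-o'-Death packet
#              (rate limiting itself also needs the "limited" flag)
#   nomodify - refuse ntpq/ntpdc runtime configuration changes
#   notrap   - refuse mode 6 control-message trap service
#   nopeer   - refuse to form an association with an unconfigured host
#   noquery  - refuse ntpq/ntpdc information queries (ntpq -p, monlist, ...)
restrict default kod nomodify notrap nopeer noquery
# Older ntpd builds keep a separate default list for IPv6 (assumption:
# the -6 form is accepted by the installed version).
restrict -6 default kod nomodify notrap nopeer noquery

# Loopback is exempt, so "ntpq -pn" and ntptrace keep working locally.
restrict 127.0.0.1
restrict -6 ::1
```

After restarting ntpd, ntpq -pn from the box itself should show the reach column counting up (1, 3, 7, 17, ...) within a few poll intervals and the refid changing from .INIT. to the upstream server's reference; from any other host, ntpq -p against this box should time out because of noquery.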
Having realized that, my ntp.conf is now just the basic config for the NA servers and the drift file, and it all works great:
server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org
driftfile /var/db/ntp.drift
Yep, it's syncing just fine: reach is climbing, the refids are real upstream addresses, and the asterisk marks the server ntpd has selected as its sync source. ntptrace confirms the chain back to a stratum 1 clock:
c0nsumer@banstyle:~> ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*217.160.254.116 18.26.4.105      2 u  200  256   17   37.192    4.619   1.461
 209.132.176.4   66.187.233.4     2 u  201  256   17  101.819   21.118   9.529
 209.40.97.141   192.5.41.40      2 u  197  256   17   38.565  -31.122  21.081
 216.14.98.234   216.218.254.202  2 u  200  256   17   18.731    3.940   4.848
c0nsumer@banstyle:~> ntptrace
localhost: stratum 3, offset 0.004619, root distance 0.043540
server.donkeyfly.com: stratum 2, offset -0.000686, root distance 0.006361
bonehed.lcs.mit.edu: stratum 1, offset 0.000018, root distance 0.000000, refid 'CDMA'
Now I just let pf restrict access to NTP. That works just fine. One thing to keep in mind with this approach: with no restrict lines at all, ntpd will happily answer ntpq/ntpdc control queries (including the monlist query that was later abused for amplification attacks) from any host the firewall lets through, so the pf ruleset has to block inbound UDP 123 from the outside entirely and rely on state created by the outgoing server requests to let the replies back in.