nuxx.net

restrict default ignore

In setting up NTP on nuxx.net I ran into a bit of a problem: time wouldn’t sync. My configuration was fairly simple, following the information on support.ntp.org for using the pool of North American servers, blocking external access, but allowing ntpq (et al) to work from localhost:

server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org

driftfile /var/db/ntp.drift

restrict default ignore
restrict 127.0.0.1

However, it seemed that no matter what I tried (disabling the firewall, adding exceptions for TCP/UDP 123, changing order of the restrict statements, etc) the box wasn’t able to contact its peers:

c0nsumer@banstyle:~> ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 217.160.254.116 .INIT.          16 u    -   64    0    0.000    0.000 4000.00
 209.132.176.4   .INIT.          16 u    -   64    0    0.000    0.000 4000.00
 209.40.97.141   .INIT.          16 u    -   64    0    0.000    0.000 4000.00
 216.14.98.234   .INIT.          16 u    -   64    0    0.000    0.000 4000.00

After some more digging I found that the restrict default ignore option, which is widely recommended to keep external folks from connecting to your ntpd, prevents synchronization from happening, even with the exception for localhost.

Having realized that, my ntp.conf is now just the basic config for the NA servers and the drift file, and it all works great:

server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org

driftfile /var/db/ntp.drift

Yep, it’s syncing just fine:

c0nsumer@banstyle:~> ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*217.160.254.116 18.26.4.105      2 u  200  256   17   37.192    4.619   1.461
 209.132.176.4   66.187.233.4     2 u  201  256   17  101.819   21.118   9.529
 209.40.97.141   192.5.41.40      2 u  197  256   17   38.565  -31.122  21.081
 216.14.98.234   216.218.254.202  2 u  200  256   17   18.731    3.940   4.848

c0nsumer@banstyle:~> ntptrace
localhost: stratum 3, offset 0.004619, root distance 0.043540
server.donkeyfly.com: stratum 2, offset -0.000686, root distance 0.006361
bonehed.lcs.mit.edu: stratum 1, offset 0.000018, root distance 0.000000, refid 'CDMA'

Now I just let pf restrict access to NTP. That works just fine.

Exit mobile version