From 796815cf85b3d666586edd6e0dbd859466232da8 Mon Sep 17 00:00:00 2001 From: cy Date: Wed, 29 Mar 2017 01:32:34 +0000 Subject: [PATCH] MFC r311103 (ian): Update ntp.conf to use the ntpd pool feature. Our previous ntp.conf file configured 3 servers from freebsd.pool.ntp.org using 3 separate 'server' config lines. That is now replaced with a single 'pool' line which causes ntpd to add multiple servers from the pool. More than just making the config smaller, the pool feature in ntpd has one major advantage over configuring 3 separate servers from a pool: if a server that was added using a 'pool' statement provides bad time (initially or at some later date), ntpd automatically discards it and configures a new different server from the pool without needing to be restarted. These changes also add a 'tos' line to control how many pool servers get added, a 'restrict source' line that is required to allow ntpd to add new peers from the pool, and it deletes a 'restrict 127.127.1.0' line that does nothing and should never have been there (127.127.1.0 is not a valid IP address, it's a refclock identifier). Reviewed by: cy MFC requested by: ache Differential Revision: https://reviews.freebsd.org/D9011 git-svn-id: svn://svn.freebsd.org/base/stable/10@316121 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- etc/ntp.conf | 52 ++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 16 deletions(-) diff --git a/etc/ntp.conf b/etc/ntp.conf index 64edd9377..977295ecd 100644 --- a/etc/ntp.conf +++ b/etc/ntp.conf @@ -11,28 +11,43 @@ # # -# The following three servers will give you a random set of three -# NTP servers geographically close to you. -# See http://www.pool.ntp.org/ for details. Note, the pool encourages +# Set the target and limit for adding servers configured via pool statements +# or discovered dynamically via mechanisms such as broadcast and manycast. +# Ntpd automatically adds maxclock-1 servers from configured pools, and may +# add as many as maxclock*2 if necessary to ensure that at least minclock +# servers are providing good consistant time. +# +tos minclock 3 maxclock 6 + +# +# The following pool statement will give you a random set of NTP servers +# geographically close to you. A single pool statement adds multiple +# servers from the pool, according to the tos minclock/maxclock targets. +# See http://www.pool.ntp.org/ for details. Note, pool.ntp.org encourages # users with a static IP and good upstream NTP servers to add a server # to the pool. See http://www.pool.ntp.org/join.html if you are interested. # # The option `iburst' is used for faster initial synchronization. # -server 0.freebsd.pool.ntp.org iburst -server 1.freebsd.pool.ntp.org iburst -server 2.freebsd.pool.ntp.org iburst -#server 3.freebsd.pool.ntp.org iburst +pool 0.freebsd.pool.ntp.org iburst # # If you want to pick yourself which country's public NTP server -# you want sync against, comment out the above servers, uncomment -# the next ones and replace CC with the country's abbreviation. -# Make sure that the hostnames resolve to a proper IP address! +# you want to sync against, comment out the above pool, uncomment +# the next one, and replace CC with the country's abbreviation. +# Make sure that the hostname resolves to a proper IP address! +# +# pool 0.CC.pool.ntp.org iburst + +# +# To configure a specific server, such as an organization-wide local +# server, add lines similar to the following. One or more specific +# servers can be configured in addition to, or instead of, any server +# pools specified above. When both are configured, ntpd first adds all +# the specific servers, then adds servers from the pool until the tos +# minclock/maxclock targets are met. # -# server 0.CC.pool.ntp.org iburst -# server 1.CC.pool.ntp.org iburst -# server 2.CC.pool.ntp.org iburst +#server time.my-internal.org iburst # # Security: @@ -40,11 +55,17 @@ server 2.freebsd.pool.ntp.org iburst # By default, only allow time queries and block all other requests # from unauthenticated clients. # +# The "restrict source" line allows peers to be mobilized when added by +# ntpd from a pool, but does not enable mobilizing a new peer association +# by other dynamic means (broadcast, manycast, ntpq commands, etc). +# # See http://support.ntp.org/bin/view/Support/AccessRestrictions # for more information. # -restrict default limited kod nomodify notrap nopeer noquery -restrict -6 default limited kod nomodify notrap nopeer noquery +restrict default limited kod nomodify notrap noquery nopeer +restrict -6 default limited kod nomodify notrap noquery nopeer +restrict source limited kod nomodify notrap noquery + # # Alternatively, the following rules would block all unauthorized access. # @@ -65,7 +86,6 @@ restrict -6 default limited kod nomodify notrap nopeer noquery # The following settings allow unrestricted access from the localhost restrict 127.0.0.1 restrict -6 ::1 -restrict 127.127.1.0 # # If a server loses sync with all upstream servers, NTP clients -- 2.42.0