Add access restrictions to ntpd
-
I would add the line:
restrict default kod nomodify notrap nopeer
to the ntpd.conf for security, so users are unable to modify the daemon.
-
Here ya go:
https://github.com/bsdperimeter/pfsense/commit/7b27db030c373778a727195e77928e7301b4c6d6
(added a -6 line too)
-
so that modifies the default - what if we don't want the same settings as him ;)
Can we get some method to edit these types of restrictions - there was another thread where someone was asking for that as well. I currently don't have any issues with those settings. But other users might.
-
patches accepted…
If someone wants to make gui knobs, have at it. :-)
-
Here ya go:
https://github.com/bsdperimeter/pfsense/commit/7b27db030c373778a727195e77928e7301b4c6d6
(added a -6 line too)
According to the manual a -6 line is not necessary: http://www.eecis.udel.edu/~mills/ntp/html/access.html
A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries.
Thanks for the modification. I will try to dive into how to change settings in the GUI.
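Added example, not from this thread or from pfSense: a POSIX sh check that audits an ntp.conf for the restrict default entries discussed above and reports which of kod, nomodify, notrap and nopeer are missing. Following the manual text quoted above, a bare restrict default is taken to cover both IPv4 and IPv6, so the absence of a -6 line is not treated as a defect; the config files it reads are constructed samples.

```shell
#!/bin/sh
# Added example: audit ntp.conf "restrict default" entries for the flags the
# thread recommends. Sample configs below are constructed, not pfSense files.
REQUIRED="kod nomodify notrap nopeer"

WEAK_CONF=$(mktemp); PARTIAL_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$PARTIAL_CONF" "$HARD_CONF"' EXIT
# No default restriction at all: any client may query and modify the daemon.
printf 'server 0.pool.ntp.org iburst\nrestrict 127.0.0.1\n' > "$WEAK_CONF"
# Only nomodify: the daemon still answers control/trap requests from anyone.
printf 'restrict default nomodify   # partial\nrestrict 127.0.0.1\n' > "$PARTIAL_CONF"
# Hardened, with an explicit -6 line as the commit in the thread added.
printf 'restrict default kod nomodify notrap nopeer\nrestrict -6 default kod nomodify notrap nopeer\nrestrict 127.0.0.1\n' > "$HARD_CONF"

# check_restrict FILE: prints "<entry>: ok" or "<entry>: missing <flags>" for
# every "restrict [-4|-6] default" entry (comments stripped). A bare
# "restrict default" covers both families, so a missing -6 line is not flagged.
# Exit status 0 only if at least one default entry exists and all are complete.
check_restrict() {
    awk -v req="$REQUIRED" '
        BEGIN { n = split(req, want, " "); found = 0; bad = 0 }
        { sub(/#.*/, "") }                       # drop trailing comments
        $1 == "restrict" && ($2 == "default" || (($2 == "-4" || $2 == "-6") && $3 == "default")) {
            found++
            entry = ($2 == "default") ? "default" : ($2 " default")
            split("", have)                       # reset the per-line flag set
            for (i = 1; i <= NF; i++) have[$i] = 1
            miss = ""
            for (i = 1; i <= n; i++) if (!(want[i] in have)) miss = miss " " want[i]
            if (miss == "") print entry ": ok"
            else { bad++; print entry ": missing" miss }
        }
        END {
            if (!found) { print "no default restriction: any client may query and modify"; exit 1 }
            exit (bad > 0)
        }' "$1"
}

for c in "$HARD_CONF" "$PARTIAL_CONF" "$WEAK_CONF"; do
    check_restrict "$c" || echo "  -> $c FAILS the check"
done
```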
-
Other pages specifically mention requiring it, and it doesn't seem to hurt, so better safe than sorry.
But if someone wants to test it, feel free…
-
patches accepted…
If someone wants to make gui knobs, have at it. :-)
I've done some minimal additions to generate offset and frequency graphs with rrdtool, for testing the 2.1 ntp daemon. I can supply the shell lines to generate the ntpd stats (below), but I'm not too sure I could integrate rrdtool ntp info into the existing GUI rrdtool graphs. Would be great to be able to track the performance of your ntpd server with a tab on the RRD graph page. Where are the RRD databases first initialized? Need to create one before using the script below.
BTW, I noticed ntpd offset swings of about -600 to +700 microseconds with /usr/local/bin/ntpd (running 2.1snapshot ova in virtual box, syncing to a stratum 1 server on a local subnet). The swings went down to -150 to +150 microseconds when I reverted to /usr/bin/ntpd.
Simple shell script for offset & frequency; change as needed:
#!/bin/sh
# Poll the kernel PLL state once a minute and feed the offset (seconds, scaled
# to microseconds) and frequency into an existing RRD; the RRD must be created
# first. counter is never changed, so the loop runs until the script is killed.
counter=1
while [ "$counter" -ne 0 ]
do
    DATA=`ntpdc -c kerninfo | awk '/^pll offset/ {printf $3*1000000}; /pll frequency/ {printf ":"$3}'`
    #echo ${DATA}
    /usr/bin/nice -n 20 /usr/local/bin/rrdtool update /var/db/rrd/ntp_stats.rrd N:${DATA}
    sleep 60
done