Help me get NTP fixed up properly!
-
NTP gives us some items in the log such as:
Oct 23 07:25:19 ntpd[84878]: restrict ::: KOD does nothing without LIMITED. Oct 23 07:25:19 ntpd[84878]: restrict default: KOD does nothing without LIMITED.
Why are we seeing "KOD does nothing without LIMITED"? Hmmm, seems pfSense fell victim to the worst NTP practical joke. Somewhere someone decided that it would be funny to recommend kod without limited, but kod is useless without limited, so wherever you see "kod" you should change it to "kod limited".
The pfSense NTP.conf looks like this:
# # pfSense ntp configuration file # tinker panic 0 # Upstream Servers server 0.pfsense.pool.ntp.org iburst maxpoll 9 disable monitor enable stats statistics clockstats statsdir /var/log/ntp logconfig =syncall +clockall driftfile /var/db/ntpd.drift restrict default kod nomodify notrap nopeer restrict -6 default kod nomodify notrap nopeer interface ignore all interface listen re2
These lines should be modified to:
restrict default kod limited nomodify notrap nopeer restrict -6 default kod limited nomodify notrap nopeer
I'd be happy to submit a pull request on github to fix this but I don't understand the code base and how this ntp.conf file gets created. I'd appreciate it if someone could point me in the right direction.
Also I am seeing some IPv6 stuff:
Oct 23 07:25:19 ntpd[84878]: setsockopt IPV6_MULTICAST_IF 0 for fe80::20d:b9ff:fe34:18ce%3 fails: Can't assign requested address Oct 23 07:25:19 ntpd[84878]: Listen normally on 3 re2 [fe80::20d:b9ff:fe34:18ce%3]:123
So I looked into that and I think the ntp.conf file should look more like this:
# By default, exchange time with everybody, but don't allow configuration: restrict -4 default kod limited notrap nomodify nopeer noquery #restrict -6 default kod limited notrap nomodify nopeer noquery # Local users may interrogate the NTP server more closely, # or for security, only accept NTP traffic from the following hosts: restrict 127.0.0.1 restrict -6 ::1
Or, we could turn off IPv6 via
NTPD_OPTS='-4 -g'
but I don't think that is a good option unless we remove that if someone turns on IPv6 support.Thoughts? Suggestions?
-
The ntp.conf is created by the "system.inc" in "/etc/inc"
What you want to look at is this function "system_ntp_configure".$ntpcfg .= "disable monitor\n"; $ntpcfg .= "enable stats\n"; $ntpcfg .= "statistics clockstats\n"; $ntpcfg .= "statsdir {$statsdir}\n"; $ntpcfg .= "logconfig =syncall +clockall\n"; $ntpcfg .= "driftfile {$driftfile}\n"; $ntpcfg .= "restrict default limited kod nomodify notrap nopeer noquery\n"; $ntpcfg .= "restrict -6 default limited kod nomodify notrap nopeer noquery\n"; $ntpcfg .= "restrict 192.168.0.1 mask 255.255.255.0 limited kod nomodify notrap nopeer\n"; $ntpcfg .= "restrict 127.0.0.1\n"; $ntpcfg .= "restrict -6 ::1\n";
This code gets applied/saved when saving the "General setup" page in the GUI
-
Both errors are non critical and should have no effect on NTP working with IPv4.
Oct 23 07:25:19 ntpd[84878]: restrict ::: KOD does nothing without LIMITED. Oct 23 07:25:19 ntpd[84878]: restrict default: KOD does nothing without LIMITED.
Seems to have been fixed in 2.2beta. It's just a minor configuration mismatch in 2.1.X.
-
Both errors are non critical and should have no effect on NTP working with IPv4.
Oct 23 07:25:19 ntpd[84878]: restrict ::: KOD does nothing without LIMITED. Oct 23 07:25:19 ntpd[84878]: restrict default: KOD does nothing without LIMITED.
Seems to have been fixed in 2.2beta. It's just a minor configuration mismatch in 2.1.X.
I don't think it's a minor mismatch since in my box those are the last lines right before ntp crashes and have to be restarted. No other messages, just stops. I'm still using 2.1.3-RELEASE though, so I'm only mentioning just in case this helps understanding the problem. This box has a NAT'ed WAN interface (192.168.x.x) if that matter.
Regards.
-
for 2.1,5 only:
Best way to apply that patches is via the package "System Patches"
Add the following into patch contents:
--- system.inc.orig +++ system.inc @@ -1321,2 +1321,2 @@ - $ntpcfg .= "restrict default kod nomodify notrap nopeer\n"; - $ntpcfg .= "restrict -6 default kod nomodify notrap nopeer\n"; + $ntpcfg .= "restrict default kod limited nomodify notrap nopeer noquery\n"; + $ntpcfg .= "restrict -6 default kod limited nomodify notrap nopeer noquery\n";
and don't forget to add the base directory /etc/inc
Tick Auto apply to get it loaded whenever a boot occurs…
-
So tested out your patch - working great, that error is now gone. But I removed not noquery, I want to be able to query it from my local lan, the only interface it is listening on, etc.
-
So tested out your patch - working great, that error is now gone. But I removed not noquery, I want to be able to query it from my local lan, the only interface it is listening on, etc.
Add these lines and leave the noquery
+ $ntpcfg .= "restrict 192.168.0.1 mask 255.255.255.0 limited kod nomodify notrap nopeer\n"; + $ntpcfg .= "restrict 127.0.0.1\n"; + $ntpcfg .= "restrict -6 ::1\n";
The first line limits the local queries, assuming the LAN is 192.168.0.1
The second and last line allow for the loopback (pfsense itself) to query the ntp unlimited via ipv4 or ipv6.So leaving the noquery lines intact will default deny any other interfaces you don't want access to the ntp.
--- system.inc.orig +++ system.inc @@ -1321,2 +1321,2 @@ - $ntpcfg .= "restrict default kod nomodify notrap nopeer\n"; - $ntpcfg .= "restrict -6 default kod nomodify notrap nopeer\n"; + $ntpcfg .= "restrict default kod limited nomodify notrap nopeer noquery\n"; + $ntpcfg .= "restrict -6 default kod limited nomodify notrap nopeer noquery\n"; @@ -1323,1 +1323,4 @@ - + $ntpcfg .= "restrict 192.168.0.1 mask 255.255.255.0 limited kod nomodify notrap nopeer\n"; + $ntpcfg .= "restrict 127.0.0.1\n"; + $ntpcfg .= "restrict -6 ::1\n"; +
-
Thanks for fixing that up for the next guy.. But I only have ntp listening on my lan.. But yeah that looks like a better setup for someone might have opened it up to the public internet sort of thing.