Netgate Discussion Forum

    Add access restrictions to ntpd

    2.1 Snapshot Feedback and Problems - RETIRED
    7 Posts 4 Posters 2.5k Views
    • gogol

      I would add the line:

      restrict default kod nomodify notrap nopeer

      to the ntpd.conf for security, so users are unable to modify the daemon.

      • jimp Rebel Alliance Developer Netgate

        Here ya go:

        https://github.com/bsdperimeter/pfsense/commit/7b27db030c373778a727195e77928e7301b4c6d6
        (added a -6 line too)

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • johnpoz LAYER 8 Global Moderator

          so that modifies the default - what if we don't want the same settings as him ;)

          Can we get some method to edit these types of restrictions - there was another thread where someone was asking for that as well. I don't have any issues with those settings currently. But other users might.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • jimp Rebel Alliance Developer Netgate

            patches accepted…

            If someone wants to make gui knobs, have at it. :-)

            • gogol

              @jimp:

              Here ya go:

              https://github.com/bsdperimeter/pfsense/commit/7b27db030c373778a727195e77928e7301b4c6d6
              (added a -6 line too)

              According to the manual a -6 line is not necessary: http://www.eecis.udel.edu/~mills/ntp/html/access.html

              A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries.

              Thanks for the modification. I will try to dive into how to change settings in the GUI.

              • jimp Rebel Alliance Developer Netgate

                Other pages specifically mention requiring it, and it doesn't seem to hurt, so better safe than sorry.

                But if someone wants to test it, feel free…

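Added example (not part of any post in this thread, and not pfSense code): a POSIX sh/awk check of the `restrict default` lines discussed above against the four flags gogol proposed. The helper name `audit_restrict`, its `BARE_COVERS_V6` switch and the sample config are assumptions; the switch lets the same file be audited under either reading of whether a bare `restrict default` also covers IPv6.

```shell
#!/bin/sh
# Added example, not pfSense code. Flags are the ones proposed in the thread.
REQUIRED="kod nomodify notrap nopeer"

# audit_restrict [BARE_COVERS_V6] < ntpd.conf   (hypothetical helper)
#   1 (default): bare "restrict default" covers IPv4 and IPv6 (manual wording)
#   0          : bare "restrict default" counts for IPv4 only (cautious reading)
# Conservative by design: every default line covering a family must carry
# all required flags. Returns 0 only if both families pass.
audit_restrict() {
    awk -v required="$REQUIRED" -v bare6="${1:-1}" '
    function note(fam, flags,    n, k, need) {
        seen[fam] = 1
        n = split(required, need, " ")
        for (k = 1; k <= n; k++)
            if (!index(flags, " " need[k] " ") && !index(missing[fam], need[k]))
                missing[fam] = missing[fam] " " need[k]
    }
    { sub(/#.*/, "") }                      # drop comments
    $1 == "restrict" {
        i = 2; fam = ""
        if ($i == "-4" || $i == "-6") { fam = $i; i++ }
        if ($i != "default") next
        flags = " "
        for (j = i + 1; j <= NF; j++) flags = flags $j " "
        if (fam != "-6") note("ipv4", flags)
        if (fam == "-6" || (fam == "" && bare6 + 0)) note("ipv6", flags)
    }
    END {
        bad = 0
        for (k = 1; k <= 2; k++) {
            f = (k == 1) ? "ipv4" : "ipv6"
            if (!(f in seen))      { print f ": no restrict default line"; bad = 1 }
            else if (missing[f])   { print f ": missing" missing[f]; bad = 1 }
            else                     print f ": ok"
        }
        exit bad
    }'
}

# Constructed sample: the thread's proposed line, without a -6 line.
SAMPLE='server 192.0.2.1 iburst   # constructed
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1'

printf '%s\n' "$SAMPLE" | audit_restrict 1
printf '%s\n' "$SAMPLE" | audit_restrict 0 || true
```

With the switch set to 0 the sample fails on IPv6 until an explicit `restrict -6 default ...` line is present, which is the case the added -6 line covers.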
                • charliem

                  @jimp:

                  patches accepted…

                  If someone wants to make gui knobs, have at it. :-)

                  I've done some minimal additions to generate offset and frequency graphs with rrdtool, for testing the 2.1 ntp daemon. I can supply the shell lines to generate the ntpd stats (below), but I'm not too sure I could integrate rrdtool ntp info into the existing GUI rrdtool graphs. Would be great to be able to track the performance of your ntpd server with a tab on the RRD graph page. Where are the RRD databases first initialized? Need to create one before using script below.

                  BTW, I noticed ntpd offset swings of about -600 to +700 microseconds with /usr/local/bin/ntpd (running 2.1snapshot ova in VirtualBox, syncing to a stratum 1 server on a local subnet). The swings went down to -150 to +150 microseconds when I reverted to /usr/bin/ntpd.

                  Simple shell script for offset & frequency; change as needed:

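
                  ```sh
                  #!/bin/sh
                  # Poll ntpd once a minute and feed offset and frequency into an RRD.
                  # The RRD file must already exist before this script is started.
                  while true
                  do
                      # "pll offset" is reported in seconds; convert it to microseconds.
                      # DATA has the form <offset_us>:<frequency>
                      DATA=$(ntpdc -c kerninfo | awk '/^pll offset/ {printf "%s", $3*1000000}; /pll frequency/ {printf ":%s", $3}')
                      #echo "${DATA}"
                      /usr/bin/nice -n 20 /usr/local/bin/rrdtool update /var/db/rrd/ntp_stats.rrd "N:${DATA}"
                      sleep 60
                  done
                  ```
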
                  
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.