Help me get NTP fixed up properly!



  • NTP gives us some items in the log such as:

    
    Oct 23 07:25:19	ntpd[84878]: restrict ::: KOD does nothing without LIMITED.
    Oct 23 07:25:19	ntpd[84878]: restrict default: KOD does nothing without LIMITED.
    
    

    Why are we seeing "KOD does nothing without LIMITED"?  Hmmm, seems pfSense fell victim to the worst NTP practical joke. Somewhere someone decided that it would be funny to recommend kod without limited, but kod is useless without limited, so wherever you see "kod" you should change it to "kod limited".

    The pfSense NTP.conf looks like this:

    
    # 
    # pfSense ntp configuration file 
    # 
    
    tinker panic 0 
    
    # Upstream Servers
    server 0.pfsense.pool.ntp.org iburst maxpoll 9
    disable monitor
    enable stats
    statistics clockstats
    statsdir /var/log/ntp
    logconfig =syncall +clockall
    driftfile /var/db/ntpd.drift
    restrict default kod nomodify notrap nopeer
    restrict -6 default kod nomodify notrap nopeer
    interface ignore all
    interface listen re2
    
    

    These lines should be modified to:

    
    restrict default kod limited nomodify notrap nopeer
    restrict -6 default kod limited nomodify notrap nopeer
    
    

    I'd be happy to submit a pull request on github to fix this but I don't understand the code base and how this ntp.conf file gets created.  I'd appreciate it if someone could point me in the right direction.

    Also I am seeing some IPv6 stuff:

    
    Oct 23 07:25:19	ntpd[84878]: setsockopt IPV6_MULTICAST_IF 0 for fe80::20d:b9ff:fe34:18ce%3 fails: Can't assign requested address
    Oct 23 07:25:19	ntpd[84878]: Listen normally on 3 re2 [fe80::20d:b9ff:fe34:18ce%3]:123
    
    

    So I looked into that and I think the ntp.conf file should look more like this:

    
    # By default, exchange time with everybody, but don't allow configuration:
    restrict -4 default kod limited notrap nomodify nopeer noquery
    #restrict -6 default kod limited notrap nomodify nopeer noquery
    
    # Local users may interrogate the NTP server more closely,
    # or for security, only accept NTP traffic from the following hosts:
    restrict 127.0.0.1
    restrict -6 ::1
    
    

    Or, we could turn off IPv6 via NTPD_OPTS='-4 -g' but I don't think that is a good option unless we remove that if someone turns on IPv6 support.

    Thoughts? Suggestions?



  • The ntp.conf is created by the "system.inc" in "/etc/inc"
    What you want to look at is this function "system_ntp_configure".

    
    	$ntpcfg .= "disable monitor\n";
    	$ntpcfg .= "enable stats\n";
    	$ntpcfg .= "statistics clockstats\n";
    	$ntpcfg .= "statsdir {$statsdir}\n";
    	$ntpcfg .= "logconfig =syncall +clockall\n";
    	$ntpcfg .= "driftfile {$driftfile}\n";
    	$ntpcfg .= "restrict default limited kod nomodify notrap nopeer noquery\n";
    	$ntpcfg .= "restrict -6 default limited kod nomodify notrap nopeer noquery\n";
    	$ntpcfg .= "restrict 192.168.0.1 mask 255.255.255.0 limited kod nomodify notrap nopeer\n";
    	$ntpcfg .= "restrict 127.0.0.1\n";
    	$ntpcfg .= "restrict -6 ::1\n";
    
    

    This code gets applied/saved when saving the "General setup" page in the GUI



  • Both errors are non critical and should have no effect on NTP working with IPv4.

    
    Oct 23 07:25:19	ntpd[84878]: restrict ::: KOD does nothing without LIMITED.
    Oct 23 07:25:19	ntpd[84878]: restrict default: KOD does nothing without LIMITED.
    
    

    Seems to have been fixed in 2.2beta. It's just a minor configuration mismatch in 2.1.X.



  • @fragged:

    Both errors are non critical and should have no effect on NTP working with IPv4.

    
    Oct 23 07:25:19	ntpd[84878]: restrict ::: KOD does nothing without LIMITED.
    Oct 23 07:25:19	ntpd[84878]: restrict default: KOD does nothing without LIMITED.
    
    

    Seems to have been fixed in 2.2beta. It's just a minor configuration mismatch in 2.1.X.

    I don't think it's a minor mismatch since in my box those are the last lines right before ntp crashes and have to be restarted. No other messages, just stops. I'm still using 2.1.3-RELEASE though, so I'm only mentioning just in case this helps understanding the problem. This box has a NAT'ed WAN interface (192.168.x.x) if that matter.

    Regards.



  • for 2.1,5 only:

    Best way to apply that patches is via the package "System Patches"

    Add the following into patch contents:

    --- system.inc.orig
    +++ system.inc
    @@ -1321,2 +1321,2 @@
    -	$ntpcfg .= "restrict default kod nomodify notrap nopeer\n";
    -	$ntpcfg .= "restrict -6 default kod nomodify notrap nopeer\n";
    +	$ntpcfg .= "restrict default kod limited nomodify notrap nopeer noquery\n";
    +	$ntpcfg .= "restrict -6 default kod limited nomodify notrap nopeer noquery\n";
    
    

    and don't forget to add the base directory /etc/inc

    Tick Auto apply to get it loaded whenever a boot occurs…


  • Rebel Alliance Global Moderator

    So tested out your patch - working great, that error is now gone.  But I removed not noquery, I want to be able to query it from my local lan, the only interface it is listening on, etc.



  • @johnpoz:

    So tested out your patch - working great, that error is now gone.  But I removed not noquery, I want to be able to query it from my local lan, the only interface it is listening on, etc.

    Add these lines and leave the noquery

    
    +	$ntpcfg .= "restrict 192.168.0.1 mask 255.255.255.0 limited kod nomodify notrap nopeer\n";
    +	$ntpcfg .= "restrict 127.0.0.1\n";
    +	$ntpcfg .= "restrict -6 ::1\n";
    
    

    The first line limits the local queries, assuming the LAN is 192.168.0.1
    The second and last line allow for the loopback (pfsense itself) to query the ntp unlimited via ipv4 or ipv6.

    So leaving the noquery lines intact will default deny any other interfaces you don't want access to the ntp.

    
    --- system.inc.orig
    +++ system.inc
    @@ -1321,2 +1321,2 @@
    -	$ntpcfg .= "restrict default kod nomodify notrap nopeer\n";
    -	$ntpcfg .= "restrict -6 default kod nomodify notrap nopeer\n";
    +	$ntpcfg .= "restrict default kod limited nomodify notrap nopeer noquery\n";
    +	$ntpcfg .= "restrict -6 default kod limited nomodify notrap nopeer noquery\n";
    @@ -1323,1 +1323,4 @@
    -
    +	$ntpcfg .= "restrict 192.168.0.1 mask 255.255.255.0 limited kod nomodify notrap nopeer\n";
    +	$ntpcfg .= "restrict 127.0.0.1\n";
    +	$ntpcfg .= "restrict -6 ::1\n";
    +
    
    

  • Rebel Alliance Global Moderator

    Thanks for fixing that up for the next guy..  But I only have ntp listening on my lan..  But yeah that looks like a better setup for someone might have opened it up to the public internet sort of thing.