Hello!

Thank you for your comments.
I took a while to read the man pages and also to make some searches...
Man page says: "Time can also be fetched from TLS HTTPS servers to reduce the impact of unauthenticated NTP man-in-the-middle attacks."
So it seems that we can assume that the clock is still corrected having only "constraints" in ntpd.conf. Maybe that is not enough to have “ntpctl -s status” saying "clock synced".

This is an interesting subject and it would be great to have it really clear.
I respect your opinion. And I know I am just an OpenBSD rookie, but I believe that there can be some contradiction between what the man page says and your response.

Thank you and I hope that this subject can convince more "experts" to give their valuable feedback.

Thank you,
Daniel

On Sun, May 10, 2026 at 8:35 PM Peter Hessler <[email protected]> wrote:

> On 2026 May 10 (Sun) at 18:53:15 +0100 (+0100), Daniel wrote:
> :Hello !!
> :
> :I am a beginner in openbsd.
> :After install and basic configuration I am trying to configure pf. I began
> :with something very restrictive and blocked ntpd to go out to port 123. I
>
> That won't work.
>
>
> :did it because I understood that I can configure ntpd.conf to use only the
> :restrictions through https (which is open in the firewall).
>
> Sorry, but you misunderstood how constraints work. They will put a
> barrier on the time window, but not be used for an actual sync.
>
>
> :But when I do “ntpctl -s status” I am getting:
> :constrain offset -1s, no peers and no sensors configured
> :clock unsynced
> :Does that mean that ntpd is not able to sync the clock?
> :If yes, what am I doing wrong?
>
> You'll need to allow udp/123 to your listed time source servers.
>
> (Note that if you use dynamic sources such as "pool.ntp.org", then keep
> in mind that pf will only use what was resolved when pfctl was last run,
> which may or may not match what ntpd has resolved and is trying to use.)
>
>
> :
> :Thank you!!
> :
> :Daniel
>
> -peter
>
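
A configuration sketch of the point made in the quoted reply, added here as an example and not taken from either poster: ntpd syncs to its `server` entries over udp/123 while the HTTPS constraint only bounds the accepted time, so pf has to pass both. The addresses 192.0.2.10 and 192.0.2.11 and the host www.example.org are placeholders, and the table name `ntp_servers` is an assumption.

```conf
# --- /etc/ntpd.conf ---
# Time sources: these are what ntpd actually syncs to, over udp/123.
# 192.0.2.10 and 192.0.2.11 are placeholder addresses; use your own servers.
server 192.0.2.10
server 192.0.2.11

# Constraint: fetched over HTTPS (tcp/443). It only bounds the time
# accepted from the servers above; it is not a sync source by itself.
# www.example.org is a placeholder host.
constraints from "www.example.org"

# --- /etc/pf.conf (rules added to the existing ruleset) ---
# Same placeholder addresses as the "server" lines, written as literals so
# the rule does not depend on what a hostname resolved to at pfctl load time.
table <ntp_servers> const { 192.0.2.10, 192.0.2.11 }

# NTP queries to the listed time sources only.
pass out on egress inet proto udp to <ntp_servers> port 123

# HTTPS for the constraint fetch (already open in the setup described).
pass out on egress proto tcp to port 443
```

After reloading the ruleset with `pfctl -f /etc/pf.conf` and restarting ntpd, `ntpctl -s status` should list peers once the servers respond.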

