On Thu, 22 Jan 2004 02:21:56 -0700
"Edward Aronyk" <[EMAIL PROTECTED]> wrote:
> Good day all,
>
> I'm attempting to setup NTP on two FreeBSD servers. To maximize
> security, I have configured NTP to only synchronize itself from a few
> other servers, and not offer NTP to other servers. The server runs
> IPF, which also blocks access to NTP. The problem is, the servers
> don't seem to update the time at all. I know ntp is running because it
> updates the driftfile, and ps shows it's active:
>
> # ps -aux | grep ntp
> root     81  0.0  0.2  1328  960  ??  Ss    9Jan04   1:06.65 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root     83  0.0  0.2  1364  992  ??  S     9Jan04   0:15.67 /usr/sbin/ntpd -p /var/run/ntpd.pid
> root  47532  0.0  0.0   304  164  p0  R+    2:14AM   0:00.00 grep ntp
>
> I can't seem to connect to it locally, however:
>
> # ntpq -p
> 127.0.0.1: timed out, nothing received
> ***Request timed out
>
> It is properly started from rc.conf:
>
> # cat /etc/rc.conf | grep ntp
> xntpd_enable="YES"
>
> And it does seem to be started during bootup:
>
> # cat /var/log/messages | grep ntp
> Jan 4 01:27:43 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
> Jan 4 01:27:43 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
> Jan 4 01:27:43 boudica ntpd[82]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003(1)
> Jan 4 01:27:43 boudica ntpd[82]: kernel time discipline status 2040
> Jan 9 20:51:21 boudica /kernel: IOAPIC #0 intpin 2 -> irq 0
> Jan 9 20:51:21 boudica /kernel: APIC_IO: routing 8254 via IOAPIC #0 intpin 2
> Jan 9 20:51:21 boudica ntpd[81]: ntpd 4.1.0-a Mon Oct 13 17:59:47 MDT 2003(1)
> Jan 9 20:51:21 boudica ntpd[81]: kernel time discipline status 2040
>
> Does anyone have any advice? I'd prefer to leave the NTP port closed
> if possible. This problem is present for me on both FreeBSD 4.8 and
> 5.1. I have included my NTP configuration and IPF ruleset below in case
> it helps anyone.
>
> ---ntp.conf---
> # cat /etc/ntp.conf
> server subitaneous.cpsc.ucalgary.ca prefer
> server tick.mit.edu
> server ntp1.cmc.ec.gc.ca
> server ntp2.cmc.ec.gc.ca
> server clock1.unc.edu
>
> driftfile /etc/ntp.drift
>
> restrict default ignore
>
> ---ntp.drift---
> # cat /etc/ntp.drift
> 0.000
>
> ---ipf.rules---
> # cat /etc/ipf.rules
> # Default deny
> block in on fxp0
>
> # Pass in and out on loopback
> pass in quick on lo0
> pass out quick on lo0
>
> # Anti-spoofing
> block in quick on fxp0 from 192.168.0.0/16 to any
> block in quick on fxp0 from 172.16.0.0/12 to any
> block in quick on fxp0 from 10.0.0.0/8 to any
> block in quick on fxp0 from 127.0.0.1/8 to any
> block in quick on fxp0 from 0.0.0.0/8 to any
>
> # Allow certain useful ICMP packets
> pass in quick on fxp0 proto icmp from any to any icmp-type 0
> pass in quick on fxp0 proto icmp from any to any icmp-type 8
> pass in quick on fxp0 proto icmp from any to any icmp-type 11
> block in log quick on fxp0 proto icmp from any to any
>
> # Allow outbound connections
> pass out quick on fxp0 proto tcp/udp from any to any keep state
> pass out quick on fxp0 proto icmp from any to any keep state
>
> # Allow inbound useful packets
> pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state keep frags # SSH
> pass in quick on fxp0 proto tcp from any to any port = 25 flags S keep state keep frags # SMTP
> pass in quick on fxp0 proto tcp from any to any port = 80 flags S keep state keep frags # HTTP
> pass in quick on fxp0 proto tcp from any to any port = 110 flags S keep state keep frags # POP
> pass in quick on fxp0 proto tcp from any to any port = 143 flags S keep state keep frags # IMAP
> pass in quick on fxp0 proto tcp from any to any port = 993 flags S keep state keep frags # IMAP/SSL
>
>
>
> Thanks for your time,
> Edward Aronyk
> [EMAIL PROTECTED]
>
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "[EMAIL PROTECTED]"
Hi,
Not 100% sure on this but I think you need to include the loopback in
your server list in ntp.conf, especially since you're specifying
default ignore:
server 127.0.0.1
Cheers,
EB
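An added example, not part of the thread: the symptom in the quoted configuration comes from the access-control list, not from the firewall. In ntpd, `restrict default ignore` makes the daemon drop every packet whose source address has no more specific `restrict` entry, so a local `ntpq -p` from 127.0.0.1 times out and the replies from the hosts on the `server` lines are discarded just the same, which is why the drift file is written but the clock never steps. The script below (assumed helper names `ntp_restrict_gaps` and `ntp_restrict_fix`, a constructed sample config that reuses two of the quoted server names) lints an ntp.conf for that gap and prints the exemption lines a hardened configuration would carry: loopback is exempted outright, and each upstream host is exempted for time exchange while `nomodify notrap noquery` still refuses runtime changes, traps and ntpq/ntpdc queries from it.

```sh
#!/bin/sh
# Added example (not from the thread): lint an ntp.conf for the restrict gap.
# With "restrict default ignore", ntpd drops every packet whose source address
# matches no more specific restrict entry, so local ntpq queries from 127.0.0.1
# time out and replies from the configured servers are silently discarded.

# ntp_restrict_gaps: reads ntp.conf on stdin, prints one line per missing
# exemption; exit status 1 if anything is missing, 0 if the config is fine or
# does not use "restrict default ignore" at all.
ntp_restrict_gaps() {
    awk '
        { sub(/#.*/, "") }                  # drop comments; $0 is re-split
        NF == 0 { next }
        $1 == "restrict" && $2 == "default" {
            for (i = 3; i <= NF; i++) if ($i == "ignore") default_ignore = 1
            next
        }
        $1 == "restrict"                    { restricted[$2] = 1; next }
        $1 == "server" || $1 == "peer"      { upstream[$2] = 1 }
        END {
            if (!default_ignore) exit 0
            missing = 0
            if (!("127.0.0.1" in restricted)) {
                print "127.0.0.1 has no restrict entry: ntpq -p will time out"
                missing++
            }
            for (h in upstream) if (!(h in restricted)) {
                print h " has no restrict entry: its replies are ignored"
                missing++
            }
            exit (missing > 0)
        }'
}

# ntp_restrict_fix: reads ntp.conf on stdin and prints the restrict lines
# that exempt loopback and each upstream host while still refusing ntpq
# queries, runtime modification and traps from those hosts.
ntp_restrict_fix() {
    echo "restrict 127.0.0.1"
    awk '{ sub(/#.*/, "") }
         $1 == "server" || $1 == "peer" { print "restrict " $2 " nomodify notrap noquery" }'
}

# Constructed sample mirroring the quoted configuration (two of its servers).
sample_conf() {
    cat <<'EOF'
server subitaneous.cpsc.ucalgary.ca prefer
server tick.mit.edu
driftfile /etc/ntp.drift
restrict default ignore
EOF
}

# Report the gaps; if any, print the lines to append to ntp.conf.
sample_conf | ntp_restrict_gaps || {
    echo "--- suggested additions to ntp.conf ---"
    sample_conf | ntp_restrict_fix
}
```

Run it as `sh ntp_restrict_lint.sh`, or pipe a real file into `ntp_restrict_gaps` in place of `sample_conf`. Two points worth keeping in mind: ntpd resolves a hostname on a `restrict` line when it reads the configuration, so an IP address is the more robust form if a server's address may change; and nothing here requires opening UDP port 123 inbound, because the quoted IPF ruleset already admits the upstream replies through the outbound `keep state` rule, so the poster's preference for a closed NTP port is compatible with the fix.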