How to configure an NTP server (ntpd) to synchronize the server clock over the Internet on FreeBSD
On FreeBSD, ntpd, ntpdc, ntpdate and ntpq don't need to be installed via a specific package like on GNU/Linux, as they are part of the FreeBSD world (binaries shipped as standard with the FreeBSD base system).
The FreeBSD handbook has a chapter explaining NTP on FreeBSD thoroughly; however, for the lazy ones, here is a short few-step tutorial on how to install and configure ntpd on FreeBSD:
1. Copy the sample ntp.conf file to /etc/
freebsd# cp -pf /usr/src/etc/ntp.conf /etc/
No modifications are needed unless you want to apply specific restrictions on who can access the ntpd server. If you regularly update the FreeBSD system with freebsd-update or directly by rebuilding the FreeBSD kernel / world, adding restrictions might not be necessary.
If you check /usr/src/etc/ntp.conf you will notice that the FreeBSD project people are running their own NTP servers; by default ntpd will use these servers to fetch timing information. The exact server hosts used at the time of writing can be seen in ntp.conf and are:
server 0.freebsd.pool.ntp.org iburst maxpoll 9
server 1.freebsd.pool.ntp.org iburst maxpoll 9
server 2.freebsd.pool.ntp.org iburst maxpoll 9
2. Add the ntpd daemon to load on system boot via /etc/rc.conf
By default ntpd is disabled on FreeBSD; you can see whether it is disabled or enabled by invoking:
freebsd# /etc/rc.d/ntpd rcvar
# ntpd
ntpd_enable=NO
To enable ntpd to get loaded each time the system boots, the following 3 lines have to be added to /etc/rc.conf:
ntpdate_enable="YES"
ntpdate_flags="europe.pool.ntp.org"
ntpd_enable="YES"
A quick way to add them is to use echo:
echo 'ntpdate_enable="YES"' >> /etc/rc.conf
echo 'ntpdate_flags="europe.pool.ntp.org"' >> /etc/rc.conf
echo 'ntpd_enable="YES"' >> /etc/rc.conf
Now that the 3 rc.conf variables are set (ntpdate_enable and ntpd_enable to "YES"), ntpd can be started. Without these variables in /etc/rc.conf, "/etc/rc.d/ntpd start" will refuse to start ntpd.
3. Start the ntpd service
freebsd# /etc/rc.d/ntpd start
...
One interesting note is that ntpd can also operate without any config file (/etc/ntp.conf) being specified; the only requirement for the server to start is a properly set ntpdate server, e.g. ntpdate_flags="europe.pool.ntp.org".
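An added helper (not from the original post) that sets rc.conf variables without the quoting slip and without appending duplicate lines on re-runs; the scratch file, the RC variable and the set_rcvar/get_rcvar names are assumptions of this example. On FreeBSD 9.2 and later the stock sysrc(8) does the same job (sysrc ntpd_enable=YES).

```shell
#!/bin/sh
# Added example: set an rc.conf variable idempotently. A bare
# "echo ... >> /etc/rc.conf" appends another copy on every re-run; this
# replaces an existing assignment instead. Equivalent of sysrc(8) on FreeBSD 9.2+.
set_rcvar() {   # usage: set_rcvar <file> <name> <value>
    file=$1 name=$2 value=$3
    tmp=$(mktemp) || return 1
    # Keep every line except an existing assignment of $name. grep exits 1 when
    # nothing is left (empty or missing file), which is fine here.
    grep -v "^${name}=" "$file" > "$tmp" 2>/dev/null || :
    printf '%s="%s"\n' "$name" "$value" >> "$tmp"
    # cat instead of mv keeps the owner/mode of the real /etc/rc.conf.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

get_rcvar() {   # usage: get_rcvar <file> <name>  (prints the value, quotes stripped)
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"$//'
}

# Demo on a scratch file (constructed); on the real system run with RC=/etc/rc.conf.
RC=${RC:-$(mktemp)}
set_rcvar "$RC" ntpdate_enable YES
set_rcvar "$RC" ntpdate_flags  europe.pool.ntp.org
set_rcvar "$RC" ntpd_enable    YES
set_rcvar "$RC" ntpd_enable    YES     # re-running replaces, does not duplicate
cat "$RC"
```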
4. Permit only certain hosts or localhost to "talk" to the ntpd server
If you want to apply some ntp server restrictions, the configuration directives are the same as on Linux.
To allow only a host inside a local network with IP 192.168.0.2 as well as localhost to fetch time information via the ntpd server, put inside /etc/ntp.conf:
restrict 127.0.0.1
restrict 192.168.0.1 mask 255.255.255.0 nomodify notrap
If you want to prohibit ntpd from serving as a Network Time Server to any other host except localhost, add in /etc/ntp.conf:
restrict default ignore
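An added example (not the post's own configuration) of the restrict set that actually achieves "only localhost and the listed clients": ntpd needs a default policy ("restrict default ignore") for the allow lines to mean anything, and with that default the replies from the pool servers above would be dropped too, so they are re-admitted with "restrict source". The gen_ntp_conf function and the 192.168.0.x addresses are constructed for illustration; "restrict source" assumes ntp 4.2.7 or newer (FreeBSD ships 4.2.8).

```shell
#!/bin/sh
# Added example: emit an /etc/ntp.conf that keeps the FreeBSD pool servers as
# time sources but answers time requests only from localhost and the clients
# given as arguments. Everything else is dropped by ntpd itself, independently
# of any pf/ipfw rule. Write it with: gen_ntp_conf <clients...> > /etc/ntp.conf
gen_ntp_conf() {
    cat <<'EOF'
server 0.freebsd.pool.ntp.org iburst maxpoll 9
server 1.freebsd.pool.ntp.org iburst maxpoll 9
server 2.freebsd.pool.ntp.org iburst maxpoll 9
driftfile /var/db/ntpd.drift

# Default policy: drop every packet, including ntpq/ntpdc queries.
restrict default ignore
# Localhost may query and reconfigure (ntpdc/ntpq on the box itself).
restrict 127.0.0.1
restrict ::1
# Replies from the servers configured above are still accepted, but those
# servers may not reconfigure, peer with, or query us (needs ntp >= 4.2.7).
restrict source nomodify notrap nopeer noquery
EOF
    # One line per allowed client host or "addr mask netmask": time requests only.
    for client in "$@"; do
        printf 'restrict %s nomodify notrap nopeer noquery\n' "$client"
    done
}

# Demo: one host and one /24 network (constructed addresses).
gen_ntp_conf 192.168.0.2 "192.168.0.0 mask 255.255.255.0"
```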
Allowing and denying certain hosts can also be done at the pf (packet filter) or ipfw firewall level, which in my view is easier (and less confusing) than adding restrictions through ntp.conf. Besides that, using the server firewall directly to apply restrictions is more secure: if, for instance, a remote exploit vulnerability is discovered affecting your ntpd server, it will not affect you externally, as access to UDP port 123 is disabled at the firewall level.
Something worth mentioning is that NTP servers communicate with each other using UDP source/destination port 123. Hence, if the ntpd server has to be publicly accessible and a firewall is already in place, access to source/destination port 123 should be allowed in the firewall configuration.
5. Check if the ntp server is running properly / ntp server query operations
[root@pcfreak /home/hipo]# ps axuww|grep -i ntp
root 15647 0.0 0.2 4672 1848 ?? Ss 2:49PM 0:00.04 /usr/sbin/ntpd -c /etc/ntp.conf -p /var/run/ntpd.pid -f /var/db/ntpd.drift
To query the now running ntpd server, as well as to set various configuration options "on the fly" (i.e. without the need for ntp.conf edits and an init script restart), a tool called ntpdc exists. ntpdc can be used to connect to a locally running ntpd as well as to connect to and manage a remote ntpd server. The most basic use of ntpdc is to check the server peers:
freebsd# ntpdc localhost
ntpdc> peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=kgb.comnet.bg   83.228.93.76     2   64  377 0.00282 -0.050575 0.06059
*billing.easy-la 83.228.93.76     2   64  377 0.01068 -0.057400 0.06770
=ns2.novatelbg.n 83.228.93.76     2   64  377 0.01001 -0.055290 0.06058
ntpdc also has a non-interactive interface, handy if requests to ntpd need to be scripted. To check the ntpd server peers non-interactively:
freebsd# ntpdc -p localhost
=======================================================================
=kgb.comnet.bg   83.228.93.76     2   64  377 0.00284 -0.043157 0.06184
=billing.easy-la 83.228.93.76     2   64  377 0.01059 -0.042648 0.05811
*ns2.novatelbg.n 83.228.93.76     2   64  377 0.00996 -0.041097 0.06094
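An added example (not from the original post) that turns the ntpdc -p peer table above into a scriptable health check; the ntp_healthy function, the 0.5 s offset threshold and the second, not-yet-synced table are constructed for this example.

```shell
#!/bin/sh
# Added example: health check over the peer table printed by "ntpdc -p"
# (same column layout as "ntpq -p"). Exit 0 only if a system peer (marked '*')
# is selected, fully reachable (reach 377 = all of the last 8 polls answered)
# and its offset is within max_offset seconds (default 0.5, an assumed threshold).
ntp_healthy() {
    max_offset=${1:-0.5}
    awk -v max="$max_offset" '
        /^=+$/ || /^[[:space:]]*remote/ { next }   # skip separator and header
        $1 ~ /^\*/ {                              # selected system peer
            off = $7; if (off < 0) off = -off     # |offset|, column 7, seconds
            if ($5 == "377" && off <= max) ok = 1 # reach is column 5
        }
        END { exit ok ? 0 : 1 }'
}

# Peer table as printed by "ntpdc -p localhost" above (sample taken from the post).
PEERS_SYNCED='     remote           local      st poll reach  delay   offset    disp
=======================================================================
=kgb.comnet.bg   83.228.93.76     2   64  377 0.00284 -0.043157 0.06184
=billing.easy-la 83.228.93.76     2   64  377 0.01059 -0.042648 0.05811
*ns2.novatelbg.n 83.228.93.76     2   64  377 0.00996 -0.041097 0.06094'

# Constructed table for a freshly started ntpd: peer selected, only 3 polls answered.
PEERS_STARTING='     remote           local      st poll reach  delay   offset    disp
=======================================================================
*ns2.novatelbg.n 83.228.93.76     2   64    7 0.00996 -0.041097 0.06094'

check() {   # usage: check "<peer table>" <label>
    if printf '%s\n' "$1" | ntp_healthy; then echo "$2: in sync"; else echo "$2: NOT in sync"; fi
}
check "$PEERS_SYNCED" synced
check "$PEERS_STARTING" starting
```

On the server itself the same check is `ntpdc -p localhost | ntp_healthy || alert`, which is what a cron job or monitoring agent would run.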
ntpdc has plenty of other ntpd query options, e.g.:
ntpdc> help
ntpdc commands:
addpeer controlkey fudge keytype quit timeout
addrefclock ctlstats help listpeers readkeys timerstats
addserver debug host loopinfo requestkey traps
addtrap delay hostnames memstats reset trustedkey
authinfo delrestrict ifreload monlist reslist unconfig
broadcast disable ifstats passwd restrict unrestrict
clkbug dmpeers iostats peers showpeer untrustedkey
clockstat enable kerninfo preset sysinfo version
clrtrap exit keyid pstats sysstats
ntpdc is an advanced query tool for ntpd servers. Another tool, ntpq, exists whose syntax is almost identical to ntpdc. The main difference between the two is that ntpq is mostly used just for monitoring purposes, whereas ntpdc can also change plenty of things in the server configuration.
For people who want to learn more about ntpd, the man page is great reading, containing chapters describing thoroughly exactly how NTP time servers operate.