mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-21 16:32:25 +01:00
9f5b5f5a4d
Our previous ntp.conf file configured 3 servers from freebsd.pool.ntp.org using 3 separate 'server' config lines. That is now replaced with a single 'pool' line which causes ntpd to add multiple servers from the pool. More than just making the config smaller, the pool feature in ntpd has one major advantage over configuring 3 separate servers from a pool: if a server that was added using a 'pool' statement provides bad time (initially or at some later date), ntpd automatically discards it and configures a new different server from the pool without needing to be restarted. These changes also add a 'tos' line to control how many pool servers get added, a 'restrict source' line that is required to allow ntpd to add new peers from the pool, and it deletes a 'restrict 127.127.1.0' line that does nothing and should never have been there (127.127.1.0 is not a valid IP address, it's a refclock identifier). Differential Revision: https://reviews.freebsd.org/D9011
107 lines
3.9 KiB
Plaintext
107 lines
3.9 KiB
Plaintext
#
|
|
# $FreeBSD$
|
|
#
|
|
# Default NTP servers for the FreeBSD operating system.
|
|
#
|
|
# Don't forget to enable ntpd in /etc/rc.conf with:
|
|
# ntpd_enable="YES"
|
|
#
|
|
# The driftfile is by default /var/db/ntpd.drift, check
|
|
# /etc/defaults/rc.conf on how to change the location.
|
|
#
|
|
|
|
#
|
|
# Set the target and limit for adding servers configured via pool statements
|
|
# or discovered dynamically via mechanisms such as broadcast and manycast.
|
|
# Ntpd automatically adds maxclock-1 servers from configured pools, and may
|
|
# add as many as maxclock*2 if necessary to ensure that at least minclock
|
|
# servers are providing good consistant time.
|
|
#
|
|
tos minclock 3 maxclock 6
|
|
|
|
#
|
|
# The following pool statement will give you a random set of NTP servers
|
|
# geographically close to you. A single pool statement adds multiple
|
|
# servers from the pool, according to the tos minclock/maxclock targets.
|
|
# See http://www.pool.ntp.org/ for details. Note, pool.ntp.org encourages
|
|
# users with a static IP and good upstream NTP servers to add a server
|
|
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
|
|
#
|
|
# The option `iburst' is used for faster initial synchronization.
|
|
#
|
|
pool 0.freebsd.pool.ntp.org iburst
|
|
|
|
#
|
|
# If you want to pick yourself which country's public NTP server
|
|
# you want to sync against, comment out the above pool, uncomment
|
|
# the next one, and replace CC with the country's abbreviation.
|
|
# Make sure that the hostname resolves to a proper IP address!
|
|
#
|
|
# pool 0.CC.pool.ntp.org iburst
|
|
|
|
#
|
|
# To configure a specific server, such as an organization-wide local
|
|
# server, add lines similar to the following. One or more specific
|
|
# servers can be configured in addition to, or instead of, any server
|
|
# pools specified above. When both are configured, ntpd first adds all
|
|
# the specific servers, then adds servers from the pool until the tos
|
|
# minclock/maxclock targets are met.
|
|
#
|
|
#server time.my-internal.org iburst
|
|
|
|
#
|
|
# Security:
|
|
#
|
|
# By default, only allow time queries and block all other requests
|
|
# from unauthenticated clients.
|
|
#
|
|
# The "restrict source" line allows peers to be mobilized when added by
|
|
# ntpd from a pool, but does not enable mobilizing a new peer association
|
|
# by other dynamic means (broadcast, manycast, ntpq commands, etc).
|
|
#
|
|
# See http://support.ntp.org/bin/view/Support/AccessRestrictions
|
|
# for more information.
|
|
#
|
|
restrict default limited kod nomodify notrap noquery nopeer
|
|
restrict -6 default limited kod nomodify notrap noquery nopeer
|
|
restrict source limited kod nomodify notrap noquery
|
|
|
|
#
|
|
# Alternatively, the following rules would block all unauthorized access.
|
|
#
|
|
#restrict default ignore
|
|
#restrict -6 default ignore
|
|
#
|
|
# In this case, all remote NTP time servers also need to be explicitly
|
|
# allowed or they would not be able to exchange time information with
|
|
# this server.
|
|
#
|
|
# Please note that this example doesn't work for the servers in
|
|
# the pool.ntp.org domain since they return multiple A records.
|
|
#
|
|
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
|
|
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
|
|
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
|
|
#
|
|
# The following settings allow unrestricted access from the localhost
|
|
restrict 127.0.0.1
|
|
restrict -6 ::1
|
|
|
|
#
|
|
# If a server loses sync with all upstream servers, NTP clients
|
|
# no longer follow that server. The local clock can be configured
|
|
# to provide a time source when this happens, but it should usually
|
|
# be configured on just one server on a network. For more details see
|
|
# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
|
|
# The use of Orphan Mode may be preferable.
|
|
#
|
|
#server 127.127.1.0
|
|
#fudge 127.127.1.0 stratum 10
|
|
|
|
# See http://support.ntp.org/bin/view/Support/ConfiguringNTP#Section_6.14.
|
|
# for documentation regarding leapfile. Updates to the file can be obtained
|
|
# from ftp://time.nist.gov/pub/ or ftp://tycho.usno.navy.mil/pub/ntp/.
|
|
# Use either leapfile in /etc/ntp or weekly updated leapfile in /var/db.
|
|
#leapfile "/etc/ntp/leap-seconds"
|
|
leapfile "/var/db/ntpd.leap-seconds.list"
|