Update ntp.conf to use the ntpd pool feature.

Our previous ntp.conf file configured 3 servers from freebsd.pool.ntp.org
using 3 separate 'server' config lines.  That is now replaced with a single
'pool' line which causes ntpd to add multiple servers from the pool.

More than just making the config smaller, the pool feature in ntpd has one
major advantage over configuring 3 separate servers from a pool: if a server
that was added using a 'pool' statement provides bad time (initially or at
some later date), ntpd automatically discards it and configures a new
different server from the pool without needing to be restarted.

These changes also add a 'tos' line to control how many pool servers get
added, a 'restrict source' line that is required to allow ntpd to add new
peers from the pool, and it deletes a 'restrict 127.127.1.0' line that does
nothing and should never have been there (127.127.1.0 is not a valid IP
address, it's a refclock identifier).

Differential Revision:	https://reviews.freebsd.org/D9011
This commit is contained in:
Ian Lepore 2017-01-02 15:19:22 +00:00
parent 3795066839
commit 9f5b5f5a4d

View File

@ -11,28 +11,43 @@
#
#
# The following three servers will give you a random set of three
# NTP servers geographically close to you.
# See http://www.pool.ntp.org/ for details. Note, the pool encourages
# Set the target and limit for adding servers configured via pool statements
# or discovered dynamically via mechanisms such as broadcast and manycast.
# Ntpd automatically adds maxclock-1 servers from configured pools, and may
# add as many as maxclock*2 if necessary to ensure that at least minclock
# servers are providing good consistant time.
#
tos minclock 3 maxclock 6
#
# The following pool statement will give you a random set of NTP servers
# geographically close to you. A single pool statement adds multiple
# servers from the pool, according to the tos minclock/maxclock targets.
# See http://www.pool.ntp.org/ for details. Note, pool.ntp.org encourages
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
#
# The option `iburst' is used for faster initial synchronization.
#
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
server 2.freebsd.pool.ntp.org iburst
#server 3.freebsd.pool.ntp.org iburst
pool 0.freebsd.pool.ntp.org iburst
#
# If you want to pick yourself which country's public NTP server
# you want sync against, comment out the above servers, uncomment
# the next ones and replace CC with the country's abbreviation.
# Make sure that the hostnames resolve to a proper IP address!
# you want to sync against, comment out the above pool, uncomment
# the next one, and replace CC with the country's abbreviation.
# Make sure that the hostname resolves to a proper IP address!
#
# server 0.CC.pool.ntp.org iburst
# server 1.CC.pool.ntp.org iburst
# server 2.CC.pool.ntp.org iburst
# pool 0.CC.pool.ntp.org iburst
#
# To configure a specific server, such as an organization-wide local
# server, add lines similar to the following. One or more specific
# servers can be configured in addition to, or instead of, any server
# pools specified above. When both are configured, ntpd first adds all
# the specific servers, then adds servers from the pool until the tos
# minclock/maxclock targets are met.
#
#server time.my-internal.org iburst
#
# Security:
@ -40,11 +55,17 @@ server 2.freebsd.pool.ntp.org iburst
# By default, only allow time queries and block all other requests
# from unauthenticated clients.
#
# The "restrict source" line allows peers to be mobilized when added by
# ntpd from a pool, but does not enable mobilizing a new peer association
# by other dynamic means (broadcast, manycast, ntpq commands, etc).
#
# See http://support.ntp.org/bin/view/Support/AccessRestrictions
# for more information.
#
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
restrict default limited kod nomodify notrap noquery nopeer
restrict -6 default limited kod nomodify notrap noquery nopeer
restrict source limited kod nomodify notrap noquery
#
# Alternatively, the following rules would block all unauthorized access.
#
@ -65,7 +86,6 @@ restrict -6 default limited kod nomodify notrap nopeer noquery
# The following settings allow unrestricted access from the localhost
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
#
# If a server loses sync with all upstream servers, NTP clients