[CLUE-Tech] NTP Questions
Ed Hill
ed at eh3.com
Sat Jan 12 13:36:35 MST 2002
On Sat, 2002-01-12 at 12:00, Jeremiah Stanley wrote:
> > So after some research, it turned out that (1) more-aggressive firewall
> > rules (RH 7.2 default) were blocking the ntp protocol and (2) some of
> > the ntp servers that I was using have changed their policies so they
> > would not respond. I added the following to /etc/sysconfig/ipchains:
> >
> > # Add ntp-protocol client support
> > -A output -j ACCEPT -p udp -d 0/0 ntp
> > -A input -j ACCEPT -p udp -s 0/0 ntp
> >
> > and then added open-access (stratum 2) clock servers from www.ntp.org to
> > /etc/ntp.conf and it seems to be working just fine now.
> >
> > Hope someone else finds this info useful...
>
> Could you post your config file for us to take a look at as well?
Here's my /etc/ntp.conf, and all I did was comment out the local clock and
add the utcnist.colorado.edu entry (which has an open usage policy for
anyone inside CO). The other commented-out servers are reasonably
nearby and also have open access policies.
I do *not* claim to understand the use of ntp keys and SSL auth, etc.
There may be security or other problems with this config file and I'd be
happy to be corrected. I think it'd be cool if someone could give a quick
ntp-howto (covering security issues) talk at an upcoming meeting...
Ed
=== BEGIN ===
#This file was generated by dateconfig
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
# server 127.127.1.0 # local clock
# fudge 127.127.1.0 stratum 10
server utcnist.colorado.edu
# navobs1.usnogps.navy.mil
# server clock1.unc.edu
# tick.cs.unlv.edu
# tock.cs.unlv.edu
# ntp1.cs.wisc.edu
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /etc/ntp/drift
multicastclient # listen on default 224.0.1.1
broadcastdelay 0.008
#
# Authentication delay. If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
authenticate no
#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
#keys /etc/ntp/keys
=== END ===
--
Edward H. Hill III, PhD
Post-Doctoral Researcher | Email: ed at eh3.com, ehill at mines.edu
Division of ESE | URL: http://www.eh3.com
Colorado School of Mines | Phone: 303-273-3483
Golden, CO 80401 | Fax: 303-273-3311
GnuPG Key ID: 1E76F123 | Public key: http://www.eh3.com/eh3.gpg
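Ed asks about security problems in the posted config. As an added example (not from the post or from the ntp project), here is a small checker that reads an ntp.conf and flags the gaps a defender would look for in this one: a multicast listener with authentication switched off, no `restrict` access rules, and a single time source. ED_NTP_CONF reproduces the live lines of the posted file; HARDENED is a constructed variant used only to show the checker passing.

```python
# Added example (not from the post or the ntp project): lint an ntp.conf for
# access-control gaps. ED_NTP_CONF reproduces the posted config's live lines;
# HARDENED is a constructed variant. Directive names are classic ntpd syntax.
ED_NTP_CONF = """\
server utcnist.colorado.edu
driftfile /etc/ntp/drift
multicastclient # listen on default 224.0.1.1
broadcastdelay 0.008
authenticate no
#keys /etc/ntp/keys
"""
# Constructed counter-example: several sources, default access locked down,
# no unauthenticated multicast/broadcast listener.
HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server utcnist.colorado.edu
server clock1.unc.edu
server ntp1.cs.wisc.edu
driftfile /etc/ntp/drift
"""

def parse(text):
    """Yield (directive, args) per line, dropping '#' comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = line.split()
            yield words[0].lower(), words[1:]

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = list(parse(text))
    directives = {d for d, _ in lines}
    findings = []
    # ntpd trusts any multicast/broadcast sender unless authentication is on.
    auth_on = any(d == "authenticate" and a[:1] == ["yes"] for d, a in lines)
    if directives & {"multicastclient", "broadcastclient"} and not auth_on:
        findings.append("multicast/broadcast client without authentication: "
                        "any host on the LAN can feed the clock")
    # With no restrict lines ntpd answers queries and control requests from anyone.
    if "restrict" not in directives:
        findings.append("no restrict lines: ntpd answers any remote host")
    # A single source gives the daemon nothing to cross-check it against.
    sources = sum(1 for d, _ in lines if d in ("server", "peer", "pool"))
    if sources < 3:
        findings.append(f"only {sources} time source(s); use several to outvote a bad one")
    return findings
```

Running `audit_ntp_conf(ED_NTP_CONF)` returns three findings for the posted file, while the constructed HARDENED variant returns none.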