# [solved] don't understand ntp.conf

## dpaddy

To have time on my machine be continuously updated, I want to run ntpd (from net-misc/ntp).

My understanding is that running ntpd will make my machine a time server as well as a time client   :Confused: 

/etc/ntp.conf (from net-misc/ntp) sez

```
# Warning: Using default NTP settings will leave your NTP
# server accessible to all hosts on the Internet.
```

Wanting to avoid that,  I uncomment like so

```
# If you want to deny all machines (including your own)
# from accessing the NTP server, uncomment:
restrict default ignore
```

I suppose the comment "(including your own)" implies that if I run ntpd , then my time won't be set or maintained.   :Shocked: 

How to be a client -- so that time can be set and maintained -- without also being a server  :Question: 

My (bleary-eyed) reading of tfm suggests (to my befuddled mind) that: 

leaving things uncommented as above and adding "restrict <my ip address>" to the end of /etc/ntp.conf

```
ifconfig | sed -ne 's/.*inet \([.0-9]*\).*broadcast.*/restrict \1\n/p' >> /etc/ntp.conf 
```

will restore to my machine access to external ntp services but prevent others from accessing my ntpd server. I thought I tried that and I thought it didn't work...  

Should it have worked, and what is the recommended way to be a client -- so that time can be set and maintained -- without also being a server  :Question: 

Last edited by dpaddy on Fri Apr 14, 2017 4:46 pm; edited 1 time in total

----------

## Roman_Gruber

 *Quote:*   

> ntpd can operate in any of several modes, including symmetric active/passive, client/server broadcast/multicast and manycast, as described in the Association Management page. 

 

http://doc.ntp.org/4.1.0/assoc.htm

just for information => https://wiki.gentoo.org/wiki/Ntp

----------

## Roman_Gruber

```
cat /etc/ntp.conf
```

 *Quote:*   

> # To allow machines within your network to synchronize
> # their clocks with your server, but ensure they are
> # not allowed to configure the server or used as peers
> ...

 

--

```
ASUS-G75VW roman # qlist -Iv ntp
net-misc/ntp-4.2.8_p10
```

My use case is just a single box. I suggest that you set it up to the external ntp servers. ofc I pointed out above some starting points to get it done.

----------

## dpaddy

I don't grok... 

My (perhaps mistaken) understanding is that the modes are not mutually exclusive, moreover 

```
# Pools for Gentoo users
server 0.gentoo.pool.ntp.org
server 1.gentoo.pool.ntp.org
server 2.gentoo.pool.ntp.org
server 3.gentoo.pool.ntp.org
```

 makes my machine a client, whereas by default -- and unless some extra configuration steps are followed -- my machine will simultaneously be a server   :Shocked: 

----------

## Roman_Gruber

 *Quote:*   

> # If you want to deny all machines (including your own)
> # from accessing the NTP server, uncomment:
> #restrict default ignore
> ...

 

Without looking further

restrict ... 

I am quite sure that the restrict statement is well documented

--

we are here to give you a hint

When you want to know how it works, read the docs, read the manpage, read the code of the package please.

those example config files may be correct or maybe not, they are just a starting point.

----------

## dpaddy

My (perhaps mistaken) understanding is that *Quote:*   

> # Pools for Gentoo users
> server 0.gentoo.pool.ntp.org
> server 1.gentoo.pool.ntp.org
> ...

  makes my machine a client (of the listed servers), and my machine will continue to be -- unless some other configuration steps are made -- a time server   :Shocked: 

The following *Quote:*   

> # To allow machines within your network to synchronize
> # their clocks with your server, but ensure they are
> # not allowed to configure the server or used as peers
> ...

  is not necessarily about allowing (unless the rule takes precedence over more restrictive rules which would disallow what it does not), but is about restricting the actions that machines in the network 192.168.0.* may perform   :Shocked: 

My initial conjecture in my initial post was an attempt to put the rule "restrict <my ip address>"  in place so that it could take precedence over "restrict default ignore" (since the default mask is 0.0.0.0 which has fewer ones than the implied mask 255.255.255.255 in "restrict <my ip address>") and thereby prevent my machine being denied access.

My (perhaps mistaken) understanding is that it is precisely such logic which is behind *Quote:*   

> # Default configuration:
> # - Allow only time queries, at a limited rate, sending KoD when in excess.
> # - Allow all local queries (IPv4, IPv6)
> ...

 

Should my initial conjecture have worked, and what is the recommended way to be a client -- so that time can be set and maintained -- without also being a server  :Question: 
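The precedence question in the post above (does a host-specific `restrict` line override `restrict default ignore`?) can be checked against a small model of ntpd's selection rule. The following is an added example, not code from the thread or from ntpd itself: ntpd applies the matching `restrict` entry with the longest mask, and restrictions are evaluated on every incoming packet, including replies from the servers you configured, which is why `restrict default ignore` on its own stops the clock from being set. The ntp.conf fragment and the 203.0.113.x / 198.51.100.x addresses (RFC 5737 documentation ranges) are constructed placeholders for resolved upstream servers; the model covers IPv4 only.

```shell
#!/bin/sh
# Added example (not ntpd's code): an IPv4 model of how ntpd decides which
# "restrict" line governs a packet's source address.  The entry with the
# longest mask wins, so "restrict 203.0.113.10" (implied mask
# 255.255.255.255) overrides "restrict default ignore" (mask 0.0.0.0).

# Constructed ntp.conf fragment: deny everything, then re-admit the two
# upstream servers, the LAN (with limited rights) and localhost.
NTP_CONF='
restrict default ignore
restrict 203.0.113.10
restrict 203.0.113.11
restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer noquery notrap
restrict 127.0.0.1
'

# ip2int 1.2.3.4 -> decimal 32-bit value
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# mask2len 255.255.255.0 -> 24  (restrict masks are contiguous, so counting bits suffices)
mask2len() {
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# restrict_lookup <conf text> <source ip>
# Prints "<network>/<prefixlen> <flags>" of the most specific matching line;
# "<none>" means the line carries no flags, i.e. the source gets full access.
restrict_lookup() {
    conf=$1; src=$(ip2int "$2")
    best_len=-1; best_rule=""
    while read -r kw addr rest; do
        [ "$kw" = restrict ] || continue             # skip blank lines and other directives
        case $addr in
            -6) continue ;;                           # IPv6 entries are not modelled here
            -4) set -- $rest; addr=$1; shift; rest=$* ;;
        esac
        mask=255.255.255.255                          # implied mask for a single host
        if [ "$addr" = default ]; then addr=0.0.0.0; mask=0.0.0.0; fi
        case $rest in
            "mask "*) set -- $rest; mask=$2; shift 2; rest=$* ;;
        esac
        len=$(mask2len "$mask"); m=$(ip2int "$mask")
        if [ $(( src & m )) -eq $(( $(ip2int "$addr") & m )) ] && [ "$len" -gt "$best_len" ]; then
            best_len=$len
            best_rule="$addr/$len ${rest:-<none>}"
        fi
    done <<EOF
$conf
EOF
    echo "$best_rule"
}

# Demonstration when run directly: the upstream server and localhost get
# through, the LAN gets the limited rule, an arbitrary Internet host is ignored.
for ip in 203.0.113.10 127.0.0.1 192.168.0.42 198.51.100.7; do
    printf '%-15s -> %s\n' "$ip" "$(restrict_lookup "$NTP_CONF" "$ip")"
done
```

Two practical notes on top of the model. A host line that admits an upstream server can still carry `nomodify notrap noquery`, since a server only has to deliver time replies and has no business querying or reconfiguring your daemon through ntpq. And ntpd 4.2.8 (the version on this thread) also accepts `restrict source <flags>`, which applies a template restriction to each resolved server address automatically, so the per-IP lines need not be regenerated by hand with the ifconfig/sed approach from the first post; the thread does not mention that directive.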

----------

## Sadako

Perhaps net-misc/openntpd would be a better alternative for you?

Smaller, supposedly more secure codebase, and includes the following option in the config file;

```
# Addresses to listen on (ntpd does not listen by default)
#listen on *
```

Meaning by default it does NOT function as a server as well as a client.

net-misc/ntp may very well support the exact same option, grep /etc/ntp.conf for listen?

----------

## khayyam

 *dpaddy wrote:*   

> Should my initial conjecture have worked, and what is the recommended way to be a client -- so that time can be set and maintained -- without also being a server :?:

 

dpaddy ... under such circumstances all the tools are there for you to check if that conjecture is correct or not:

```
# netstat -tlnp
```

... and otherwise, you should switch to net-misc/openntpd which has the explicit directive "listen". You should also take this thread as an object lesson on the sort of advice Roman_Gruber is likely to supply.

best ... khay
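The socket check suggested above is the right instinct, with one detail worth knowing: NTP is UDP/123, so `netstat -tlnp` (TCP listeners only) never shows ntpd at all; `netstat -ulnp` or `ss -ulnp` does. The following is an added example, not from the thread, that runs that check over a constructed `netstat -ulnp` listing (the PIDs and the 192.168.0.5 address are made up) and reports the port-123 sockets a remote host could reach. The reference ntpd from net-misc/ntp binds UDP 123 on every address unless `interface` directives say otherwise, so a bound socket on its own only tells you that queries can arrive; whether they are answered is decided by the `restrict` lines in /etc/ntp.conf.

```shell
#!/bin/sh
# Added example (not from the thread): list the UDP/123 sockets that are
# reachable from the network, using "netstat -ulnp"-style output.

# Constructed sample of "netstat -ulnp" on a box running the reference ntpd
# with no "interface" directives (it binds the wildcard address as well as
# every configured address).  PIDs and 192.168.0.5 are made-up values.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:123             0.0.0.0:*                           4242/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           4242/ntpd
udp        0      0 192.168.0.5:123         0.0.0.0:*                           4242/ntpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1201/dhcpcd
udp6       0      0 ::1:123                 :::*                                4242/ntpd'

# exposed_ntp_sockets <netstat -ulnp output>
# Prints "proto address" for every UDP port-123 socket bound to something
# other than a loopback address, i.e. the sockets a remote host can send to.
exposed_ntp_sockets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^udp6?$/ && $4 ~ /:123$/ {
            addr = $4; sub(/:123$/, "", addr)
            if (addr == "127.0.0.1" || addr == "::1") next
            print $1, addr
        }'
}

# ntp_is_client_only <netstat -ulnp output>
# Exit status 0 when no port-123 socket is reachable from the network
# (the state openntpd is in without a "listen on" line), 1 otherwise.
ntp_is_client_only() {
    [ -z "$(exposed_ntp_sockets "$1")" ]
}

# Demonstration on the constructed listing; on a live box use
#   exposed_ntp_sockets "$(netstat -ulnp)"   (run as root to see program names)
exposed_ntp_sockets "$SAMPLE_NETSTAT"
```

Pair this with the `restrict` lines: a daemon that shows up here but answers every external address with `ignore` (or `kod nomodify notrap nopeer noquery`) is still not serving time to the Internet, whereas a daemon with the shipped defaults and a bound wildcard socket is.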

----------

## dpaddy

I was fishing for "what am I missing" or "what is the recommended configuration approach", because I wanted to sharpen my understanding more than get X to work...

Thanx for all the comments, and I'll experiment with netstat   :Wink: 

----------

## The Main Man

Hm, I don't get it, I guess you're not starting ntp-client at boot but ntpd instead.

I mean I guess that's what you want, to just use the client and not the server.

Anyway, in my case with ntp-client the server is not started and the clock is syncing, while with ntpd the server is started (the clock is syncing too) but the machine is listening on port 123.

----------

## khayyam

 *kajzer wrote:*   

> Hm, I don't get it, I guess you're not starting ntp-client at boot but ntpd instead. I mean I guess that's what you want, to just use the client and not the server. Anyway, in my case with ntp-client server is not started and clock is syncing while with ntpd server is started (clock is syncing too) but the machine is listening on port 123

 

kajzer ... ntp-client from net-misc/ntp is just a one time script to get the clock set before ntpd starts (because ntpd will baulk if the time skew is substantial), it won't then keep the clock in sync with the ntp servers/pool. So, it's not running ntpd as a 'client' (meaning, non-serving ntpd), it runs once, sets the clock (if the ntpd server/pool can be reached), and then exits.

best ... khay

----------

## The Main Man

Oh I see now, thanks for clarification.

That actually might be good as well (in my case), if clock is bad on boot it gets synced, or it can be run manually and it will sync.

Though running ntpd with disabled server would be even better  :Smile: 

----------

## khayyam

 *kajzer wrote:*   

> Oh I see now, thanks for clarification. That actually might be good as well (in my case), if clock is bad on boot it gets synced, or it can be run manually and it will sync.

 

kajzer ... you're welcome. Sure, and if you have, say, a laptop that reconnects often then that would work out fine. If the machine is up and connected for months at a time then ntpd (of some sort) would be the better option. 

 *kajzer wrote:*   

> Though running ntpd with disabled server would be even better :)

 

Well, you can:

```
% su -
# for i in ntp{d,-client} ; do rc-update del $i default ; done
# emerge --unmerge net-misc/ntp
# rm -f /etc/{ntpd.conf,{conf.d,init.d}/ntp{d,-client}}
# emerge net-misc/openntpd
# rc-update add ntpd default
# /etc/init.d/ntpd start
# netstat -tlnp
# netstat -aple | grep ntp
```

You might also use net-misc/ntpclient in place of net-misc/openntpd

best ... khay

----------

## The Main Man

khayyam, interestingly enough I did a new gentoo installation and decided to emerge ntp and use ntp-client on boot, like I did on previous install.

For some reason it didn't want to start on boot, in log I found this error :

```
ntpdate[2938]: name server cannot be used: Temporary failure in name resolution (-3)
/etc/init.d/ntp-client[2920]: ERROR: ntp-client failed to start
```

I'm guessing that's because dhcpd was starting after ntp-client (both dhcpd and ntp-client are on default runlevel), starting the service after boot manually worked fine and clock was adjusting.

I could have played with that and most likely solved it but I went with openntpd instead and that one works just great, no issues at all, plus it's not acting as a server hence it's not showing with netstat  :Smile: 

----------

## khayyam

 *kajzer wrote:*   

> I'm guessing that's because dhcpd was starting after ntp-client (both dhcpd and ntp-client are on default runlevel), starting the service after boot manually worked fine and clock was adjusting. I could have played with that and most likely solved it but I went with openntpd instead and that one works just great, no issues at all, plus it's not acting as a server hence it's not showing with netstat :)

 

kajzer ... yeah, because openntpd will daemonise and so continue to attempt to contact the ntp server/pool, whereas ntp-client runs (ntpdate) once, fails, and exits. You could probably make ntp-client behave by adding the following to /etc/rc.conf or /etc/conf.d/ntp-client

```
rc_dhcpcd_before="ntp-client"
```

or perhaps have it run last (so as to give dhcpcd some time)

```
rc_after="local"
```

... but I guess there is no need in this case.

best ... khay

----------

## The Main Man

Yeah, no need in this case, but good to know when something similar happens in the future. Wasn't aware of rc_after and rc_before, good stuff!

----------

