# $NetBSD: ntp.conf,v 1.23 2021/10/28 07:24:40 kim Exp $
#
# NetBSD default Network Time Protocol (NTP) configuration file for ntpd

# This file is intended to be both a usable default, and a Quick-Start
# Guide. The directives and options listed here are not at all complete.
# A great deal of additional documentation, including links to FAQs and
# other guides, may be found on the official NTP web site, in particular
#
#	http://www.ntp.org/documentation.html

# Process ID file, so that the daemon can be signalled from scripts

pidfile		/var/run/ntpd.pid

# Don't give up even if the reference time is hugely different. This can
# happen if the system was suspended and resumed.

#tinker		panic 0

# The correction calculated by ntpd(8) for the local system clock's
# drift is stored here.

driftfile	/var/db/ntp.drift

# Suppress the syslog(3) message for each peer synchronization change.

logconfig	-syncstatus

# Refuse to set the local clock if there are too few good peers or servers.
# This may help minimize disruptions due to network congestion. Don't
# do this if you configure only one server!

tos		minsane 2

# Set the target and limit for adding servers configured via pool statements
# or discovered dynamically via mechanisms such as broadcast and manycast.
# Ntpd automatically adds maxclock-1 servers from configured pools, and may
# add as many as maxclock*2 if necessary to ensure that at least minclock
# servers are providing good consistent time.

tos		minclock 3 maxclock 6

# Set the number of tries to register with mdns. 0 means never

mdnstries	0

# New ntpd disables the ntpdc protocol by default, to re-enable uncomment
# the following line

#enable		mode7

# Allow hasty ntpdate clients to avoid rate limiting / kod responses.
# The default is 2 seconds between packets from the client.

#discard	minimum 1

# Access control restrictions.
# See /usr/share/doc/html/ntp/accopt.html for syntax.
# See <http://support.ntp.org/bin/view/Support/AccessRestrictions> for advice.
# Last match wins.
#
# Some of the more common keywords are:
#   ignore      Deny packets of all kinds.
#   limited     Deny time service if the packet violates the rate limits
#               established by the discard command. Does not affect ntpq or
#               ntpdc queries.
#   kod         Send "kiss-o'-death" packets if clients exceed rate limits.
#               No effect without the limited flag.
#   nomodify    Deny attempts to modify the state of the server via ntpq or
#               ntpdc queries.
#   noquery     Deny all ntpq and ntpdc queries. Does not affect time
#               synchronisation.
#   nopeer      Prevent establishing new peer associations.
#               Does not affect peers configured using "peer" lines.
#               Does not affect client/server time synchronisation.
#   noserve     Deny all time synchronisation. Does not affect ntpq or
#               ntpdc queries.
#   notrap      Deny the trap subset of the ntpdc control message protocol.
#   notrust     Deny packets that are not cryptographically authenticated.
#
# By default, allow client/server time exchange without prior
# arrangement, but deny configuration changes, queries, and peer
# associations that were not explicitly configured.

restrict default limited kod nomodify notrap nopeer noquery

# Restrictions used for associations (peer, server, pool).

restrict source nomodify notrap noquery

# Fewer restrictions for the local subnet.
# (Uncomment and adjust as appropriate.)

#restrict 192.0.2.0 mask 255.255.255.0 limited kod nomodify notrap nopeer
#restrict 2001:db8:: mask ffff:ffff:: limited kod nomodify notrap nopeer

# No restrictions for localhost.

restrict 127.0.0.1
restrict ::1

# Hereafter should be "server", "peer", or "pool" statements to configure
# other hosts to exchange NTP packets with.
#
# See <http://support.ntp.org/bin/view/Support/DesigningYourNTPNetwork>
# and <http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers>
# for advice.
#
# Peers or servers should be selected in such a way that the network
# path to them is short, uncongested, and symmetric (that is, the series
# of links and routers used to get to the peer is the same one that
# the peer uses to get back). The best place to start looking for NTP
# peers for your system is within your own network, or at your Internet
# Service Provider (ISP).
#
# Ideally, you should select at least three other systems to talk NTP
# with, for a "what I tell you three times is true" effect.

#peer		an.ntp.peer.goes.here iburst
#server		an.ntp.server.goes.here iburst

# The pool.ntp.org project coordinates public time servers provided by
# volunteers. See <http://www.pool.ntp.org>. The *.netbsd.pool.ntp.org
# servers are intended to be used by default on NetBSD hosts.
#
# The following pool statement will give you a random set of NTP servers
# geographically close to you. A single pool statement adds multiple
# servers from the pool, according to the tos minclock/maxclock targets.
# The "2" host is used to obtain both IPv4 and IPv6 addresses.
#
# The pool.ntp.org project needs more volunteers! The only criteria to
# join are a nailed-up connection and a static IP address. For details,
# see the web page <http://www.pool.ntp.org/join.html>

pool		2.netbsd.pool.ntp.org iburst
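A site-local ntp.conf can be checked for drift from the defaults in this file with a small audit script. The following is an added example, not part of the NetBSD tree: the function name `audit_ntp_conf`, the `BASELINE` set (copied from the `restrict default` line above) and both sample configurations are assumptions made for illustration. It covers the cases the comments call out: `kod` without `limited`, `enable mode7`, a weakened `restrict default`, and `tos minsane` with too few configured servers.

```python
BASELINE = {"limited", "kod", "nomodify", "notrap", "nopeer", "noquery"}

def audit_ntp_conf(text):
    """Return a list of findings (strings) for ntp.conf content."""
    findings, default_flags, minsane, sources, has_pool = [], None, 0, 0, False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        key, args = words[0], [w for w in words[1:] if w not in ("-4", "-6")]
        if key == "restrict" and args:
            flags = args[1:]
            if flags[:1] == ["mask"]:          # skip "mask <netmask>"
                flags = flags[2:]
            flags = set(flags)
            if "kod" in flags and "limited" not in flags:
                findings.append(f"restrict {args[0]}: kod has no effect without limited")
            if args[0] == "default":
                default_flags = flags
        elif key == "enable" and "mode7" in args:
            findings.append("enable mode7: ntpdc protocol is re-enabled")
        elif key == "tos":
            for name, value in zip(args[::2], args[1::2]):
                if name == "minsane":
                    minsane = int(value)
        elif key in ("server", "peer", "pool"):
            sources += 1
            has_pool = has_pool or key == "pool"
    if default_flags is None:
        findings.append("no 'restrict default' line")
    elif BASELINE - default_flags:
        findings.append("restrict default lacks: " + " ".join(sorted(BASELINE - default_flags)))
    # A pool line adds several servers; lone server/peer lines are counted one each.
    if not has_pool and sources < minsane:
        findings.append(f"tos minsane {minsane} with only {sources} server/peer line(s)")
    return findings

# Constructed sample inputs (the second mirrors the active lines of the file above).
WEAK = """enable mode7
tos minsane 2
restrict default kod nomodify
server ntp.example.net iburst
"""
SHIPPED = """tos minsane 2
restrict default limited kod nomodify notrap nopeer noquery
restrict source nomodify notrap noquery
pool 2.netbsd.pool.ntp.org iburst
"""
```

`audit_ntp_conf(WEAK)` returns four findings; `audit_ntp_conf(SHIPPED)` returns an empty list.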