Question
FreeBSD ntp can't connect to time server
I think the problem is IPv6 related.
Aug 3 23:42:26 theranch ntpd[720]: ntpd 4.2.4p5-a (1)
Aug 3 23:42:26 theranch ntpd[721]: bind() fd 22, family AF_INET6, port 123, scope 1, addr fe80::601:50ff:fe62:dd01, mcast=0 flags=0x11 fails: Can't assign requested address
Aug 3 23:42:26 theranch ntpd[721]: unable to create socket on vtnet0 (2) for fe80::601:50ff:fe62:dd01#123
Aug 3 23:42:27 theranch kernel: pid 747 (sshguard), uid 0: exited on signal 10 (core dumped)
Aug 3 23:42:27 theranch ntpd[721]: bind() fd 27, family AF_INET6, port 123, scope 1, addr fe80::601:50ff:fe62:dd01, mcast=0 flags=0x11 fails: Can't assign requested address
Aug 3 23:42:27 theranch ntpd[721]: unable to create socket on vtnet0 (7) for fe80::601:50ff:fe62:dd01#123
NTP is working fine on my FreeBSD droplet.
Could you post your /etc/ntp.conf? What is the output of ntpq -p? Do you have a firewall running?
Well this is weird. My reply didn’t show up. Here we go again.
It looks like I am connected. The UK server doesn’t make much sense for San Francisco use, but that is something to change later.
ntpq -p
==============================================================================
+ntp1.adacor.com 130.133.1.10 2 u 826 1024 377 168.683 -3.409 6.231
+log1.nierle.com 235.106.237.243 3 u 558 1024 377 160.756 1.594 1.845
*ns0.luns.net.uk 33.117.170.50 2 u 556 1024 377 142.496 1.270 0.168
I added the “-4”, but otherwise stock.
cat ntp.conf
# $FreeBSD: releng/10.1/etc/ntp.conf 259974 2013-12-27 23:09:40Z delphij $
# Default NTP servers for the FreeBSD operating system.
# Don't forget to enable ntpd in /etc/rc.conf with:
# ntpd_enable="YES"
# The driftfile is by default /var/db/ntpd.drift, check
# /etc/defaults/rc.conf on how to change the location.
# The following three servers will give you a random set of three
# NTP servers geographically close to you.
# See http://www.pool.ntp.org/ for details. Note, the pool encourages
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
# The option `iburst' is used for faster initial synchronization.
server -4 0.freebsd.pool.ntp.org iburst
server -4 1.freebsd.pool.ntp.org iburst
server -4 2.freebsd.pool.ntp.org iburst
server -4 3.freebsd.pool.ntp.org iburst
# If you want to pick yourself which country's public NTP server
# you want sync against, comment out the above servers, uncomment
# the next ones and replace CC with the country's abbreviation.
# Make sure that the hostnames resolve to a proper IP address!
# server 0.CC.pool.ntp.org iburst
# server 1.CC.pool.ntp.org iburst
# server 2.CC.pool.ntp.org iburst
# Security:
# By default, only allow time queries and block all other requests
# from unauthenticated clients.
# See http://support.ntp.org/bin/view/Support/AccessRestrictions
# for more information.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Alternatively, the following rules would block all unauthorized access.
#restrict default ignore
#restrict -6 default ignore
# In this case, all remote NTP time servers also need to be explicitly
# allowed or they would not be able to exchange time information with
# this server.
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
# The following settings allow unrestricted access from the localhost
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
# If a server loses sync with all upstream servers, NTP clients
# no longer follow that server. The local clock can be configured
# to provide a time source when this happens, but it should usually
# be configured on just one server on a network. For more details see
# http://support.ntp.org/bin/view/Support/UndisciplinedLocalClock
# The use of Orphan Mode may be preferable.
server 127.127.1.0
fudge 127.127.1.0 stratum 10
======================
Firewall is ipfw.
ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 check-state
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state
01400 allow udp from me to any keep-state
01500 allow icmp from me to any keep-state
01600 allow ipv6-icmp from me to any keep-state
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
01800 allow udp from any 67 to me dst-port 68 in
01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
02000 allow udp from fe80::/10 to me dst-port 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any ip6 icmp6types 3
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 443
02700 allow tcp from any to me dst-port 80
02800 allow tcp from any to me dst-port 500
02900 allow tcp from any to me dst-port 4500
65000 count ip from any to any
65100 allow log udp from any to any dst-port 500 keep-state
65200 allow log udp from any 500 to any keep-state
65300 allow log udp from any to any dst-port 4500 keep-state
65400 allow log udp from any 4500 to any keep-state
65500 deny { tcp or udp } from any to any dst-port 135-139,445 in
65500 deny { tcp or udp } from any to any dst-port 1026,1027 in
65500 deny { tcp or udp } from any to any dst-port 1433,1434 in
65500 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any dst-port 520 in
65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any
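
An added example, not part of the thread above and not FreeBSD's or the NTP project's own code: a small audit of the "Security" section of the posted ntp.conf, checking that both the IPv4 and the -6 default restrict entries carry nomodify, notrap, nopeer and noquery. It assumes the two address families are configured separately, as in the posted file; the function names and the sample text are constructed for illustration.

```python
# Flags the posted config applies to unauthenticated clients by default.
REQUIRED = {"nomodify", "notrap", "nopeer", "noquery"}

# Constructed sample: active lines from the config posted above, plus a
# commented-out alternative that the parser must skip.
SAMPLE_CONF = """\
# The option `iburst' is used for faster initial synchronization.
server -4 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
#restrict default ignore
restrict 127.0.0.1
restrict -6 ::1
"""

def default_restrictions(conf_text):
    """Return {"ipv4": flags, "ipv6": flags} for 'restrict ... default' lines only."""
    found = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        family, rest = "ipv4", tokens[1:]
        if rest[0] in ("-4", "-6"):             # optional address-family qualifier
            family = "ipv6" if rest[0] == "-6" else "ipv4"
            rest = rest[1:]
        if rest and rest[0] == "default":
            found.setdefault(family, set()).update(rest[1:])
    return found

def audit(conf_text):
    """Return a list of findings; an empty list means both defaults are locked down."""
    found = default_restrictions(conf_text)
    findings = []
    for family in ("ipv4", "ipv6"):
        flags = found.get(family)
        if flags is None:
            findings.append(f"{family}: no 'restrict default' entry")
        elif "ignore" not in flags:             # 'ignore' drops every packet
            missing = sorted(REQUIRED - flags)
            if missing:
                findings.append(f"{family}: default entry lacks {' '.join(missing)}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["default restrictions OK for ipv4 and ipv6"]:
        print(line)
```
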