set up NTP - NTP


Thread: set up NTP

  1. set up NTP

    Hello,

    I have 2 Solaris 10 servers and want them to be the office's NTP servers.

    I understood that there are what we call stratum servers.

    What should I install on my servers?

    thank you

  2. Re: set up NTP

    Melanie Pfefer wrote:
    > Hello,
    >
    > I have 2 Solaris 10 servers and want them to be the office's NTP servers.
    >
    > I understood that there are what we call stratum servers.
    >
    > What should I install on my servers?
    >
    > thank you


    Solaris ships with an ANCIENT version of ntpd. You can use that if you
    wish. You can also download the source for the latest version and build
    it. The newer version offers more features, maybe some fixes.

    You will need to create a configuration file that tells ntpd which
    servers to use, whether or not to insist on cryptographic
    authentication, and a bunch of other fun stuff.

    The expression "stratum servers" is not, AFAIK, used anywhere in the NTP
    world. Each system running ntpd operates at a particular stratum.
    Stratum one servers have a direct connection to an atomic clock.
    Stratum two servers get time from stratum one servers, stratum three
    from stratum two and so on. Stratum is best understood as the number of
    "hops" from the atomic clock at the root of the tree to your system.

    Stratum has little or nothing to do with accuracy; the last NTP survey
    found a server claiming to be stratum one that didn't even have the
    correct year!
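
Added example, not part of any post in this thread: a Python sketch of the point in the reply above that stratum counts hops and says nothing about accuracy. It parses the 48-byte NTP header from constructed server replies and flags the server whose clock disagrees with the rest; the server names, timestamps and 1-second threshold are assumptions.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_reply(stratum, unix_time, refid):
    """Build a 48-byte NTP server reply; used only to make sample data."""
    first = (0 << 6) | (4 << 3) | 4  # leap=0, version=4, mode=4 (server)
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    # flags, stratum, poll, precision, root delay, root dispersion, reference ID
    header = struct.pack("!BBbbII4s", first, stratum, 6, -20, 0, 0, refid)
    # reference, origin, receive, transmit timestamps as (seconds, fraction)
    return header + struct.pack("!8I", secs, 0, 0, 0, secs, 0, secs, 0)

def parse_reply(packet):
    """Extract the fields of interest from an NTP server reply."""
    if len(packet) < 48:
        raise ValueError("an NTP header is 48 bytes")
    first, stratum = packet[0], packet[1]
    if (first & 0x7) != 4:
        raise ValueError("not a mode 4 (server) packet")
    tx_secs, tx_frac = struct.unpack("!II", packet[40:48])
    return {
        "version": (first >> 3) & 0x7,
        "stratum": stratum,  # hops from the reference clock, not a quality score
        "time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }

def outliers(replies, max_skew=1.0):
    """Names of servers more than max_skew seconds away from the median time."""
    times = sorted(r["time"] for r in replies.values())
    median = times[len(times) // 2]
    return sorted(n for n, r in replies.items() if abs(r["time"] - median) > max_skew)

# Constructed sample data: hypothetical server names and timestamps.
T = 1226227755
REPLIES = {
    "gps-a": parse_reply(build_reply(1, T, b"GPS\0")),
    "peer-b": parse_reply(build_reply(2, T, bytes([192, 0, 2, 10]))),
    "bad-s1": parse_reply(build_reply(1, T - 365 * 86400, b"GPS\0")),
}

if __name__ == "__main__":
    for name, r in REPLIES.items():
        print(name, "stratum", r["stratum"], "time", r["time"])
    print("disagrees with the others:", outliers(REPLIES))
```

The server named bad-s1 claims stratum 1 yet is a year off, so it is the one reported; comparing several sources is what exposes it, not the stratum field.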

  3. Re: set up NTP

    On 2008-11-05, Melanie Pfefer wrote:

    > I have 2 Solaris 10 servers and want them to be the office's NTP servers.
    >
    > I understood that there are what we call stratum servers.
    >
    > What should I install on my servers?


    NTP

    http://www.ntp.org/downloads.html
    http://support.ntp.org/download
    http://archive.ntp.org/ntp4/

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/


  4. ntp ports

    Hi

    What ports need to be opened if my ntp servers are inside a firewall?

    thank you

  5. Re: ntp ports

    > Date: Sun, 9 Nov 2008 10:49:15 +0000 (GMT)
    > From: Melanie Pfefer
    > Sender: questions-bounces+oberman=es.net@lists.ntp.org
    >
    > Hi
    >
    > What ports need to be opened if my ntp servers are inside a firewall?

    123/udp
    --
    R. Kevin Oberman, Network Engineer
    Energy Sciences Network (ESnet)
    Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
    E-mail: oberman@es.net Phone: +1 510 486-8634
    Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

  6. Re: ntp ports

    Melanie Pfefer wrote:
    > Hi
    >
    > What ports need to be opened if my ntp servers are inside a firewall?
    >
    > thank you


    Port 123. But only if you need to query outside servers or serve time
    to systems outside the firewall. If you purchase and install a hardware
    reference clock, such as a GPS timing receiver, you can dispense with
    access to servers outside the firewall. This is an option reserved for
    the utterly paranoid! Normally you would use one or more outside
    servers as a backup and sanity check.

  7. Re: ntp ports

    On 2008-11-10, Kevin Oberman wrote:

    > Melanie Pfefer wrote:
    >
    >> What ports need to be opened if my ntp servers are inside a firewall?

    >
    > 123/udp


    ntpd communicates with other ntpds via port 123/UDP (as both the source
    and destination port).

    If you are using a stateful firewall (or are behind NAT) and do not
    need to make your ntpd publicly accessible you should not have to do
    anything to allow ntpd to work.

    If your firewall is not "stateful", or you wish to make your ntpd
    publicly accessible, you need to allow both incoming and outgoing
    connections via port 123/udp.

    --
    Steve Kostecke
    NTP Public Services Project - http://support.ntp.org/

  8. Re: ntp ports

    Richard B. Gilbert wrote:
    > Melanie Pfefer wrote:
    >> Hi
    >>
    >> What ports need to be opened if my ntp servers are inside a firewall?
    >>
    >> thank you

    >
    > Port 123. But only if you need to query outside servers or serve time
    > to systems outside the firewall. If you purchase and install a hardware
    > reference clock, such as a GPS timing receiver, you can dispense with
    > access to servers outside the firewall. This is an option reserved for
    > the utterly paranoid! Normally you would use one or more outside
    > servers as a backup and sanity check.


    I have three in-house GPS receivers, in three separate cities. Each city
    has two FreeBSD-based ntp servers, one of which is currently connected
    to the local GPS, but the other is pre-configured so that in case of a
    primary server crash, the serial cable can be moved over.

    All six servers are also configured to use each other as a reference,
    but since any ntp server will disregard other servers at the same
    stratum level, the effect is that the primaries use their GPS clock and
    the secondaries use the 3 primary servers.

    All of them will also use 3 external servers as backup, just in case. :-)
    (No other systems are allowed to use port 123 through the firewalls,
    while the primary servers have no other open ports at all, except for
    SSH from one of two corporate admin machines.)

    All other servers use all six of these S1/S2 primary servers as references.

    Terje
    --
    -
    "almost all programming can be viewed as an exercise in caching"

  9. Re: ntp ports


    >I have three in-house GPS receivers, in three separate cities. Each city
    >has two FreeBSD-based ntp servers, one of which is currently connected
    >to the local GPS, but the other is pre-configured so that in case of a
    >primary server crash, the serial cable can be moved over.


    What sort of GPS units are you using?

    Many of them talk without asking once you get them set up correctly.
    You can run those through a line buffer/splitter and drive several
    ntp servers at the same time.

    --
    These are my opinions, not necessarily my employer's. I hate spam.


  10. Re: ntp ports

    Hal Murray wrote:
    >> I have three in-house GPS receivers, in three separate cities. Each city
    >> has two FreeBSD-based ntp servers, one of which is currently connected
    >> to the local GPS, but the other is pre-configured so that in case of a
    >> primary server crash, the serial cable can be moved over.

    >
    > What sort of GPS units are you using?


    These are the integrated Oncore 12-channel timing receivers, phk had an
    array of them on his shack at one point:

    http://phk.freebsd.dk/raga/

    >
    > Many of them talk without asking once you get them set up correctly.
    > You can run those through a line buffer/splitter and drive several
    > ntp servers at the same time.
    >


    The Oncore receivers require a polling command to be sent every second,
    so in theory you could do it by only connecting the TX line from one of
    the servers, but this would only work if the servers were perfectly in
    sync, since the driver goes through several initialization stages on
    startup.

    Connecting just the PPS signal would have worked, but it really doesn't
    matter:

    It is more important that I also have a few more unofficial S1 servers,
    in the form of a home-made Garmin 18, a US-based CDMA cellphone unit,
    three black box units (three models from two different vendors).

    My DCF77 clock in Germany is unfortunately not in operation. :-(

    Terje

    --
    -
    "almost all programming can be viewed as an exercise in caching"

  11. Re: ntp ports

    Steve Kostecke wrote:

    > If you are using a stateful firewall (or are behind NAT) and do not
    > need to make your ntpd publicly accessible you should not have to do
    > anything to allow ntpd to work.


    Well, at least you would have to allow outbound 123/udp...

    N
