10.6. NTP

The Network Time Protocol (NTP) is used for synchronizing system time with reliable time servers over the Internet. The synchronization is performed by a dedicated service, the NTP daemon (ntpd). The configuration file of ntpd is the /etc/ntp.conf file. The ntp.conf configuration file is read at initial startup by the NTP daemon in order to specify the synchronization sources, modes and other related information.

Unlike the system logging and network configuration files, ntp.conf does not have a manual page in the default installation of Zorp. However, there are many useful sources available on NTP, see for details Chapter 9, Native services, the website of NTP protocol/service link in Appendix C, Further readings, RFC 1305 on NTP version 3, and the manual page of ntp.conf for accessing it on other Unix/Linux installations or on the Internet.

NTP itself can have a very sophisticated configuration with, for example, public key authentication, access control, or extensive monitoring options. At the very minimum, define a time server with which the firewall can synchronize time (the server key).

Add the following line in the configuration file.

server 10.20.30.40

Note

If more than one timeserver is supplied, the system time is more accurate, because during a time update all the listed servers are queried and a special algorithm selects the best (most accurate) of them.

Additionally, since Zorp can be used as an authentic time source for the network, you can limit the number of concurrent client connections using the clientlimit key, and you can set a minimum time interval a client can synchronize time with the firewall using the clientperiod key.

After editing and saving the ntp.conf file manually, restart the service by running the /etc/init.d/ntp script with the restart argument. NTP can be chrooted as well, in which case the place of the configuration file is /var/chroot/ntp/etc/. The configuration can be edited here directly or else the original configuration file can also be used. In the latter case the jailer script updates the configuration inside the chrooted (jailed) environment. The jailer update process involves the following three steps:

  1. The original configuration file is modified.

  2. Jailer is run.

  3. The process (daemon) is restarted.

If ZMC is used for system configuration, the configuration files are automatically created inside the chrooted environment, so no special intervention is needed.

This method for updating jailed environments is the same for all other daemons that are to be jailed under Zorp, such as ISC BIND 9.

System time is updated with the ntpdate command. Run the command as root, as usually from a system startup script so that system time gets adjusted during bootup. You can run the command manually, if needed.