NTP¶
The NTP service is a Network Time Protocol (NTP) daemon which will listen for requests from clients and allow them to synchronize their clock with that of the DefenseBolt firewall. By running a local NTP server and using it for local clients, it reduces the load on the lower-stratum servers and can ensure that local systems can always reach a time server. Before delegating this task to a firewall running DefenseBolt, the best practice is to ensure that the firewall has an accurate clock and keeps time reasonably.
NTP and IPv6
The NTP Project daemon fully supports IPv6 as a client and a server.
NTP Server Configuration¶
To configure the NTP Server:

- Navigate to Services > NTP
Setting¶
- Configure the settings as follows:
Interface
Select the interface(s) to use for NTP. The NTP daemon binds to all interfaces by default to receive replies properly. This may be minimized by selecting at least one interface to bind, but that interface will also be used to source the NTP queries sent out to remote servers, not only to serve clients. Deselecting all interfaces is the equivalent of selecting all interfaces.
Time Servers A list of servers to query in order to keep the clock of this firewall synchronized. This list is initially pulled from the entries under System > General Setup. For best results, we recommend using at least three servers, but no more than five. Click Add to configure additional time servers.
Prefer When checked, this NTP server entry is favored by the NTP daemon over others.
No Select When checked, this NTP server is not used for time synchronization, but only to display statistics.
Orphan Mode Orphan mode uses the system clock when no other clocks are available; without it, clients will not receive a response when all other servers are unreachable. The value entered here is the stratum used for Orphan Mode, and is typically set high enough that live servers are preferred. The default value is 12.

NTP Graphs Check to enable RRD graphs for NTP server statistics.
Logging When logging options are active, NTP logs are written using syslog and may be found under Status > System Logs, on the NTP tab.
Log Peer Messages When checked, NTP will log messages about peer events, information, and status.
Log System Messages When checked, NTP will log messages about system events, information, and status.
Statistics Logging Click Show Advanced to view these options. When enabled, NTP will create persistent daily log files in /var/log/ntp to keep statistics data. The format of the statistics records in the log files can be found in the ntp.conf man page.
Log reference clock statistics When checked, NTP records clock driver statistics on each update.
Log clock discipline statistics When checked, NTP records loop filter statistics on each update of the local clock.
Log NTP Peer Statistics When checked, NTP records statistics for all peers of the NTP daemon, along with special signals.

Leap Seconds Click Show Advanced to view these options. Defines the contents of the Leap Second file, used by NTP to announce upcoming leap seconds to clients. This is typically used only by stratum 1 servers. The exact format of the file may be found on the IETF leap second list.
- Click Save
ACLs¶
Access restrictions (ACLs) are configured on the ACL tab under Services > NTP. These ACLs control how NTP interacts with clients.

Default Access Restrictions Control behavior for all clients by default.
Kiss-o’-Death When set, NTP will send a KoD packet when an access violation occurs. Such packets are rate limited and no more than one per second will be sent.
Modifications When set, ntpq and ntpdc queries that attempt to change the configuration of the server are denied, but informational queries are returned.
Queries When set, all queries from ntpq and ntpdc are denied.
Warning
Setting this will effectively disable the NTP status page, which relies on ntpq.
Service When set, NTP will deny all packets except queries from ntpq and ntpdc.
Peer Association When set, NTP denies packets that would result in a new peer association, including broadcast and symmetric active packets for peers without an existing association.
Trap Service When set, NTP will not provide mode 6 control message trap service, used for remote event logging.
Custom Access Restrictions Defines the behavior for specific client addresses or subnets. Click Add to add a new network definition.
Network/mask The subnet and mask to define the client controlled by the restrictions in this entry.
Restrictions The option names are abbreviated versions of those in the default list, in the same order.
Click Save to store the ACLs.
Serial GPS¶
If this firewall has an available serial port, a Serial GPS may be used to provide a referenceclock for the firewall. If the GPS also supports a Pulse Per Second (PPS) signal, that may also be used as a PPS clock reference.
Warning
USB GPS units may function, but we do not recommend their use due to USB timing issues. The overhead of USB makes it unreliable as a clock or timing source.
For best results, we recommend configuring at least two NTP servers under System > General Setup or Services > NTP to avoid loss of sync if the GPS data is not valid over time. Otherwise the NTP daemon may only use values from the unsynchronized local clock when providing time to clients.

To configure a GPS for use by NTP:
- Navigate to Services > NTP
- Click the Serial GPS tab
- Configure the settings as follows:
GPS Type Select the make and model of the GPS unit. If the model is unknown, use the Default choice. If the model is known but not listed, use Custom.
Serial Port All serial ports detected on the firewall are listed. Select the port with the GPS attached. On-board hardware serial ports start with cuau, USB serial ports are prefixed with cuaU.
Baud Rate Enter the serial speed for the GPS, typically a low value such as 4800.
NMEA Sentences By default, NTP will listen for all supported NMEA sentences. To limit this to specific types, select them from the list.
Fudge Time 1 Specifies a constant to be added to the GPS PPS signal as an offset.

Fudge Time 2 Specifies a constant to be added to the GPS time as an offset.
Stratum Used to configure the stratum of the GPS clock. The default value is 0 so the GPS is preferred over all others. If another clock must be preferred instead, set the stratum value higher than the stratum of the preferred clock.
Flags These options provide additional tweaks to fine-tune the GPS behavior:
Prefer this clock Marks the reference clock as preferred by NTP.
Do not use this clock Prevents the clock from being used by NTP for time synchronization, it is only displayed for reference.
PPS signal processing Enables processing of the Pulse Per Second (PPS) signal in the GPS driver. Only enable this if the GPS is known to output a usable PPS signal.
Falling edge PPS signal processing When set, the falling edge of the PPS signal is used for timing, rather than the rising edge.
Kernel PPS clock discipline When set, the OS Kernel will use PPS directly for timing.
Obscure location in timestamp Obscures the GPS data so the location of the clock cannot be determined.
Log the sub-second fraction of the received time stamp When checked, this can rapidly fill the log, but can be useful for fine tuning of Fudge Time 2.
Clock ID A 1-4 character identifier used to change the GPS Clock ID. The default value is GPS.

GPS Initialization Contains the initialization string sent to the GPS at start up to configure its behavior. When using the Custom GPS type, a proper initialization string for the GPS must be entered manually.
NMEA Checksum Calculator Calculates a checksum for use when crafting new GPS Initialization values or adjusting existing values.
- Click Save
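As an added example, not code from DefenseBolt or the NTP project, the following Python reproduces what the NMEA Checksum Calculator does: the NMEA 0183 checksum is the XOR of every byte between the leading `$` and the `*`, written as two upper-case hex digits. It also goes one step further and verifies the checksum on a received sentence, which is what the GPS driver does before trusting a fix. The two sample sentences (a 1 Hz rate command and a position sentence) are constructed for illustration, not taken from the page.

```python
# Added example (not DefenseBolt or NTP project code): compute and verify
# NMEA 0183 checksums, the value the "NMEA Checksum Calculator" field produces
# for a custom GPS initialization string.
# Checksum = XOR of all bytes between '$' and '*', as two upper-case hex digits.


def nmea_checksum(body: str) -> str:
    """Return the two-digit hex checksum for a sentence body.

    `body` is the text between '$' and '*'; a leading '$' is tolerated.
    """
    if body.startswith("$"):
        body = body[1:]
    if "*" in body:
        raise ValueError("pass only the text before the '*' separator")
    checksum = 0
    for byte in body.encode("ascii"):  # NMEA sentences are 7-bit ASCII
        checksum ^= byte
    return f"{checksum:02X}"


def build_sentence(body: str) -> str:
    """Wrap a body as '$...*XX', the form needed for a GPS Initialization value."""
    if body.startswith("$"):
        body = body[1:]
    return f"${body}*{nmea_checksum(body)}"


def verify_sentence(sentence: str) -> bool:
    """Check a received sentence; False if malformed or the checksum does not match."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, tail = sentence[1:].partition("*")
    claimed = tail[:2].upper()
    if len(claimed) != 2:
        return False
    try:
        int(claimed, 16)
    except ValueError:
        return False
    return claimed == nmea_checksum(body)


# Constructed samples (assumptions, not values from the page): a MediaTek-style
# 1 Hz rate command and the textbook GPGLL position sentence.
SAMPLE_INIT = "PMTK220,1000"
SAMPLE_RX = "$GPGLL,4916.45,N,12311.12,W,225444,A,*1D"

if __name__ == "__main__":
    print(build_sentence(SAMPLE_INIT))                        # $PMTK220,1000*1F
    print(verify_sentence(SAMPLE_RX))                         # True
    print(verify_sentence(SAMPLE_RX.replace(",A,", ",V,")))   # False: payload altered
```

A sentence whose checksum does not match is discarded rather than repaired; a single flipped byte in the payload (the `A` to `V` status change above) is enough to fail it, which is the property you want from a serial link that feeds a reference clock.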
PPS Source (Non-GPS)¶
A non-GPS PPS Source, such as a radio, may also be used for clock timing. It cannot be used for synchronization since there is no time data, but it can be used to ensure a clock ticks accurately.
To configure a Non-GPS PPS source:

- Navigate to Services > NTP
- Click the PPS tab
- Configure the settings as follows:
Serial Port All serial ports detected on the firewall are listed. Select the port with the PPS source attached. On-board hardware serial ports start with cuau, USB serial ports are prefixed with cuaU.
Fudge Time 1 Specifies a constant to be added to the PPS signal as an offset, to account for delay between the transmitter and receiver.
Stratum Used to configure the stratum of the PPS source. The default value is 0 so the PPS source is preferred over all others. If another clock must be preferred instead, set the stratum value higher than the stratum of the preferred clock.
Flags
Falling edge PPS signal processing When set, the falling edge of the PPS signal is used for timing, rather than the rising edge.
Kernel PPS clock discipline When set, the OS Kernel will use PPS directly for timing.
Record a timestamp Record a timestamp once for each second, which is useful for constructing Allan deviation plots.
Clock ID A 1-4 character identifier used to change the PPS Clock ID. The default value is PPS.
- Click Save
The NTP status page shows the status of each NTP peer server. This status page can be found at Status > NTP. An example of the status

The status screen contains one line for every peer, and lists the peer IP address or server ID, the reference clock ID for the peer and various other values that indicate the general quality of the NTP server from the perspective of this firewall. The first column is the most useful, as it indicates which peer is currently the active peer for time sync, which servers are potential candidates to be peers, and which servers have been rejected and why.
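The status page renders the same peer table that `ntpq -p` prints, and the first column is ntpq's tally code. The following Python, added here as an example rather than DefenseBolt code, parses that table and decodes the tally codes (`*` system peer, `o` PPS peer, `+` candidate, `-` outlier, `x` falseticker, space for rejected) so the result can be checked by a script or a monitoring job instead of by eye. The sample output is constructed; the addresses, reference IDs and values are not from the page.

```python
# Added example (not DefenseBolt code): decode the peer table that ntpq -p
# prints, the same data the Status > NTP page shows. The first column (tally
# code) tells you which peer is actually driving the clock.
# SAMPLE_NTPQ below is constructed output, not captured from a real firewall.

# Tally codes as documented for ntpq's peer billboard.
TALLY = {
    "*": "system peer (selected for time sync)",
    "o": "PPS peer (selected, PPS discipline)",
    "+": "candidate (included by the combine algorithm)",
    "#": "backup (selected, in excess of tos maxclock)",
    "-": "outlier (discarded by the cluster algorithm)",
    "x": "falseticker (discarded by the intersection algorithm)",
    ".": "excess (discarded by table overflow)",
    " ": "rejected (unreachable, unsynchronized or failed sanity checks)",
}

SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.10    .GPS.            1 u   34   64  377    1.234   -0.123   0.045
+198.51.100.20   203.0.113.10     2 u   20   64  377    5.678    0.456   0.123
-192.0.2.30      192.0.2.1        3 u   60   64  377   25.123    3.210   1.001
x192.0.2.40      LOCAL(0)        10 u   12   64  377    0.500  800.000   0.001
 192.0.2.50      .INIT.          16 u    -   64    0    0.000    0.000   0.000
oPPS(0)          .PPS.            0 l    5   16  377    0.000    0.002   0.001
"""


def parse_ntpq_peers(text):
    """Parse `ntpq -p` output into one dict per peer row."""
    peers = []
    for line in text.splitlines():
        if not line or line.startswith("=") or line.lstrip().startswith("remote"):
            continue  # header rows
        tally, rest = line[0], line[1:].split()
        if len(rest) != 10:
            continue  # not a peer row
        remote, refid, st, _t, _when, _poll, reach = rest[:7]
        _delay, offset, jitter = (float(v) for v in rest[7:])
        # reach is an octal shift register of the last 8 polls: 377 = all answered
        polls_answered = bin(int(reach, 8)).count("1")
        peers.append({
            "tally": tally,
            "meaning": TALLY.get(tally, "unknown"),
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "polls_answered": polls_answered,  # out of the last 8
            "unsynchronized": int(st) == 16 or refid == ".INIT.",
            "offset_ms": offset,
            "jitter_ms": jitter,
        })
    return peers


def system_peer(peers):
    """Remote currently driving the clock: the '*' peer, else the 'o' PPS peer, else None."""
    for code in ("*", "o"):
        for p in peers:
            if p["tally"] == code:
                return p["remote"]
    return None


def unhealthy(peers):
    """Peers worth a look: rejected, falsetickers, or ones that missed recent polls."""
    return [p["remote"] for p in peers
            if p["tally"] in (" ", "x") or p["polls_answered"] < 8]


if __name__ == "__main__":
    parsed = parse_ntpq_peers(SAMPLE_NTPQ)
    for p in parsed:
        print(f"{p['tally']!r} {p['remote']:<16} st{p['stratum']:<3} "
              f"{p['polls_answered']}/8 polls  {p['meaning']}")
    print("system peer:", system_peer(parsed))
    print("unhealthy:", unhealthy(parsed))
```

A peer at stratum 16 with a `.INIT.` reference ID and a `reach` of 0 has never answered; a peer marked `x` is answering but its time disagrees with the majority, which is the case to investigate rather than ignore, since ntpd has rejected it precisely because it is wrong by a large margin (800 ms here).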
If a serial GPS is connected and configured, the coordinates reported by the GPS device are also listed, along with a link to the coordinates on Google Maps.
Note
The quality of GPS data can vary widely depending on the signal level, the GPS device, and how it is connected. Traditional serial ports are higher quality and better suited to GPS clock usage. USB serial GPS units may be acceptable, but due to how USB functions, the timing of signals cannot be guaranteed the way it can be with a traditional hard-wired serial port.