Bug #4463


Fix the NTPD Access Restrictions / and other NTPD related issues, including GPS

Added by Andrew Stuart over 9 years ago. Updated about 8 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:


Access Restrictions once open says "these options control access to NTP from the WAN."
This is incorrect.

It sets the default for all interfaces.
Thus enabling " Enable Kiss-o'-death packets" | "Deny packets that attempt a peer association" result in clients not being able to get a valid time, instead getting "no server suitable for synchronization found" and with debugging "Server dropped: strata too high"
"stratum 16, precision -6, leap 11, trust 000"

Since these options are enabled by default, it would appear all fresh pfSense installs are broken by default.

This should be either fixed to do what it says, or changed to specify it is the defaults for all interfaces, and the options relaxed to allow clients to connect. Better yet, change it to be the default for all interfaces, and explicitly set rules for the lan interface / allow custom rules to be added.

Specifically, unsetting the above two options results in a working configuration on 4 different boxes that were working prior to 2.2. (one being a fresh reinstall)
after changes ntpd.conf looks like:
restrict default nomodify notrap
restrict -6 default nomodify notrap

default options checked:
restrict default kod limited nomodify nopeer notrap
restrict -6 default kod limited nomodify nopeer notrap

btw it would seem there is a lot of issues with the gui on 2.2 with firefox/chrome at least with NTPD, not restoring selected items after save, such as the serial port speed on gps / NMEA sentences, etc. I'm wondering if it has to do with the doctype and using selected="selected" instead of just selected. I haven't had a chance to test it. I also saw this in other places on 2.2 but didn't make notes.

Lastly, I wonder where the garmin Initialization sentences came from. $PGRMC,,,,,,,,,,3,,2,8*5E appears to be off. my reference shows there are 14 options to that, only 13 are specified. Nothing notes whether or not this is acceptable, and I haven't tried to see if it causes an error. also options 12 and 13 are not used, yet specified. see:

The default $PGRMO sentence turns on ALL sentences, but then you specifically set $PGRMO,GPRMC,1*3D
and a few others, which seems redundant. I wonder if $PGRMO was meant to be set to $PGRMO,,2*75 which turns off all sentences. and then explicitly turn on the few sentences that you have there by default.

(don't forget, the cake is a lie)


Also available in: Atom PDF