OpenNTPd -s no longer works?

Under FreeBSD 14.1, I have openntpd installed and in my rc.conf;

ntpd_enable="NO"
openntpd_enable="YES"
openntpd_flags="-s"

However I see in my dmesg outputs;

Sep 7 09:40:52 mybsdb0x ntpd[58854]: -s option no longer works and will be removed soon.
Please reconfigure to use constraints or trusted servers.


That's a new message, I guess; I did not see it before.

So it seems I should remove the -s switch. How do I keep my server's time synced all the time, during boot and afterwards, with openntpd?

Regards.
 
I've been using openntpd without any extra flags for a long time.
I take the /usr/local/etc/ntpd.conf.sample, copy it to ntpd.conf in the same directory, and just change the servers line, and it works fine.
 

^^That's why I preferred openntpd.

A question: If openntpd does not listen on port 123 at all, how come it can communicate with time servers?
Extra question: Should I remove the PF pass rule for port 123 if I move to openntpd?

Regards.

When openntpd is acting as a client (pulling time from another server) it initiates the traffic, which will "keep state" in pf, so the replies are allowed back in.
If you are using your system to serve time, then you would need to have port 123 open.

The article you reference has to do with the default behavior of base ntpd; it will set up a socket on all interfaces except for localhost, listening on port 123. Normally not a problem if you are actually serving time, but if all you want is a client it's overkill. One can modify the base ntpd.conf file to avoid this, but openntpd is a bit easier if all you need is a client.
 
I've been using openntpd without any extra flags for a long time.
I take the /usr/local/etc/ntpd.conf.sample, copy it to ntpd.conf in the same directory, and just change the servers line, and it works fine.
I have this in ntpd.conf and it works (I hope it is correct):
Code:
servers pool.ntp.org
sensor *
constraint from "https://9.9.9.9"
 
A question: If openntpd does not listen on port 123 at all, how come it can communicate with time servers?
An open port (listen) is for incoming connections, not outgoing. Directionality of a connection is important.
Extra question: Should I remove the PF pass rule for port 123 if I move to openntpd?
NTP is a protocol, ntpd(8) and OpenNTPd are simply different implementations that use this protocol. Much like HTTP is a protocol and nginx(8) or httpd(8) are different implementations that can serve that protocol.
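
The client-only case described in the replies above, written out as a pf.conf ruleset; this is an example added here, not a configuration posted by anyone in the thread. It shows the outbound rules an OpenNTPd client with an HTTPS constraint needs, beside the inbound port 123 rule that only a time server needs. Assumptions: the external interface is named em0 (hypothetical), the policy is default-deny in both directions, and DNS is reached on port 53.

```conf
# Added example, not from the thread.
# Assumed: external interface "em0", default-deny policy, DNS on port 53.
ext_if = "em0"

set skip on lo0
block all

# Name resolution for "servers pool.ntp.org".
pass out quick on $ext_if inet proto { tcp udp } from any to any port 53 keep state

# Client-only OpenNTPd: outbound NTP queries. The state created here is what
# lets the server's replies back in; no inbound rule for port 123 is needed.
# ("keep state" is already the default for pass rules; spelled out for clarity.)
pass out quick on $ext_if inet proto udp from any to any port 123 keep state

# A 'constraint from "https://..."' line in ntpd.conf is an HTTPS request,
# so outbound TCP 443 must be allowed as well.
pass out quick on $ext_if inet proto tcp from any to any port 443 keep state

# Only if this host serves time to other machines (which also requires a
# "listen on" line in ntpd.conf). Leave it out on a pure client.
# pass in on $ext_if inet proto udp from any to any port 123 keep state
```

After loading the ruleset, `pfctl -ss` lists the state entries created by the outbound NTP queries, and `sockstat -l` shows whether anything is actually listening on UDP 123.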
 