Ntpd has evolved considerably in recent years and the handbook has fallen out of date. Notable updates include...
- The sample ntp.conf file in the handbook was a bad example that, if used, would expose the user to potential network attacks or exploits by allowing full query and control access to ntpd. The sample config now contains the restrict options that are considered current best practices for a public-facing ntpd daemon. The config would actually work (and be safe) even if a user just blindly cut and pastes it.
- The new(-ish) ntp.conf 'pool' keyword is featured prominently in the sample, and the existence of the FreeBSD project-sponsored pool is documented.
- Separate subsections now exist for ntp.conf and the rc.conf variables that affect how ntpd runs. The existence and effect of the un-obvious ntpd_oomprotect rc variable is mentioned.
- A new subsection describes running ntpd as the unpriveleged ntpd user. It details how certain configurations can prevent the rc.d script from automatically running ntpd unpriveleged, and describes how to manually configure unpriveleged operation in those cases.
- It now mentions the fact that firewalls need to be configured to pass udp packets on port 123 for ntpd to operate.