Hello!

I hope this is the right list for this question.
In FreeBSD 8.2, how do I make ntpd not open any
IPv6 ports? I have searched man pages and google,
but haven't found the answer. Some ntpd have the
command line option -4, but that doesn't seem to
be the case with FreeBSD ntpd.

The server runs IPv6, but ntpd will only ever be used
with IPv4 servers, so I don't want any unnecessary
open IPv6 ports for ntpd.

"Use restrict" or "Use a firewall" is not the answer.
I just don't want this junk in netstat -an:
udp6       0      0 fe80:3::1.123          *.*
udp6       0      0 ::1.123                *.*
udp6       0      0 x:x:x:x.123            *.*
udp6       0      0 fe80:2::219:bbff.123   *.*
udp6       0      0 fe80:1::219:bbff.123   *.*
udp6       0      0 *.123                  *.*

Thanks!

-- 
Peter Olsson                      pol@leissner.se
On Tue, Oct 04, 2011 at 10:37:43PM +0200, Peter Olsson wrote:
> Hello!
> 
> I hope this is the right list for this question.
> In FreeBSD 8.2, how do I make ntpd not open any
> IPv6 ports? I have searched man pages and google,
> but haven't found the answer. Some ntpd have the
> command line option -4, but that doesn't seem to
> be the case with FreeBSD ntpd.
> 
> The server runs IPv6, but ntpd will only ever be used
> with IPv4 servers, so I don't want any unnecessary
> open IPv6 ports for ntpd.
> 
> "Use restrict" or "Use a firewall" is not the answer.
> I just don't want this junk in netstat -an:
> udp6       0      0 fe80:3::1.123          *.*
> udp6       0      0 ::1.123                *.*
> udp6       0      0 x:x:x:x.123            *.*
> udp6       0      0 fe80:2::219:bbff.123   *.*
> udp6       0      0 fe80:1::219:bbff.123   *.*
> udp6       0      0 *.123                  *.*

All our systems are built with WITHOUT_INET6=true in /etc/src.conf,
which (mostly, not entirely) removes IPv6 from most base system bits.
We also remove the "INET6" option in our kernel configs.

This works for ntpd, but only "functionally" works for rpcbind (I say
"functionally" because it still spits out "cannot get information for
{udp6,tcp6}" when starting, but obviously does not bind to IPv6. I
believe I have an open PR on this matter).

Otherwise, to my knowledge, there is no way to make ntpd not bind to
everything it finds.

If you're wanting IPv6 support but want to exclude some daemons from
binding or utilising IPv6, you're out of luck. It's extremely
hit-or-miss on FreeBSD (mostly miss).

The only alternative is to use pf(4) to block inbound IPv6 packets to
port 123. This won't stop ntpd from talking to IPv6 peers, but would
stop people from talking to it, if that's what you're trying to solve.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
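The pf(4) rule Jeremy describes in his last paragraph, written out as a pf.conf fragment. This is an added example, not code from the thread or from FreeBSD's own configuration; the rule ordering and the comment about stateful rules are assumptions about a typical ruleset, and port 123 is simply NTP's well-known port.

```conf
# Added example (not from the thread): drop inbound IPv6 NTP before
# any other rule can pass it. ntpd still creates its udp6 sockets,
# so they keep showing up in netstat/sockstat; this only stops
# remote hosts from reaching them.
block in quick inet6 proto udp from any to any port 123

# The rest of the ruleset follows. Note: pf consults the state table
# before the rule list, so if a stateful "pass out" rule exists,
# replies from IPv6 peers that ntpd itself contacted still get in.
# That is exactly the behaviour Jeremy notes: remote hosts cannot
# talk to ntpd over IPv6, but ntpd can still talk to IPv6 peers.
pass out quick inet6 proto udp from any to any port 123 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm with `pfctl -sr` that the block rule is listed ahead of any pass rule that could match the same packets; without `quick`, a later matching pass rule would win.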
On 04/10/2011 21:37, Peter Olsson wrote:
> I hope this is the right list for this question.
> In FreeBSD 8.2, how do I make ntpd not open any
> IPv6 ports? I have searched man pages and google,
> but haven't found the answer. Some ntpd have the
> command line option -4, but that doesn't seem to
> be the case with FreeBSD ntpd.
> 
> The server runs IPv6, but ntpd will only ever be used
> with IPv4 servers, so I don't want any unnecessary
> open IPv6 ports for ntpd.
> 
> "Use restrict" or "Use a firewall" is not the answer.
> I just don't want this junk in netstat -an:
> udp6       0      0 fe80:3::1.123          *.*
> udp6       0      0 ::1.123                *.*
> udp6       0      0 x:x:x:x.123            *.*
> udp6       0      0 fe80:2::219:bbff.123   *.*
> udp6       0      0 fe80:1::219:bbff.123   *.*
> udp6       0      0 *.123                  *.*

Unfortunately you can't. ntpd binds to every available interface when
it starts up, and there's nothing configuration-wise you can do to stop
it. However you can use 'restrict' or 'restrict -6' in ntpd.conf to
ignore any traffic via addresses you don't want NTP service on. It
doesn't clean up your sockstat(1) output, but it does help protect your
system time from external hackery. See

  http://support.ntp.org/bin/view/Support/AccessRestrictions

I have no idea why ntpd(8) lacks this feature of binding to specified
addresses, as to my mind it should be standard for any software that
can generate network sockets.

You could try openntpd from OpenBSD which does have control over where
it will bind to (Ports: net/openntpd) -- but last I used it the degree
of clock synchronization it achieved was not as good as regular ntpd.
That was some time ago now, and the situation may well have changed
since then.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
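The 'restrict -6' approach Matthew suggests, written out as an ntp.conf fragment for Peter's situation (IPv6 host, IPv4-only NTP peers). This is an added example, not configuration from the thread or from FreeBSD's stock ntp.conf; the server names and the IPv4 flag set on the default restriction are assumptions, and the placeholder 192.0.2.10 is a documentation address standing in for a real IPv4 peer.

```conf
# Added example (not from the thread). ntpd still binds its udp6
# sockets, but with these lines it drops every packet that arrives
# over IPv6, so nothing reaches the protocol engine that way.

# Discard all IPv6 traffic: no queries, no time, no ntpq/ntpdc control.
restrict -6 default ignore

# IPv4: serve time but refuse modification, traps, peering and
# status queries from anyone not listed below.
restrict -4 default kod nomodify notrap nopeer noquery

# Local IPv4 control via ntpq/ntpdc stays fully available.
restrict 127.0.0.1

# Upstream peers. Force IPv4 name resolution so a dual-stack name
# never yields an IPv6 association (placeholder names/addresses).
server -4 0.freebsd.pool.ntp.org iburst
server -4 1.freebsd.pool.ntp.org iburst
server 192.0.2.10 iburst

# Replies from a configured peer must still be accepted by restrict:
# the IPv4 default above allows them; the IPv6 default would not,
# which is fine here because no peer is reachable over IPv6.
```

After restarting ntpd, `ntpdc -c reslist` prints the restriction list as loaded, and `sockstat -6 -l` will still show the :123 sockets, as Matthew says. The one practical caveat is the IPv6 `ignore`: it also silences `ntpq -6` against ::1 and drops replies from any IPv6 server, so if an IPv6 peer is ever added later the -6 default must be relaxed first.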