From: Jeremy Chadwick
To: Peter Olsson
Cc: freebsd-stable@freebsd.org
Date: Tue, 4 Oct 2011 14:42:53 -0700
Subject: Re: How to disable ntpd on IPv6 addresses?
Message-ID: <20111004214253.GA24867@icarus.home.lan>
In-Reply-To: <20111004203743.GM23883@pol.leissner.se>
List-Id: Production branch of FreeBSD source code

On Tue, Oct 04, 2011 at 10:37:43PM +0200, Peter Olsson wrote:
> Hello!
>
> I hope this is the right list for this question.
> In FreeBSD 8.2, how do I make ntpd not open any
> IPv6 ports? I have searched man pages and google,
> but haven't found the answer.
> Some ntpd have the command line option -4, but that doesn't seem to
> be the case with FreeBSD ntpd.
>
> The server runs IPv6, but ntpd will only ever be used with IPv4 servers,
> so I don't want any unnecessary open IPv6 ports for ntpd.
>
> "Use restrict" or "Use a firewall" is not the answer.
> I just don't want this junk in netstat -an:
>
> udp6       0      0  fe80:3::1.123          *.*
> udp6       0      0  ::1.123                *.*
> udp6       0      0  x:x:x:x.123            *.*
> udp6       0      0  fe80:2::219:bbff.123   *.*
> udp6       0      0  fe80:1::219:bbff.123   *.*
> udp6       0      0  *.123                  *.*

All our systems are built with WITHOUT_INET6=true in /etc/src.conf, which
(mostly, not entirely) removes IPv6 from most base system bits. We also
remove the "INET6" option in our kernel configs.

This works for ntpd, but only "functionally" works for rpcbind (I say
"functionally" because it still spits out "cannot get information for
{udp6,tcp6}" when starting, but obviously does not bind to IPv6. I believe
I have an open PR on this matter).

Otherwise, to my knowledge, there is no way to make ntpd not bind to
everything it finds. If you're wanting IPv6 support but want to exclude
some daemons from binding or utilising IPv6, you're out of luck. It's
extremely hit-or-miss on FreeBSD (mostly miss).

The only alternative is to use pf(4) to block inbound IPv6 packets to port
123. This won't stop ntpd from talking to IPv6 peers, but would stop people
from talking to it, if that's what you're trying to solve.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, US |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
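An added example, not part of either message above: a small sh audit that runs the netstat check Peter describes over a constructed sample of `netstat -an` output (udp6 sockets on port 123 are exactly the ones he wants gone) and checks a src.conf fragment for the WITHOUT_INET6 knob Jeremy uses. The sample texts and the function names are my own; on a real host you would pass "$(netstat -an)" and "$(cat /etc/src.conf)" instead.

```shell
#!/bin/sh
# Added example, not from the thread: check netstat -an output for IPv6 sockets
# held by ntpd (udp6, port 123) and a src.conf fragment for WITHOUT_INET6. Inputs
# are passed as text so it runs anywhere; on a real host feed it live output.

# Constructed sample of netstat -an output, modelled on the lines quoted in the thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp4       0      0  192.0.2.10.123         *.*
udp4       0      0  *.123                  *.*
udp6       0      0  fe80:3::1.123          *.*
udp6       0      0  ::1.123                *.*
udp6       0      0  *.123                  *.*
tcp6       0      0  *.22                   *.*                    LISTEN'

# Constructed /etc/src.conf fragment.
SAMPLE_SRC_CONF='# local build knobs
WITHOUT_INET6=true
WITHOUT_IPFILTER=true'

# sockets_on_port NETSTAT_TEXT PROTO PORT
# Prints the local address of each socket whose protocol column equals PROTO
# (e.g. udp6) and whose local port equals PORT. The port is the last
# dot-separated token of the local address, which also holds for IPv6 addresses.
sockets_on_port() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 == proto {
            n = split($4, parts, "[.]")
            if (parts[n] == port) print $4
        }'
}

# count_sockets_on_port NETSTAT_TEXT PROTO PORT -> prints the number of matches
count_sockets_on_port() {
    sockets_on_port "$1" "$2" "$3" | wc -l | tr -d ' '
}

# ntpd_v6_clean NETSTAT_TEXT -> exit 0 if ntpd holds no IPv6 socket, 1 otherwise
ntpd_v6_clean() {
    [ "$(count_sockets_on_port "$1" udp6 123)" -eq 0 ]
}

# src_conf_disables_inet6 SRC_CONF_TEXT -> exit 0 if WITHOUT_INET6 is defined.
# The build only tests that the knob is defined, so any value counts.
src_conf_disables_inet6() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*WITHOUT_INET6[[:space:]]*='
}

ntpd_v6_clean "$SAMPLE_NETSTAT" || { echo "ntpd still bound on IPv6:"; sockets_on_port "$SAMPLE_NETSTAT" udp6 123; }
src_conf_disables_inet6 "$SAMPLE_SRC_CONF" && echo "src.conf: WITHOUT_INET6 defined"
```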