Date:      Tue, 04 Oct 2011 22:49:24 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-stable@freebsd.org
Subject:   Re: How disable ntpd on IPv6 adresses?
Message-ID:  <4E8B7F64.9080008@infracaninophile.co.uk>
In-Reply-To: <20111004203743.GM23883@pol.leissner.se>
References:  <20111004203743.GM23883@pol.leissner.se>

On 04/10/2011 21:37, Peter Olsson wrote:
> I hope this is the right list for this question.
> In FreeBSD 8.2, how do I make ntpd not open any
> IPv6 ports? I have searched man pages and google,
> but haven't found the answer. Some ntpd have the
> command line option -4, but that doesn't seem to
> be the case with FreeBSD ntpd.
>
> The server runs IPv6, but ntpd will only ever be used
> with IPv4 servers, so I don't want any unnecessary
> open IPv6 ports for ntpd.
>
> "Use restrict" or "Use a firewall" is not the answer.
> I just don't want this junk in netstat -an:
> udp6       0      0 fe80:3::1.123          *.*
> udp6       0      0 ::1.123                *.*
> udp6       0      0 x:x:x:x.123            *.*
> udp6       0      0 fe80:2::219:bbff.123   *.*
> udp6       0      0 fe80:1::219:bbff.123   *.*
> udp6       0      0 *.123                  *.*

Unfortunately you can't.  ntpd binds to every available interface when
it starts up, and there's nothing configuration-wise you can do to stop it.

However you can use 'restrict' or 'restrict -6' in ntpd.conf to ignore
any traffic via addresses you don't want NTP service on.  It doesn't
clean up your sockstat(1) output, but it does help protect your system
time from external hackery.  See
http://support.ntp.org/bin/view/Support/AccessRestrictions

I have no idea why ntpd(8) lacks this feature of binding to specified
addresses, as to my mind it should be standard for any software that can
generate network sockets.  You could try openntpd from OpenBSD which
does have control over where it will bind to (Ports: net/openntpd) --
but last I used it the degree of clock synchronization it achieved was
not as good as regular ntpd.  That was some time ago now, and the
situation may well have changed since then.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
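
Added example, not part of the message above and not code from the ntpd project: since the IPv6 sockets stay bound, this sh sketch lists the udp6 port-123 listeners from `netstat -an` output and checks whether ntpd's configuration file drops IPv6 traffic by default. The function names, the sample data and the `restrict -6 default ignore` spelling of the restriction are assumptions; the thread itself only names 'restrict -6'.

```shell
#!/bin/sh
# Added example, not from the original thread. Sample data is constructed.

# Local addresses of udp6 sockets on port 123, from `netstat -an` on stdin
# (FreeBSD prints local addresses as "addr.port").
ntp_v6_listeners() {
    awk '$1 == "udp6" && $4 ~ /\.123$/ { sub(/\.123$/, "", $4); print $4 }'
}

# Succeed if the config file ($1) has "restrict -6 default ... ignore".
# Assumption: only this one spelling of the IPv6 default entry is checked.
ntp_v6_default_ignored() {
    awk '{ sub(/#.*/, "") }
         $1 == "restrict" && $2 == "-6" && $3 == "default" {
             for (i = 4; i <= NF; i++) if ($i == "ignore") found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# One line per IPv6 listener: "<address> <ignored|not-ignored>".
# $1 = file holding netstat output, $2 = ntpd config path.
ntp_v6_audit() {
    if ntp_v6_default_ignored "$2"; then verdict=ignored; else verdict=not-ignored; fi
    ntp_v6_listeners < "$1" | while read -r addr; do
        printf '%s %s\n' "$addr" "$verdict"
    done
}

# Constructed netstat sample in the shape quoted in the thread.
sample_netstat() {
    cat <<'EOF'
udp4       0      0 192.0.2.10.123         *.*
udp6       0      0 fe80:3::1.123          *.*
udp6       0      0 ::1.123                *.*
udp6       0      0 *.123                  *.*
udp6       0      0 ::1.514                *.*
EOF
}

# Constructed config: IPv4 stays served, IPv6 is dropped by default.
sample_ntp_conf() {
    cat <<'EOF'
server 192.0.2.1 iburst        # placeholder IPv4 server (TEST-NET-1)
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 default ignore     # drop every IPv6 NTP packet
EOF
}
```

On a live host, save `netstat -an` output to a file and pass it with the real configuration path to `ntp_v6_audit`; a `not-ignored` verdict means no IPv6 default-ignore line was found, not that other restrict entries are absent.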

