Date: Tue, 04 Oct 2011 22:49:24 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-stable@freebsd.org
Subject: Re: How disable ntpd on IPv6 adresses?
Message-ID: <4E8B7F64.9080008@infracaninophile.co.uk>
In-Reply-To: <20111004203743.GM23883@pol.leissner.se>
References: <20111004203743.GM23883@pol.leissner.se>

On 04/10/2011 21:37, Peter Olsson wrote:
> I hope this is the right list for this question.
> In FreeBSD 8.2, how do I make ntpd not open any
> IPv6 ports? I have searched man pages and google,
> but haven't found the answer. Some ntpd have the
> command line option -4, but that doesn't seem to
> be the case with FreeBSD ntpd.
>
> The server runs IPv6, but ntpd will only ever be used
> with IPv4 servers, so I don't want any unnecessary
> open IPv6 ports for ntpd.
>
> "Use restrict" or "Use a firewall" is not the answer.
> I just don't want this junk in netstat -an:
> udp6       0      0 fe80:3::1.123          *.*
> udp6       0      0 ::1.123                *.*
> udp6       0      0 x:x:x:x.123            *.*
> udp6       0      0 fe80:2::219:bbff.123   *.*
> udp6       0      0 fe80:1::219:bbff.123   *.*
> udp6       0      0 *.123                  *.*

Unfortunately you can't. ntpd binds to every available interface when
it starts up, and there's nothing configuration-wise you can do to stop it.

However you can use 'restrict' or 'restrict -6' in ntpd.conf to ignore
any traffic via addresses you don't want NTP service on. It doesn't
clean up your sockstat(1) output, but it does help protect your system
time from external hackery. See
http://support.ntp.org/bin/view/Support/AccessRestrictions

I have no idea why ntpd(8) lacks this feature of binding to specified
addresses, as to my mind it should be standard for any software that can
generate network sockets.

You could try openntpd from OpenBSD which does have control over where
it will bind to (Ports: net/openntpd) -- but last I used it the degree
of clock synchronization it achieved was not as good as regular ntpd.
That was some time ago now, and the situation may well have changed
since then.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
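
Added example, not part of the original message: a Python check that evaluates which `restrict` entry applies to a packet's source address, so a configuration can be tested offline for whether IPv6 traffic is ignored while the sockets stay bound. The sample configuration is constructed; most-specific-match selection, numeric addresses only, and treating an unqualified `default` as IPv4-only are assumptions of this example.

```python
import ipaddress

# Constructed sample configuration (not from the thread).
SAMPLE_CONF = """\
server 192.0.2.10 iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 default ignore   # drop every IPv6 packet...
restrict -6 ::1              # ...except from loopback
"""

def parse_restrict(conf_text):
    """Return [(network, flags)] for each 'restrict' line (numeric addresses only)."""
    rules = []
    for line in conf_text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok, family = tok[1:], None
        if tok[0] in ("-4", "-6"):
            family, tok = tok[0], tok[1:]
        addr, tok = tok[0], tok[1:]
        if addr == "default":
            # Assumption: unqualified 'default' covers IPv4 only.
            net = ipaddress.ip_network("::/0" if family == "-6" else "0.0.0.0/0")
        else:
            ip = ipaddress.ip_address(addr)
            plen = ip.max_prefixlen                  # no mask: single-host entry
            if tok and tok[0] == "mask":
                plen = bin(int(ipaddress.ip_address(tok[1]))).count("1")
                tok = tok[2:]
            net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        rules.append((net, set(tok)))
    return rules

def flags_for(rules, source):
    """Flags of the most specific entry matching the packet's source address."""
    src = ipaddress.ip_address(source)
    hits = [(n, f) for n, f in rules if n.version == src.version and src in n]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def is_ignored(rules, source):
    """True if a packet from 'source' would be dropped by an 'ignore' entry."""
    flags = flags_for(rules, source)
    return flags is not None and "ignore" in flags

if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_CONF)
    for src in ("2001:db8::5", "fe80::1", "::1", "192.0.2.10"):
        print(src, "ignored" if is_ignored(rules, src) else "served")
```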