Message-ID: <4E8B7F64.9080008@infracaninophile.co.uk>
Date: Tue, 04 Oct 2011 22:49:24 +0100
From: Matthew Seaman
To: freebsd-stable@freebsd.org
Subject: Re: How disable ntpd on IPv6 adresses?
In-Reply-To: <20111004203743.GM23883@pol.leissner.se>

On 04/10/2011 21:37, Peter Olsson wrote:
> I hope this is the right list for this question.
> In FreeBSD 8.2, how do I make ntpd not open any
> IPv6 ports? I have searched man pages and google,
> but haven't found the answer. Some ntpd have the
> command line option -4, but that doesn't seem to
> be the case with FreeBSD ntpd.
>
> The server runs IPv6, but ntpd will only ever be used
> with IPv4 servers, so I don't want any unnecessary
> open IPv6 ports for ntpd.
>
> "Use restrict" or "Use a firewall" is not the answer.
> I just don't want this junk in netstat -an:
> udp6       0      0 fe80:3::1.123          *.*
> udp6       0      0 ::1.123                *.*
> udp6       0      0 x:x:x:x.123            *.*
> udp6       0      0 fe80:2::219:bbff.123   *.*
> udp6       0      0 fe80:1::219:bbff.123   *.*
> udp6       0      0 *.123                  *.*

Unfortunately you can't. ntpd binds to every available interface when
it starts up, and there's nothing configuration-wise you can do to stop it.

However you can use 'restrict' or 'restrict -6' in ntpd.conf to ignore
any traffic via addresses you don't want NTP service on. It doesn't
clean up your sockstat(1) output, but it does help protect your system
time from external hackery. See
http://support.ntp.org/bin/view/Support/AccessRestrictions

I have no idea why ntpd(8) lacks this feature of binding to specified
addresses, as to my mind it should be standard for any software that can
generate network sockets.

You could try openntpd from OpenBSD which does have control over where
it will bind to (Ports: net/openntpd) -- but last I used it the degree
of clock synchronization it achieved was not as good as regular ntpd.
That was some time ago now, and the situation may well have changed
since then.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
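
The 'restrict -6' approach from the message above, written out as an added example (not part of the original post): access-control lines for /etc/ntp.conf, the file FreeBSD's base ntpd reads, that keep IPv4 time service working and drop all IPv6 NTP traffic except loopback. The server address 192.0.2.10 is a constructed placeholder from the documentation range; ntpd still opens the udp6 sockets, it only ignores packets arriving on them.

```conf
# /etc/ntp.conf fragment (added example; server address is a placeholder)

# IPv4 upstream time source. 192.0.2.10 is a documentation address:
# replace it with the real IPv4 server.
server 192.0.2.10 iburst

# IPv4 default policy: time exchange is allowed, but remote hosts may not
# reconfigure the daemon (nomodify), register traps (notrap), form
# unconfigured peer associations (nopeer) or run ntpq/ntpdc queries (noquery).
restrict default nomodify notrap nopeer noquery

# IPv6 default policy: drop every packet, time requests and queries alike.
# The udp6 *.123 sockets remain visible in netstat/sockstat, but nothing
# received on them is answered or used to steer the clock.
restrict -6 default ignore

# Loopback entries are more specific than the defaults above, so local
# ntpq/ntpdc keep working over either address family.
restrict 127.0.0.1
restrict -6 ::1
```

After restarting ntpd (`/etc/rc.d/ntpd restart`), `ntpq -pn` run locally should still list the IPv4 server with a non-zero reach value.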