Date: Fri, 6 Dec 2002 16:30:37 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: Xntpd running on a host with jails
Message-ID: <20021206163037.GA1630@happy-idiot-talk.infracaninophi>
In-Reply-To: <000001c29d37$7eb97280$952b6e94@lucifer>
References: <000001c29d37$7eb97280$952b6e94@lucifer>
On Fri, Dec 06, 2002 at 03:55:19PM +0100, Didier Wiroth wrote:

> I'm running xntpd on a host which has jails! I saw that ntpd listens on
> all ip addresses even the jails ip addresses! How can I force xntp to
> listen only at a specific ip address?

Errr... To the best of my knowledge, you can't. There's no documented
capability in the ntp.conf file to tell ntpd to bind to a particular
interface, and as far as I can tell from reading the source, there's
just no way to do that.

However, think about it. You couldn't run several copies of ntpd
simultaneously on one physical machine --- makes no sense, even if the
ntpd's are running in separate jails. The machine's clock can only be
set to one time. As ntpd is going to be the only serious contender to
use UDP port 123, it really doesn't matter if the ntpd on the host
system blocks port 123 on the jails.

If you're worried about security, use the built-in mechanisms provided
by ntpd --- the best strategy is to use the 'restrict' mechanism to set
a default policy to ignore everything, and then open up the minimum
amount of access required to make the service work. E.g.

    restrict default ignore                    # Everyone can go away ...
    restrict 127.0.0.1                         # except me ...
    restrict 192.168.0.0 mask 255.255.255.0    # or the local net.

    server   123.45.67.89                      # A remote NTP server
    restrict 123.45.67.89 nomodify             # Can send us a timestamp,
                                               # but can't modify our
                                               # configuration.

If you are using your machine to provide NTP service to a network of
clients or peering several machines together for resilience, create an
ntp.keys(5) file and copy it to each of your machines --- the M type
key format is probably the best, but you may need to use the A type to
support older servers. Prefer the clients and local servers to use the
key-based auth mechanism to operate --- if you want to broadcast or
multicast a time signal to a whole network, this will be required.

Use IPFW or IPF to restrict access to the local port 123.

A useful feature of NTP is that it uses port 123 at *both* ends of the
connection, although if your client is behind a NAT gateway it may
appear to use a random high numbered port on the client end.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                  26 The Paddocks
                                                 Savill Way
                                                 Marlow
Tel: +44 1628 476614                             Bucks., SL7 1TH UK
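An added example, not part of the original mail: a small checker for the "restrict default ignore, then open up the minimum" policy described above. It parses an ntp.conf-style text and reports the omissions that bite in practice with that policy (no default line, no localhost entry, a configured server with no matching restrict line so its replies are dropped, or a server allowed to modify the configuration). The sample configuration and the second server address are constructed for illustration.

```python
"""Audit an ntp.conf against the 'restrict default ignore' policy.
Added example; the SAMPLE_CONF below is constructed, not from the mail."""
import re
from typing import Dict, List

SAMPLE_CONF = """\
restrict default ignore                    # Everyone can go away ...
restrict 127.0.0.1                         # except me ...
restrict 192.168.0.0 mask 255.255.255.0    # or the local net.
server   123.45.67.89                      # A remote NTP server
restrict 123.45.67.89 nomodify             # Can send time, cannot reconfigure
server   198.51.100.7                      # constructed: server with no restrict line
"""

def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Return {'server': [...], 'restrict': [...]}; each entry is the token
    list after the keyword, with '#' comments and blank lines stripped."""
    out: Dict[str, List[List[str]]] = {"server": [], "restrict": []}
    for raw in text.splitlines():
        line = re.sub(r"#.*", "", raw).strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in out and len(tokens) > 1:
            out[tokens[0]].append(tokens[1:])
    return out

def audit(text: str) -> List[str]:
    """Return findings; an empty list means the config follows the policy."""
    conf = parse_conf(text)
    findings: List[str] = []
    defaults = [r for r in conf["restrict"] if r[0] == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: everything is open by default")
    elif "ignore" not in defaults[0][1:]:
        findings.append("'restrict default' does not ignore: default policy is too open")
    # Map each restricted address to its flags (mask/flags tokens after the address).
    restricted = {r[0]: r[1:] for r in conf["restrict"]}
    if "127.0.0.1" not in restricted:
        findings.append("localhost has no restrict line: local ntpq queries are dropped")
    for srv in conf["server"]:
        addr = srv[0]
        if addr not in restricted:
            findings.append(f"server {addr} has no restrict line: with 'default ignore' "
                            "its replies are dropped and the clock never syncs")
        elif "nomodify" not in restricted[addr]:
            findings.append(f"server {addr} may modify our configuration: add nomodify")
    return findings
```

Run `audit(open("/etc/ntp.conf").read())` on a real file; the sample above yields exactly one finding, for the server that has no restrict line.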