    Configuring ntpd and php-fpm to only listen on lan interface

    General pfSense Questions
bigguy_

      I want to make sure that no services are listening on the wan interface for security reasons and I have run into some puzzling obstacles.

      The relevant lines from my /var/etc/ntpd.conf

      interface listen 127.0.0.1
      interface listen 192.168.1.1

      However the diag_sockets.php page on the webgui shows ntp listening as below

      root  ntpd  23304  21  udp4    *:123      .
      root  ntpd  23304  22  udp4  192.168.1.1:123  .
      root  ntpd  23304  23  udp4  127.0.0.1:123  .
      root  ntpd  23304  20  udp6    *:123    .
      root  ntpd  23304  24  udp6    ::1:123  .

      And the relevant lines from my /usr/local/etc/php-fpm.conf file

      listen = /var/run/php-fpm.socket

      And the open sockets

      root  php-fpm  292  5  udp4  .    .
      root  php-fpm  291  5  udp4  .    .
      root  php-fpm  290  5  udp4  .    .
      root  php-fpm  289  5  udp4  .    .
      root  php-fpm  292  5  udp6  .    .
      root  php-fpm  291  5  udp6  .    .
      root  php-fpm  290  5  udp6  .    .
      root  php-fpm  289  5  udp6  .    .

      Netstat -nl shows

      udp4  0  0  127.0.01.123    .
      udp4  0  0  192.168.1.1.123  .

So nothing listening on all ports. Is this just an artifact of how diag_sockets displays socket information? It seems *:123 should mean ntpd is listening on all interfaces on port 123. Also I can't fully trust the netstat output because it doesn't show nginx listening on 443 and 80 despite an active web connection, which will have to be a question for another day. But I am very confused how and why ntpd and php-fpm show as listening on all interfaces when the conf files show them as restricted to the LAN for ntpd and a local unix file socket for php-fpm.
Can anyone shed any light on this?

bigguy_

        Some relevant syslog entries

        Ntpd[22379]: Listen and drop on 0 v6wildcard [::]:123
        Ntpd[22379]: Listen and drop on 1 v4wildcard 0.0.0.0:123
        Ntpd[22379]: Listen normally on 2 em1 192.168.1.1:123
        Ntpd[22379]: Listen normally on 3 lo0 127.0.0.1:123
        Ntpd[22379]: Listen normally on 4 lo0 [::]:123
        Ntpd[22379]: Listening on routing socket on fd #25 for interface updates

        While I'm glad ntpd is dropping packets on the wan interface, I'd rather it wasn't listening at all. I deleted the "interface drop all" line from the conf file for that very reason and yet ntpd is ignoring its own conf.

doktornotor

          You cannot do any such thing with ntpd because the upstream is just moronic and completely hopeless.

          http://bugs.ntp.org/show_bug.cgi?id=2996#c1

          ntpd currently binds always to wildcard for two purposes:

• avoid running multiple times (detected by EADDRINUSE)
• prevent other applications from binding to that port (somewhat defeated by the -I directive)

          ntpd will bind to wildcard, but will drop all packets received on it:
          21 Jan 21:26:14 ntpd[30070]: Listen and drop on 0 v4wildcard 0.0.0.0:123

Binding to the wildcard address cannot be avoided. Communication via wildcard is not done (except for very peculiar OS variants).

          http://support.ntp.org/bin/view/Dev/NtpdAndNetworkSockets
          http://bugs.ntp.org/show_bug.cgi?id=2996
          http://bugs.ntp.org/show_bug.cgi?id=2637
          http://bugs.ntp.org/show_bug.cgi?id=983
          http://bugs.ntp.org/show_bug.cgi?id=214

bigguy_

Thanks for the info, but I did find a way. I added "interface ignore wildcard" to ntpd.conf and Hallelujah it works! That only leaves php-fpm. Any ideas on that one?

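As an added check, not part of the thread or of pfSense, here is a small Python script that parses sockstat-style rows like the diag_sockets output quoted above and flags any TCP/UDP listener bound to a wildcard address (`*`, `0.0.0.0`, `::`) or to an address outside an allowed set. Running it against the real output before and after adding `interface ignore wildcard` shows whether only the LAN and loopback sockets remain; the sample rows are constructed from the thread's listing, and the allowed-address set is an assumption.

```python
"""Flag listeners bound to the wildcard address in sockstat-style output."""
# Constructed sample in the column layout of pfSense's diag_sockets.php / sockstat(1):
# USER COMMAND PID FD PROTO LOCAL FOREIGN. Values modelled on the thread, not captured.
SAMPLE = """\
root  ntpd     23304  21  udp4  *:123            .
root  ntpd     23304  22  udp4  192.168.1.1:123  .
root  ntpd     23304  23  udp4  127.0.0.1:123    .
root  ntpd     23304  20  udp6  *:123            .
root  ntpd     23304  24  udp6  ::1:123          .
root  php-fpm  292    5   udp4  .                .
root  nginx    4711   6   tcp4  192.168.1.1:443  *:*
"""

WILDCARDS = {"*", "0.0.0.0", "::"}


def split_endpoint(endpoint):
    """Split 'addr:port' as sockstat prints it; '.' means no local address."""
    if endpoint == ".":
        return None, None
    addr, _, port = endpoint.rpartition(":")  # rpartition keeps IPv6 colons intact
    return addr.strip("[]"), port


def parse_sockstat(text):
    """Return one dict per TCP/UDP row; headers, unix sockets and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[4] not in {"tcp4", "tcp6", "udp4", "udp6"}:
            continue
        _user, cmd, pid, _fd, proto, local, _foreign = parts
        addr, port = split_endpoint(local)
        rows.append({"cmd": cmd, "pid": int(pid), "proto": proto, "addr": addr, "port": port})
    return rows


def wildcard_listeners(rows, allowed):
    """Rows bound to a wildcard or to an address outside the allowed set (assumed policy)."""
    flagged = []
    for row in rows:
        if row["addr"] is None:
            continue  # no local address shown (as in the thread's php-fpm rows): nothing to flag
        if row["addr"] in WILDCARDS or row["addr"] not in allowed:
            flagged.append(row)
    return flagged


if __name__ == "__main__":
    for row in wildcard_listeners(parse_sockstat(SAMPLE), {"127.0.0.1", "::1", "192.168.1.1"}):
        print(f"{row['cmd']}[{row['pid']}] {row['proto']} bound to {row['addr']}:{row['port']}")
```

On a live box, feed it `sockstat -l` output instead of SAMPLE; rows whose local column is "." carry no address to check, which is why the php-fpm rows from the thread are reported as nothing rather than as wildcard listeners.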