Configuring ntpd and php-fpm to only listen on lan interface
-
I want to make sure that no services are listening on the wan interface for security reasons and I have run into some puzzling obstacles.
The relevant lines from my /var/etc/ntpd.conf
interface listen 127.0.0.1
interface listen 192.168.1.1
However the diag_sockets.php page on the webgui shows ntp listening as below
root ntpd 23304 21 udp4 *:123 .
root ntpd 23304 22 udp4 192.168.1.1:123 .
root ntpd 23304 23 udp4 127.0.0.1:123 .
root ntpd 23304 20 udp6 *:123 .
root ntpd 23304 24 udp6 ::1:123 .
And the relevant lines from my /usr/local/etc/php-fpm.conf file
listen = /var/run/php-fpm.socket
And the open sockets
root php-fpm 292 5 udp4 . .
root php-fpm 291 5 udp4 . .
root php-fpm 290 5 udp4 . .
root php-fpm 289 5 udp4 . .
root php-fpm 292 5 udp6 . .
root php-fpm 291 5 udp6 . .
root php-fpm 290 5 udp6 . .
root php-fpm 289 5 udp6 . .
Netstat -nl shows
udp4 0 0 127.0.01.123 .
udp4 0 0 192.168.1.1.123 .
So nothing listening on all ports. Is this just an artifact of how diag_sockets displays socket information? It seems *:123 should mean ntpd is listening on all interfaces on port 123. Also I can't fully trust the netstat output because it doesn't show nginx listening on 443 and 80 despite an active web connection, which will have to be a question for another day. But I am very confused how and why ntpd and php-fpm show as listening on all interfaces when the conf files show them as restricted to the lan for ntpd and a local unix file socket for php-fpm.
Can anyone shed any light on this? -
Some relevant syslog entries
Ntpd[22379]: Listen and drop on 0 v6wildcard [::]:123
Ntpd[22379]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Ntpd[22379]: Listen normally on 2 em1 192.168.1.1:123
Ntpd[22379]: Listen normally on 3 lo0 127.0.0.1:123
Ntpd[22379]: Listen normally on 4 lo0 [::]:123
Ntpd[22379]: Listening on routing socket on fd #25 for interface updates
While I'm glad ntpd is dropping packets on the wan interface, I'd rather it wasn't listening at all. I deleted the "interface drop all" line from the conf file for that very reason and yet ntpd is ignoring its own conf.
-
You cannot do any such thing with ntpd because the upstream is just moronic and completely hopeless.
http://bugs.ntp.org/show_bug.cgi?id=2996#c1
ntpd currently binds always to wildcard for two purposes:
- avoid running multiple times (detected by EADDRINUSE)
- prevent other applications from binding to that port (somewhat defeated by
the -I directive)
ntpd will bind to wildcard, but will drop all packets received on it:
21 Jan 21:26:14 ntpd[30070]: Listen and drop on 0 v4wildcard 0.0.0.0:123
Binding to the wildcard address cannot be avoided. Communication via wildcard is not done (except for very peculiar OS variants).
http://support.ntp.org/bin/view/Dev/NtpdAndNetworkSockets
http://bugs.ntp.org/show_bug.cgi?id=2996
http://bugs.ntp.org/show_bug.cgi?id=2637
http://bugs.ntp.org/show_bug.cgi?id=983
http://bugs.ntp.org/show_bug.cgi?id=214 -
Thanks for the info, but I did find a way. I added "interface ignore wildcard" to ntpd.conf and Hallelujah, it works! That only leaves php-fpm. Any ideas on that one?
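The confusion in this thread comes from reading a sockstat-style listing (the format diag_sockets.php shows) without cross-checking it against what the daemon itself logs. The script below is an added example, not code from the thread or from pfSense: it parses constructed lines in that column layout, treats entries with no local address (". .") as unbound rather than listening, flags wildcard binds (*, 0.0.0.0, ::), and downgrades an ntpd wildcard bind to "wildcard-drop" when the ntpd log shows a matching "Listen and drop" line, as in the syslog entries posted above. The allowed address set, the nginx sample line, and the function names are assumptions made for the example.

```python
"""Audit a sockstat-style socket listing for binds outside loopback/LAN.

Column layout assumed (as on diag_sockets.php / sockstat):
  USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional, List, Set

# Loopback plus the LAN address from the thread; an assumption for the example.
ALLOWED_ADDRS = {"127.0.0.1", "::1", "192.168.1.1"}

# Constructed sample listing (the nginx line is added to show the "exposed" case).
SAMPLE_SOCKETS = """\
root ntpd 23304 21 udp4 *:123 .
root ntpd 23304 22 udp4 192.168.1.1:123 .
root ntpd 23304 23 udp4 127.0.0.1:123 .
root ntpd 23304 20 udp6 *:123 .
root ntpd 23304 24 udp6 ::1:123 .
root php-fpm 292 5 udp4 . .
root php-fpm 291 5 udp6 . .
root nginx 4242 6 tcp4 *:443 .
"""

# Constructed ntpd syslog lines; "Listen and drop" is the wildcard socket ntpd
# holds but discards traffic on (see the upstream bug quoted in the thread).
SAMPLE_NTPD_LOG = """\
ntpd[22379]: Listen and drop on 0 v6wildcard [::]:123
ntpd[22379]: Listen and drop on 1 v4wildcard 0.0.0.0:123
ntpd[22379]: Listen normally on 2 em1 192.168.1.1:123
"""

WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}


@dataclass
class Finding:
    command: str
    proto: str
    local: str
    status: str  # one of: ok, unbound, wildcard-drop, exposed


def split_local(local: str):
    """Split 'addr:port' on the last colon so IPv6 addresses like ::1 survive."""
    addr, _, port = local.rpartition(":")
    return addr, port


def drop_only_ports(ntpd_log: str) -> Set[str]:
    """Ports for which ntpd logged a wildcard 'Listen and drop' socket."""
    ports = set()
    for line in ntpd_log.splitlines():
        m = re.search(r"Listen and drop on \d+ v[46]wildcard \S+:(\d+)", line)
        if m:
            ports.add(m.group(1))
    return ports


def classify(line: str, drop_ports: Set[str]) -> Optional[Finding]:
    """Classify one listing line; returns None for lines that do not parse."""
    fields = line.split()
    if len(fields) < 7:
        return None
    _user, command, _pid, _fd, proto, local, _foreign = fields[:7]
    if local == ".":
        # No local address at all: the socket is not bound, so nothing can reach it.
        return Finding(command, proto, local, "unbound")
    addr, port = split_local(local)
    if addr in WILDCARDS:
        if command == "ntpd" and port in drop_ports:
            return Finding(command, proto, local, "wildcard-drop")
        return Finding(command, proto, local, "exposed")
    if addr in ALLOWED_ADDRS:
        return Finding(command, proto, local, "ok")
    return Finding(command, proto, local, "exposed")


def audit(sockets: str, ntpd_log: str) -> List[Finding]:
    """Classify every parseable line of the listing."""
    drop_ports = drop_only_ports(ntpd_log)
    results = [classify(line, drop_ports) for line in sockets.splitlines()]
    return [f for f in results if f is not None]


def exposed(sockets: str, ntpd_log: str) -> List[Finding]:
    """Only the sockets that genuinely accept traffic from any interface."""
    return [f for f in audit(sockets, ntpd_log) if f.status == "exposed"]


if __name__ == "__main__":
    for f in audit(SAMPLE_SOCKETS, SAMPLE_NTPD_LOG):
        print(f"{f.status:14} {f.command:8} {f.proto} {f.local}")
```

Run against the sample, the two ntpd *:123 entries come out as "wildcard-drop", the php-fpm entries as "unbound", and only the constructed nginx *:443 line as "exposed". Feed it the real diag_sockets output and the current ntpd log lines to check whether "interface ignore wildcard" actually removed the wildcard entries on a given box.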