NTP Config Question
-
I have my pfsense box running as my networks NTP server. As I also have pfblockerng-devel installed I subsequently have the VIP 10.10.10.1. And I recently noticed that ntpd is listening on that VIP address, thus I was wondering is there any way to stop this? I get that it is not technically a bad thing but still, tried doing it via the GUI and couldn't figure out a way so I tried directly modifying the conf file but every time things were restarted all my changes were undone.
Also while I have things set to block all IPv6 traffic regardless ntpd is also listening on it, is there any way to have it only use IPv4?
-
You can add ACLs to restrict what it responds to from different subnets but there's no way to select which IPs the daemon listens on from the GUI.
As you say though it shouldn't really matter if you have appropriate firewall rules in place.Steve
-
I already have ACLs in place that pass all internal NTP traffic regardless of its destination to a specific internal address on my network, which is not the VIP, so technically it shouldn't be able to respond to queries as it won't be getting any. Just kind of annoying that I have to use resources to prevent things from going to it while its also using resources and all this could be avoided by something as simple as cutting it off at the source. With that said I did notice that the VIP address does occasionally make outbound request to get time information and I have tried to put ACLs in place on both the LAN and WAN side to prevent this but I can not seem to get it trigger the rule, any suggestion?
And while there isn't a means to get it to stop using the VIP address is there a way to at least tell it not to use IPv6?
-
If you need to prevent outbound traffic from the VIP that would have to be a floating rule set to the appropriate interface and direction out. That's the only place you can block/deny outbound.
Steve
-
Sure, but what I think is happening is that it is occurring on the WAN interface so the firewall rules are seeing as it is coming from my public IP address while its actually the 10.10.10.1 address that is making the call. And I can see this in the state table as it list the VIP as the original source. So seeing as I can't just have a blanket outbound rule on my WAN blocking anything to port 123 I am not sure how to configure the rule in a way that only gets triggered when its VIP address making the request. Any suggestions would be greatly appreciated.
-
You could just disable outbound NAT that IP and won't be able to make any outbound connections. You could block it as well then to be double sure.
Steve
-
But if I just flat out disable Outbound NAT how do I make so the other stuff on my network can get out, as I assume just like the VIP is doing any device on my network that is making such a connection is ultimately getting NATted as well.
-
You can just disable it for 10.10.10.1.
Set outbound NAT to hybrid mode.
Add a new rule. WAN. Check 'do not nat'. Source: 10.10.10.1.
Steve
-
Thanks. I disabled NAT for it and set up a floating ACL to block it from making an outboud connection. Which appears to have worked as I no longer see the occasional entry for it in the state table and its showing stuff in the states column on the firewall rule page. However it is not showing any entries of the rule being triggered in the firewall log page, is that normal? Also, not a result of this, but I occasionally see entries in the NTP log page that say something like some IP address local addr 10.10.10.1 -> <null> any idea what this is about?
Lastly so I guess there is currently no way to get NTP to not listen/use IPv6?
-
@jchud said in NTP Config Question:
Lastly so I guess there is currently no way to get NTP to not listen/use IPv6?
If you have IPv6 connectivity, and you just use fqdn for your ntp, and they get back AAAA then yeah they would connect via ipv6.
But you sure can prevent clients on your end from using ipv6 to talk to your ntp server.. And if you don't want stuff to use ipv6.. Why do you have it enabled in the first place?
-
Can we see that actual NTP log line?
You won't see that traffic blocked in the firewall log unless you enabled logging in the floating rule.
If IPs exist ntpd will listen on them including IPv6.
Steve
-
@johnpoz I have all IPv6 traffic blocked by the firewall plus do not have a gateway configured for it, nor a DHCP server configured to hand address for it, my wireless access point has as much disabled about it as I can, and all my LAN devices that I could I disabled it as well. If there is more I can do on the pfSense box that I can do to turn it off let me know. But for the time being when I look at the open sockets on pfSense it list ntpd as listening on like the IPv6 loopback address.
-
@stephenw10 I will post a copy of that line from the log file later, as I currently do not have access to it. In the meantime how do I enable logging in the floating rule, because all I saw was to "log the packet that triggered rule" and I don't specifically need to keep a copy of the packet itself? And I guess then that since I can't exactly disable pfSense from creating link local IPv6 addresses there is no way to stop ntpd from using them, would be nice though if there was like a flag that could be added to the config file or as part of the command that launches ntpd which specifies a specific version for it use.
-
That option just enables logging on the firewall rule. You will see traffic blocked by that rule in the firewall log. It doesn't store packets in any way.
Steve
-
@stephenw10 Oh ok my bad I thought checking that box would log the packet itself and thus the setting to have it log when the rule is triggered was somewhere else.
-
@jchud said in NTP Config Question:
it list ntpd as listening on like the IPv6 loopback address.
Yeah so.. even if you disabled ipv6 the loopback would still be there. Its almost impossible to git rid of the loopback ipv6 address "::1" as this is linked into the OS at very low level.
If your not creating a ip6 enabled on your lan, and don't have RA running there is no way clients to get an IPb6 address. Sure they could still have loopback, and even a link local maybe depending how you disabled ipv6 exactly.. But client not going to be able to use ipv6 to talk to your ntp server.
-
@johnpoz Yeah kind of what I figured, was just hoping there was some kind of way to tell ntpd to ignore using it anyway.
-
I could see it being rejected because all services on the firewall are limited by the firewall rules rather where they listen but you could open a feature request for it:
https://redmine.pfsense.orgSteve
-
@jchud said in NTP Config Question:
was just hoping there was some kind of way to tell ntpd to ignore using it anyway.
Why? Not understanding the point..
I just looked at the ntp conf created when you only list specific interfaces to list, and it is placing the ignore all and wildcard statements in the ntpd.conf
But still lists listening on ::1, but not sure why it matters? Not like something can talk to that.
-
@johnpoz More of a if its not needed/being used why have it even running as such anyway type ideology.