Netgate Discussion Forum

NTP Config Question

General pfSense Questions
42 Posts 4 Posters 7.3k Views

stephenw10 (Netgate Administrator)

You could just disable outbound NAT for that IP and it won't be able to make any outbound connections. You could block it as well then, to be doubly sure.

Steve

jchud

But if I just flat out disable outbound NAT, how do I make it so the other stuff on my network can get out? I assume that, just like the VIP, any device on my network that is making such a connection is ultimately getting NATted as well.

stephenw10 (Netgate Administrator)

You can just disable it for 10.10.10.1.

Set outbound NAT to hybrid mode.

Add a new rule. WAN. Check 'do not NAT'. Source: 10.10.10.1.

Steve

jchud

Thanks. I disabled NAT for it and set up a floating ACL to block it from making an outbound connection. That appears to have worked, as I no longer see the occasional entry for it in the state table, and it's showing stuff in the States column on the firewall rules page. However, it is not showing any entries of the rule being triggered on the firewall log page; is that normal? Also, not a result of this, but I occasionally see entries on the NTP log page that say something like "some IP address local addr 10.10.10.1 -> <null>". Any idea what this is about?

Lastly, so I guess there is currently no way to get NTP to not listen on/use IPv6?

johnpoz (LAYER 8 Global Moderator)

@jchud said in NTP Config Question:

Lastly, so I guess there is currently no way to get NTP to not listen on/use IPv6?

If you have IPv6 connectivity, and you just use an FQDN for your NTP, and they get back AAAA, then yeah, they would connect via IPv6.

But you sure can prevent clients on your end from using IPv6 to talk to your NTP server.. And if you don't want stuff to use IPv6.. why do you have it enabled in the first place?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

stephenw10 (Netgate Administrator)

Can we see the actual NTP log line?

You won't see that traffic blocked in the firewall log unless you enabled logging in the floating rule.

If IPs exist, ntpd will listen on them, including IPv6.

Steve

jchud @johnpoz

@johnpoz I have all IPv6 traffic blocked by the firewall, plus I do not have a gateway configured for it, nor a DHCP server configured to hand out addresses for it; my wireless access point has as much of it disabled as I can manage, and I disabled it on all my LAN devices that I could as well. If there is more I can do on the pfSense box to turn it off, let me know. But for the time being, when I look at the open sockets on pfSense, it lists ntpd as listening on, like, the IPv6 loopback address.

jchud @stephenw10

@stephenw10 I will post a copy of that line from the log file later, as I currently do not have access to it. In the meantime, how do I enable logging in the floating rule? All I saw was "log the packet that triggered rule", and I don't specifically need to keep a copy of the packet itself. And I guess then that, since I can't exactly stop pfSense from creating link-local IPv6 addresses, there is no way to stop ntpd from using them. It would be nice, though, if there was a flag that could be added to the config file, or as part of the command that launches ntpd, which specifies a specific IP version for it to use.

stephenw10 (Netgate Administrator)

That option just enables logging on the firewall rule. You will see traffic blocked by that rule in the firewall log. It doesn't store packets in any way.

Steve

jchud @stephenw10

@stephenw10 Oh ok, my bad, I thought checking that box would log the packet itself and thus the setting to have it log when the rule is triggered was somewhere else.

johnpoz (LAYER 8 Global Moderator) @jchud

@jchud said in NTP Config Question:

it lists ntpd as listening on, like, the IPv6 loopback address.

Yeah, so.. even if you disabled IPv6, the loopback would still be there. It's almost impossible to get rid of the loopback IPv6 address "::1", as this is linked into the OS at a very low level.

If you're not enabling IPv6 on your LAN, and don't have RA running, there is no way for clients to get an IPv6 address. Sure, they could still have loopback, and even a link-local maybe, depending on how exactly you disabled IPv6.. But clients are not going to be able to use IPv6 to talk to your NTP server.

jchud @johnpoz

@johnpoz Yeah, kind of what I figured; I was just hoping there was some kind of way to tell ntpd to ignore using it anyway.

stephenw10 (Netgate Administrator)

I could see it being rejected, because all services on the firewall are limited by the firewall rules rather than by where they listen, but you could open a feature request for it:
https://redmine.pfsense.org

Steve

johnpoz (LAYER 8 Global Moderator) @jchud

@jchud said in NTP Config Question:

was just hoping there was some kind of way to tell ntpd to ignore using it anyway.

Why? Not understanding the point..

I just looked at the ntp conf created when you only list specific interfaces to listen on, and it is placing the ignore all and wildcard statements in the ntpd.conf.

But it still lists listening on ::1; not sure why it matters, though? Not like something can talk to that.

jchud @johnpoz

@johnpoz More of an "if it's not needed/being used, why have it even running as such anyway" type ideology.

johnpoz (LAYER 8 Global Moderator)

I hear you - but ::1 has been tied into the OS at such a level.. I don't see how you could stop it. Like I said, even when you disable IPv6 you're still going to see that there.

They might be able to change ntp to be bound to an IP vs the interface to remove that... But then you're going to run into issues if the user changes the interface IP that ntp is supposed to be listening on for some reason.

If you look at the conf being created you can see how they tell ntp to ignore all and wildcard, and then just call out the interfaces you have highlighted to listen on in the GUI:

interface ignore all
interface ignore wildcard
interface listen igb3
interface listen igb0
interface listen igb2
interface listen igb2.4
interface listen igb5

jchud @johnpoz

@johnpoz Yeah, completely aware of all that. I was just kind of hoping there was something like adding a -v4 flag to the ntpd command or in the conf file (though I guess in that case it would be more like "interface ignore IPv6") type deal. Not to mention that any time I make a manual change to the conf file it just gets rolled back to whatever is set via the GUI following a restart of the service or pfSense.

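The directives johnpoz quoted, and the "interface ignore IPv6" idea jchud floated, can be reasoned about without touching a live box. ntp.conf(5) documents the interface command as `interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name | address[/prefixlen]]`, with the last matching rule deciding the action for an address. The Python model below is an added illustration for this thread, not pfSense or ntpd code: parse_interface_rules() pulls those directives out of an ntpd.conf body and decide() applies them per the documented rule order, plus three defaults that are my reading of ntpd's ntp_io.c interface_action() and should be treated as assumptions (marked in the comments): "all" does not cover loopback or wildcard addresses, loopback and wildcard addresses are opened unless a rule matches them, and once any rule exists every other address is ignored by default. The directive list is the one posted above; the interface addresses are constructed sample data.

```python
"""Model of which local addresses ntpd opens under ntp.conf "interface" rules.

Added illustration for this thread, not pfSense or ntpd code. Documented
semantics (ntp.conf(5)): the last matching rule decides; match classes are
all, ipv4, ipv6, wildcard, an interface name, or address[/prefixlen].
Assumed defaults (my reading of ntpd's ntp_io.c interface_action()): "all"
excludes loopback and wildcard addresses; loopback and wildcard addresses
are opened unless a rule matches them; with any rule present, the rest is
ignored by default.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LocalAddr:
    ifname: str
    text: str  # e.g. "192.168.1.1", "fe80::1%igb0", "::1"

    @property
    def ip(self):
        # Drop any "%zone" suffix; older ipaddress versions reject scope ids.
        return ipaddress.ip_address(self.text.split("%", 1)[0])


@dataclass(frozen=True)
class Rule:
    action: str  # listen | ignore | drop
    match: str   # all | ipv4 | ipv6 | wildcard | <ifname> | <address[/prefixlen]>


def parse_interface_rules(conf_text):
    """Extract 'interface <action> <match>' directives ('nic' is an alias)."""
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) != 3 or parts[0].lower() not in ("interface", "nic"):
            continue
        action = parts[1].lower()
        if action not in ("listen", "ignore", "drop"):
            raise ValueError(f"unknown interface action in line: {raw!r}")
        rules.append(Rule(action, parts[2]))
    return rules


def rule_matches(rule, la):
    """Does one rule apply to one local address?"""
    ip, m = la.ip, rule.match.lower()
    if m == "all":
        return not (ip.is_loopback or ip.is_unspecified)  # assumption: excluded from "all"
    if m == "ipv4":
        return ip.version == 4
    if m == "ipv6":
        return ip.version == 6
    if m == "wildcard":
        return ip.is_unspecified
    try:
        net = ipaddress.ip_network(rule.match, strict=False)  # address or address/prefixlen
    except ValueError:
        return fnmatch.fnmatch(la.ifname.lower(), m)  # otherwise an interface name
    return ip.version == net.version and ip in net


def decide(rules, la):
    """Action ntpd would take for one local address: 'listen', 'ignore' or 'drop'."""
    for rule in reversed(rules):  # the last matching rule wins
        if rule_matches(rule, la):
            return rule.action
    if la.ip.is_loopback or la.ip.is_unspecified:
        return "listen"  # assumption: loopback/wildcard open unless a rule matches them
    return "ignore" if rules else "listen"  # any rule present => implicit ignore


def plan(conf_text, local_addrs):
    """Map each address string to the action the directives in conf_text produce."""
    rules = parse_interface_rules(conf_text)
    return {la.text: decide(rules, la) for la in local_addrs}


# The directives pfSense wrote for the interfaces ticked in the NTP GUI (as posted above).
PFSENSE_CONF = """\
interface ignore all
interface ignore wildcard
interface listen igb3
interface listen igb0
interface listen igb2
interface listen igb2.4
interface listen igb5
"""

# Constructed sample addresses for such a box; igb1 stands in for an unticked interface.
SAMPLE_ADDRS = [
    LocalAddr("lo0", "127.0.0.1"),
    LocalAddr("lo0", "::1"),
    LocalAddr("igb0", "192.168.1.1"),
    LocalAddr("igb0", "fe80::1%igb0"),
    LocalAddr("igb2.4", "10.10.40.1"),
    LocalAddr("igb1", "203.0.113.2"),
    LocalAddr("-", "0.0.0.0"),
    LocalAddr("-", "::"),
]

if __name__ == "__main__":
    for label, extra in (("posted directives", ""),
                         ("with 'interface ignore ipv6' appended", "interface ignore ipv6\n")):
        print(f"--- {label}")
        for addr, action in plan(PFSENSE_CONF + extra, SAMPLE_ADDRS).items():
            print(f"{addr:14} {action}")
```

Run against the posted directives, the model opens 127.0.0.1 and ::1 (the loopback default), every address of each listed interface including its fe80:: link-local, and ignores the wildcard and unlisted-interface addresses. Appending `interface ignore ipv6` (or the narrower `interface ignore ::1`) flips the IPv6 entries to ignore while leaving 127.0.0.1 and the IPv4 LAN addresses open. As noted in the thread, pfSense regenerates ntpd.conf from the GUI, so such a line only persists if the generator itself is changed.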
johnpoz (LAYER 8 Global Moderator)

Yeah, you would have to change the system.inc file.

JKnott @johnpoz

@johnpoz said in NTP Config Question:

If you have IPv6 connectivity, and you just use an FQDN for your NTP, and they get back AAAA, then yeah, they would connect via IPv6.
But you sure can prevent clients on your end from using IPv6 to talk to your NTP server.. And if you don't want stuff to use IPv6.. why do you have it enabled in the first place?

Wouldn't it be easier to configure DNS to provide only an IPv4 address? If there are no AAAA records from the DNS, then the client can't use them. In my DNS I have to specify both IPv4 and IPv6 addresses for each host name.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

johnpoz (LAYER 8 Global Moderator)

Exactly, if DNS does not return AAAA then the client would never try to access IPv6, because it wouldn't know where to go..

I think the OP is more concerned that ntp is showing as listening on ::1, vs any sort of actual issue.

On Linux you could prob do something like ntpd_opts with -4 -g or the like, but I don't think that works with FreeBSD..

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.