Netgate Discussion Forum

    NTP Config Question

    General pfSense Questions
    42 Posts 4 Posters 7.3k Views
      johnpoz LAYER 8 Global Moderator @jchud

      @jchud said in NTP Config Question:

      it lists ntpd as listening on like the IPv6 loopback address.

      Yeah, so even if you disabled IPv6 the loopback would still be there. It's almost impossible to get rid of the loopback IPv6 address "::1", as this is linked into the OS at a very low level.

      If you're not enabling IPv6 on your LAN and don't have RA running, there is no way for clients to get an IPv6 address. Sure, they could still have loopback, and maybe a link-local address depending on how exactly you disabled IPv6, but clients are not going to be able to use IPv6 to talk to your NTP server.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        jchud @johnpoz

        @johnpoz Yeah, kind of what I figured; was just hoping there was some kind of way to tell ntpd to ignore using it anyway.

          stephenw10 Netgate Administrator

          I could see it being rejected, because all services on the firewall are limited by the firewall rules rather than by where they listen, but you could open a feature request for it:
          https://redmine.pfsense.org

          Steve

            johnpoz LAYER 8 Global Moderator @jchud

            @jchud said in NTP Config Question:

            was just hoping there was some kind of way to tell ntpd to ignore using it anyway.

            Why? Not understanding the point.

            I just looked at the ntp conf created when you only select specific interfaces to listen on, and it is placing the ignore all and ignore wildcard statements in the ntpd.conf.

            But it still shows listening on ::1. Not sure why it matters, though? Not like something can talk to that.

              jchud @johnpoz

              @johnpoz More of an "if it's not needed/being used, why have it even running anyway" type of ideology.

                johnpoz LAYER 8 Global Moderator

                I hear you, but ::1 has been tied into the OS at such a level that I don't see how you could stop it. Like I said, even when you disable IPv6 you're still going to see that there.

                They might be able to change ntp to be bound to an IP vs the interface to remove that. But then you're going to run into issues if the user changes, for some reason, the interface IP that ntp is supposed to be listening on.

                If you look at the conf being created you can see how they tell ntp to ignore all and wildcard, and then it just calls out the interfaces you have highlighted to listen on in the GUI:

                interface ignore all
                interface ignore wildcard
                interface listen igb3
                interface listen igb0
                interface listen igb2
                interface listen igb2.4
                interface listen igb5
                

                  jchud @johnpoz

                  @johnpoz Yeah, completely aware of all that. Was just kind of hoping there was something like adding a -v4 flag to the ntpd command or in the conf file (though I guess in that case it would be more like "interface ignore IPv6") type of deal. Not to mention any time I make a manual change to the conf file it just gets rolled back to whatever is set via the GUI following a restart of the service or of pfSense.

                    johnpoz LAYER 8 Global Moderator

                    Yeah, you would have to change the system.inc file.

                      JKnott @johnpoz

                      @johnpoz said in NTP Config Question:

                      If you have IPv6 connectivity, and you just use an FQDN for your NTP, and they get back AAAA, then yeah, they would connect via IPv6.
                      But you sure can prevent clients on your end from using IPv6 to talk to your NTP server. And if you don't want stuff to use IPv6, why do you have it enabled in the first place?

                      Wouldn't it be easier to configure DNS to provide only an IPv4 address? If there are no AAAA records from the DNS, then the client can't use them. In my DNS I have to specify both IPv4 and IPv6 addresses for each host name.

                      PfSense running on Qotom mini PC
                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                      UniFi AC-Lite access point

                      I haven't lost my mind. It's around here...somewhere...

                        johnpoz LAYER 8 Global Moderator

                        Exactly, if DNS does not return AAAA then the client would never try to access IPv6, because it wouldn't know where to go.

                        I think the OP is more concerned that ntp is showing as listening on ::1, vs any sort of actual issue.

                        On Linux you could probably do something like ntpd_opts with -4 -g or the like, but I don't think that works with FreeBSD.

                          JKnott @johnpoz

                          @johnpoz said in NTP Config Question:

                          I think the OP is more concerned that ntp is showing to be listening on ::1

                          I'm trying to imagine how that would be a problem. Not having much luck.

                            johnpoz LAYER 8 Global Moderator

                            hehe on that we can agree ;)

                              jchud

                              As far as I know my pfSense box, which is running the DNS Resolver, is not giving out any records for IPv6 addresses. And I am not specifically saying that there is a problem, issue, or security thing with NTP listening on ::1 or any IPv6 address; simply that, as a preference, if I am not using IPv6 at all on my network, why have anything even remotely listening on it.

                                johnpoz LAYER 8 Global Moderator

                                @jchud said in NTP Config Question:

                                am not using IPv6 at all on my network, why have anything even remotely listening on it.

                                And again, the IPv6 stack is so integrated into the OS these days that you're still going to see the base stuff like the IPv6 loopback ::1.

                                If your pfSense doesn't have any actual IPv6 addresses on it, nor your firewall allowing it, then nothing is going to be able to use NTP via IPv6, or anything else via IPv6. But you're not going to be able to get rid of stuff listening on the IPv6 loopback.

                                My Windows box has NO IPv6 addresses, not even link-local; IPv6 is disabled on it, but it still shows the network stack with stuff listening on IPv6:

                                  UDP    [::]:123               *:*
                                  UDP    [::]:500               *:*
                                  UDP    [::]:3389              *:*
                                  UDP    [::]:3702              *:*
                                  UDP    [::]:3702              *:*
                                  UDP    [::]:3702              *:*
                                  UDP    [::]:3702              *:*
                                  UDP    [::]:3838              *:*
                                  UDP    [::]:4500              *:*
                                  UDP    [::]:49670             *:*
                                  UDP    [::]:58936             *:*
                                  UDP    [::]:59263             *:*
                                  UDP    [::]:61468             *:*
                                  UDP    [::1]:123              *:*
                                  UDP    [::1]:1900             *:*
                                  UDP    [::1]:5353             *:*
                                  UDP    [::1]:55844            *:*
                                

                                  jchud @johnpoz

                                  @johnpoz I know, but if I can disable/configure something not to use it, especially if I do not need it to, then that would be preferable, that is all. I am well aware that things like IPv6 are so integrated into the OS and whatnot nowadays that it is extremely difficult to disable/get rid of completely. Like I said, if I can then great; if not then so be it.

                                    johnpoz LAYER 8 Global Moderator

                                    You can not get rid of ::1, and no you can get rid of stuff being shown to listen on it. But again it doesn't matter..

                                    Here's my Cisco switch that has ZERO setup for IPv6 on it; it still shows its SSH and HTTP services listening on IPv6 ;)

                                    sg300-28#sho services tcp-udp
                                    Type  Local IP address       Remote IP address      Service name  State
                                    ----  ---------------------  ---------------------  ------------  -----------
                                    
                                    TCP   All:22                 All:0                  SSH           listen    
                                    TCP   All:80                 All:0                  HTTP          listen    
                                    TCP   All:443                All:0                  HTTPS         listen    
                                    TCP   192.168.9.99:22        192.168.9.100:50737    SSH           established
                                    TCP6  All-22                 All-0                  SSH           listen    
                                    TCP6  All-80                 All-0                  HTTP          listen    
                                    TCP6  All-443                All-0                  HTTPS         listen    
                                    UDP   All:123                                       
                                    UDP   All:161                                       SNMP
                                    UDP   All:5353                                      Bonjour
                                    UDP6  All-123                                       
                                    UDP6  All-161                                       SNMP
                                    sg300-28#
                                    

                                      jchud @johnpoz

                                      @johnpoz OK, great. Like I said, if it could be done then great (in this case with the NTP daemon), and if not that is just fine too. I totally agree it does not matter, regardless of the service; I was simply curious if NTP had a way to be configured as such.

                                        johnpoz LAYER 8 Global Moderator

                                        You are supposed to be able to set ntpd_opts and call out only IPv4, so it doesn't show it listening on IPv6, even the loopback. But it doesn't work with FreeBSD, from my understanding. Here it works on Linux, for example:

                                        pi@pi-hole:~ $ netstat -an | grep .123
                                        udp        0      0 192.168.3.10:123        0.0.0.0:*                          
                                        udp        0      0 127.0.0.1:123           0.0.0.0:*                          
                                        udp        0      0 0.0.0.0:123             0.0.0.0:*                          
                                        udp6       0      0 fe80::5680:ff38:68f:123 :::*                               
                                        udp6       0      0 ::1:123                 :::*                               
                                        udp6       0      0 :::123                  :::*              
                                        

                                        I then set ntpd_opts to -4

                                        pi@pi-hole:/etc/default $ cat /etc/default/ntp
                                        NTPD_OPTS='-4 -g'
                                        

                                        Restart ntp and there is no more IPv6 in ntp:

                                        pi@pi-hole:/etc/default $ netstat -an | grep .123
                                        udp        0      0 192.168.3.10:123        0.0.0.0:*                          
                                        udp        0      0 127.0.0.1:123           0.0.0.0:*                          
                                        udp        0      0 0.0.0.0:123             0.0.0.0:*   
                                        


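Added example, not code from the thread, pfSense or the ntp project: a small audit script that turns the before/after check johnpoz did by eye above into something repeatable. It parses the two listing formats a practitioner meets here, Linux `netstat -an` and FreeBSD `sockstat -l`, and reports which address families have a socket on UDP/123. The two Linux listings embedded as samples are the ones posted above; the FreeBSD listing is constructed (the addresses, PIDs and the unrelated unbound row in it are made up) to look like a default ntpd on a FreeBSD host.

```python
"""Audit which address families ntpd has sockets on, from netstat/sockstat output.

Added example, not from the thread, pfSense or ntp. Handles Linux `netstat -an`
rows (udp/udp6, no process column) and FreeBSD `sockstat -l` rows (with a
COMMAND column), so the effect of NTPD_OPTS='-4' or of a changed `interface`
block can be confirmed rather than eyeballed.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "family local port")

# Linux `netstat -an` row:   udp6  0  0  ::1:123  :::*
_NETSTAT = re.compile(r"^(udp6?|tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")
# FreeBSD `sockstat -l` row: root  ntpd  53176  20  udp6  *:123  *:*
_SOCKSTAT = re.compile(
    r"^\S+\s+(\S+)\s+\d+\s+\d+\s+(udp|tcp)([46])\s+(\S+):(\d+|\*)\s+\S+"
)


def parse_listing(text, command="ntpd", port=123):
    """Return the sockets bound on `port` as Listener records.

    netstat rows carry no process name, so every row on the port is kept;
    sockstat rows are filtered to `command`. Unrecognised lines are skipped.
    """
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _SOCKSTAT.match(line)
        if m:
            cmd, fam, local, lport = m.group(1), m.group(3), m.group(4), m.group(5)
            if cmd == command and lport == str(port):
                found.append(Listener("ipv6" if fam == "6" else "ipv4", local, port))
            continue
        m = _NETSTAT.match(line)
        if m and m.group(3) == str(port):
            family = "ipv6" if m.group(1).endswith("6") else "ipv4"
            found.append(Listener(family, m.group(2), port))
    return found


def ipv6_listeners(listeners):
    """The subset still bound on IPv6: ::1, the :: or * wildcard, or a link-local."""
    return [l for l in listeners if l.family == "ipv6"]


def summarize(listeners):
    """Local addresses grouped by family, in listing order."""
    out = {"ipv4": [], "ipv6": []}
    for l in listeners:
        out[l.family].append(l.local)
    return out


# The two Linux listings from the thread, before and after NTPD_OPTS='-4 -g'.
LINUX_BEFORE = """\
udp        0      0 192.168.3.10:123        0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::5680:ff38:68f:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*
"""
LINUX_AFTER = """\
udp        0      0 192.168.3.10:123        0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""
# Constructed FreeBSD `sockstat -l` excerpt (addresses and PIDs made up):
# default ntpd bindings plus one unrelated daemon, to show the command filter.
FREEBSD_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       53176 20 udp6   *:123                 *:*
root     ntpd       53176 21 udp4   *:123                 *:*
root     ntpd       53176 22 udp4   192.168.1.1:123       *:*
root     ntpd       53176 23 udp6   ::1:123               *:*
unbound  unbound    41210 5  udp4   192.168.1.1:53        *:*
"""

if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():  # e.g.  sockstat -l | python3 ntp_bind_audit.py
        samples = [("stdin", sys.stdin.read())]
    else:
        samples = [("linux before", LINUX_BEFORE), ("linux after", LINUX_AFTER),
                   ("freebsd sample", FREEBSD_SAMPLE)]
    for label, text in samples:
        v6 = ipv6_listeners(parse_listing(text))
        status = "still bound on IPv6: " + ", ".join(l.local for l in v6) if v6 else "IPv4 only"
        print(f"{label}: {status}")
```

Run it after restarting ntpd, piping `sockstat -l` (FreeBSD/pfSense) or `netstat -an` (Linux) into it; the ::1 and wildcard rows are either reported or not. On the config side, ntp.conf's `interface` command accepts the family keywords `ipv4` and `ipv6` alongside `all`, `wildcard` and interface names, so an `interface ignore ipv6` line in the generated stanza is the config-file counterpart of the `-4` flag shown above; on pfSense that line has to come from system.inc, since the GUI regenerates ntpd.conf, as noted earlier in the thread. Whether a given ntpd build then also closes the ::1 socket is exactly what this audit confirms.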
                                          jchud @johnpoz

                                          @johnpoz Thanks for that, and good to know; still sucks about it not working in FreeBSD though.

                                            jchud

                                            @johnpoz Just wanted to say thanks for all your help. Took your advice and looked at system.inc, ntpd_opts, etc. and was able to have it stop listening on both all of IPv6 and a VIP address. Which in turn let me get rid of some NAT and firewall rules I had in place. Not to mention I was then able to extend this same principle one step further and got sshd not to listen on IPv6 as well.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.