
    NTP Config Question

    General pfSense Questions
    42 Posts 4 Posters 7.3k Views
    JKnott @johnpoz

      @johnpoz said in NTP Config Question:

      I think the OP is more concerned that ntp is showing to be listening on ::1

      I'm trying to imagine how that would be a problem. Not having much luck.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

    johnpoz LAYER 8 Global Moderator

        hehe on that we can agree ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    jchud

          As far as I know my pfSense box, which is running the DNS Resolver, is not giving out any records for IPv6 addresses. And I am not specifically saying that there is a problem, issue, or security thing with NTP listening on ::1 or any IPv6 address; simply that, as a preference, if I am not using IPv6 at all on my network, why have anything even remotely listening on it?

    johnpoz LAYER 8 Global Moderator

            @jchud said in NTP Config Question:

            am not using IPv6 at all on my network why having anything even remotely listening on it.

            And again - the ipv6 stack is so integrated into the OS these days, you're still going to see the base stuff like the ipv6 loopback ::1.

            If your pfsense doesn't have any actual IPv6 addresses on it, nor your firewall allowing it - then nothing is going to be able to use ntp via ipv6, or anything else via ipv6. But you're not going to be able to get rid of stuff listening on the ipv6 loopback..

            My windows box has NO ipv6 addresses.. not even linklocal, ipv6 is disabled on it - but it still shows the network stack with stuff listening on ipv6:

              UDP    [::]:123               *:*
              UDP    [::]:500               *:*
              UDP    [::]:3389              *:*
              UDP    [::]:3702              *:*
              UDP    [::]:3702              *:*
              UDP    [::]:3702              *:*
              UDP    [::]:3702              *:*
              UDP    [::]:3838              *:*
              UDP    [::]:4500              *:*
              UDP    [::]:49670             *:*
              UDP    [::]:58936             *:*
              UDP    [::]:59263             *:*
              UDP    [::]:61468             *:*
              UDP    [::1]:123              *:*
              UDP    [::1]:1900             *:*
              UDP    [::1]:5353             *:*
              UDP    [::1]:55844            *:*

    jchud @johnpoz

              @johnpoz I know, but if I can disable/configure something not to use it, especially if I do not need it to, then that would be preferable, that is all. I am well aware that things like IPv6 are so integrated into the OS and what not nowadays that it is extremely difficult to disable/get rid of completely. Like I said, if I can then great, if not then so be it.

    johnpoz LAYER 8 Global Moderator

                You cannot get rid of ::1, and no you can get rid of stuff being shown to listen on it. But again it doesn't matter..

                Here's my cisco switch that has ZERO setup for ipv6 on it - it still shows its ssh and http services listening on ipv6 ;)

                sg300-28#sho services tcp-udp
                Type  Local IP address       Remote IP address      Service name  State
                ----  ---------------------  ---------------------  ------------  -----------
                
                TCP   All:22                 All:0                  SSH           listen    
                TCP   All:80                 All:0                  HTTP          listen    
                TCP   All:443                All:0                  HTTPS         listen    
                TCP   192.168.9.99:22        192.168.9.100:50737    SSH           established
                TCP6  All-22                 All-0                  SSH           listen    
                TCP6  All-80                 All-0                  HTTP          listen    
                TCP6  All-443                All-0                  HTTPS         listen    
                UDP   All:123                                       
                UDP   All:161                                       SNMP
                UDP   All:5353                                      Bonjour
                UDP6  All-123                                       
                UDP6  All-161                                       SNMP
                sg300-28#

    jchud @johnpoz

                  @johnpoz Ok great, like I said if it could be done then great (in this case with the NTP daemon) and if not that is just fine too. Because I totally agree it does not matter, regardless of the service; I was simply curious if NTP had a way to be configured as such.

    johnpoz LAYER 8 Global Moderator

                    you are supposed to be able to do an ntpd_opts and call out only ipv4.. so it doesn't show it listening on ipv6, even the loopback... But it doesn't work with freebsd from my understanding... Here it works on linux for example.

                    pi@pi-hole:~ $ netstat -an | grep .123
                    udp        0      0 192.168.3.10:123        0.0.0.0:*                          
                    udp        0      0 127.0.0.1:123           0.0.0.0:*                          
                    udp        0      0 0.0.0.0:123             0.0.0.0:*                          
                    udp6       0      0 fe80::5680:ff38:68f:123 :::*                               
                    udp6       0      0 ::1:123                 :::*                               
                    udp6       0      0 :::123                  :::*              
                    

                    I then set ntpd_opts to -4

                    pi@pi-hole:/etc/default $ cat /etc/default/ntp
                    NTPD_OPTS='-4 -g'
                    

                    restart ntp and no more ipv6 in ntp

                    pi@pi-hole:/etc/default $ netstat -an | grep .123
                    udp        0      0 192.168.3.10:123        0.0.0.0:*                          
                    udp        0      0 127.0.0.1:123           0.0.0.0:*                          
                    udp        0      0 0.0.0.0:123             0.0.0.0:*   

    jchud @johnpoz

                      @johnpoz Thanks for that and good to know, still sucks about it not working in freebsd though.

    jchud

                        @johnpoz Just wanted to say thanks for all your help. Took your advice and looked at system.inc, ntpd_opts, etc. and was able to have it stop listening on both all IPv6 and a VIP address, which in turn let me get rid of some NAT and firewall rules I had in place. Not to mention I was then able to extend this same principle one step further and got sshd not to listen on IPv6 as well.

    johnpoz LAYER 8 Global Moderator

                          What exactly did you alter in system.inc? I tried adding the ntpd_opts into the ntpd.conf file that gets written and it doesn't seem to do anything.. It was still listening on ipv6 addresses... Did you also alter it to only bind to specific IPs vs the interface? I didn't try that.

                          Glad you got it sorted how you want.. If it is working on freebsd, pfsense could probably be easily altered in the gui to allow for such configs.. A feature request should hopefully get the devs to take a look see, etc.

    jchud @johnpoz

                            @johnpoz If you look at the freebsd man page for ntp.conf, under "Miscellaneous Options" where it talks about interface, along with the options to listen/ignore/drop there are options for all/ipv4/ipv6/wildcard. So I simply added a line, placed at the bottom of the conf file, that said "interface ignore ipv6". As far as the VIP goes I added the same thing, just swapping out the last part for 10.10.10.1. In regards to sshd I did basically the same thing, of course referencing its specific man page, making it so that the ssh config file had the line "AddressFamily inet" in it, which forces it to only use IPv4 addresses.

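An added verification step (written for this thread, not code from the forum or from pfSense) covering both procedures above: after setting NTPD_OPTS='-4 -g' on Linux, or adding "interface ignore ipv6" / "interface ignore 10.10.10.1" to ntp.conf on pfSense, feed the netstat -an output to this parser and it returns every NTP socket still bound to IPv6 or to a forbidden address such as the VIP. The sample netstat lines are constructed in the shape of the Linux and Windows output quoted earlier in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str   # "udp" or "tcp"; the address family is judged from the address itself
    addr: str
    port: int

    @property
    def is_ipv6(self) -> bool:
        # A ':' inside the host part means an IPv6 literal (::, ::1, fe80::..., etc.)
        return ":" in self.addr


def _split_local(local: str):
    """Split '192.168.3.10:123', ':::123' or Windows-style '[::1]:123' into (addr, port)."""
    if local.startswith("["):
        addr, _, port = local[1:].partition("]:")
    else:
        addr, _, port = local.rpartition(":")
    return addr, int(port)


def parse_listeners(netstat_text: str) -> list:
    """Parse Linux 'netstat -an' (proto recv-q send-q local foreign ...) and
    Windows 'netstat -an' (proto local foreign) lines into Listener records."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].lower().startswith(("udp", "tcp")):
            continue
        # Linux prints Recv-Q/Send-Q counters before the local address; Windows does not.
        local = parts[3] if parts[1].isdigit() and len(parts) >= 4 else parts[1]
        try:
            addr, port = _split_local(local)
        except ValueError:
            continue  # header or otherwise unparsable line
        found.append(Listener(parts[0].lower().rstrip("6"), addr, port))
    return found


def policy_violations(netstat_text: str, port: int = 123, forbidden=()) -> list:
    """Sockets on `port` that still break the policy discussed in the thread:
    any IPv6 binding, or a binding to an address listed in `forbidden` (e.g. a VIP)."""
    return [s for s in parse_listeners(netstat_text)
            if s.port == port and (s.is_ipv6 or s.addr in forbidden)]


# Constructed samples modelled on the Linux netstat output quoted above.
BEFORE = """\
udp        0      0 192.168.3.10:123        0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::5680:ff38:68f:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*
"""
AFTER = "\n".join(BEFORE.splitlines()[:3]) + "\n"   # what remains after NTPD_OPTS='-4 -g'

if __name__ == "__main__":
    print("IPv6 NTP sockets before:", [s.addr for s in policy_violations(BEFORE)])
    print("IPv6 NTP sockets after: ", [s.addr for s in policy_violations(AFTER)])
```

Pipe the real output in with `netstat -an | python3 check.py` style wiring of your choice; an empty result means the daemon no longer answers on IPv6 or on the VIP.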
    johnpoz LAYER 8 Global Moderator

                              @jchud said in NTP Config Question:

                              "interface ignore ipv6".

                              Ah so the ntpd_opts doesn't work, but that does... slick..

    jchud @johnpoz

                                @johnpoz Yep, what can I say, with over 10 years of IT experience at the enterprise level the key skill you pick up is that when it comes to the little things, where there is a will there is a way; you just have to care enough to find it. The one thing I did notice though is I had to make sure it got added to the end of the conf file, because if I added it at the beginning it did not work for some reason.

    johnpoz LAYER 8 Global Moderator

                                  hmmm should work anywhere in the config, and would think top would be better.. But will give it a try.. Problem is editing the system.inc file will get overwritten on the next update.. So you would really need to create a patch for this that can get reapplied, or best is to get it put into the gui as a check box sort of thing.

    jchud @johnpoz

                                    @johnpoz I agree, and it probably was something I was simply overlooking, as it was late last night when I was trying all this. And yes, doing it this way means that it will get overwritten on an update and what not, but one step at a time; first we get it to work, then worry about how to make it carry over 😉.

    jchud

                                      So apparently there is a -L flag that can be used when executing the command to start the NTP daemon which will tell it not to listen on VIPs. However, for this to work as such the alias for the VIP must have a colon in the name (which if you ask me is a very weird condition). Not to mention that they claim it's been deprecated, and thus it is more preferable to use the -I flag to directly and more explicitly specify the exact interface(s)/IP(s) you want it to listen on.

                                      Just out of curiosity though, if we can directly specify these things as part of the command to run NTP, versus building a config file, putting these values into it, telling NTP to get that info from the config file, etc., would it not just be easier/more efficient to build it all into a single command and have it run as such from the get go?

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.