Configuring ntpd and php-fpm to only listen on lan interface

  • I want to make sure that no services are listening on the wan interface for security reasons and I have run into some puzzling obstacles.

    The relevant lines from my /var/etc/ntpd.conf

    interface listen
    interface listen

    However the diag_sockets.php page on the webgui shows ntp listening as below

    root  ntpd  23304  21  udp4    *:123      .
    root  ntpd  23304  22  udp4  .
    root  ntpd  23304  23  udp4  .
    root  ntpd  23304  20  udp6    *:123    .
    root  ntpd  23304  24  udp6    ::1:123  .

    And the relevant lines from my /usr/local/etc/php-fpm.conf file

    listen = /var/run/php-fpm.socket

    And the open sockets

    root  php-fpm  292  5  udp4  .    .
    root  php-fpm  291  5  udp4  .    .
    root  php-fpm  290  5  udp4  .    .
    root  php-fpm  289  5  udp4  .    .
    root  php-fpm  292  5  udp6  .    .
    root  php-fpm  291  5  udp6  .    .
    root  php-fpm  290  5  udp6  .    .
    root  php-fpm  289  5  udp6  .    .

    Netstat -nl shows

    udp4  0  0    .
    udp4  0  0  .

    So nothing listening on all ports. Is this just an artifact of how diag_sockets displays socket information? It seems *:123 should mean ntpd is listening on all interfaces on port 123. Also I can't fully trust the netstat output because it doesn't show nginx listening on 443 and 80 despite an active web connection, which will have to be a question for another day. But I am very confused how and why ntpd and php-fpm show as listening on all interfaces when the conf files show them as restricted to the lan for ntpd and a local unix file socket for php-fpm.
    Can anyone shed any light on this?

  • Some relevant syslog entries

    ntpd[22379]: Listen and drop on 0 v6wildcard [::]:123
    ntpd[22379]: Listen and drop on 1 v4wildcard
    ntpd[22379]: Listen normally on 2 em1
    ntpd[22379]: Listen normally on 3 lo0
    ntpd[22379]: Listen normally on 4 lo0 [::]:123
    ntpd[22379]: Listening on routing socket on fd #25 for interface updates

    While I'm glad ntpd is dropping packets on the wan interface, I'd rather it wasn't listening at all. I deleted the "interface drop all" line from the conf file for that very reason and yet ntpd is ignoring its own conf.

  • Banned

    You cannot do any such thing with ntpd because the upstream is just moronic and completely hopeless.

    ntpd currently binds always to wildcard for two purposes:

    • avoid running multiple times (detected by EADDRINUSE)
    • prevent other applications from binding to that port (somewhat defeated by
      the -I directive)

    ntpd will bind to wildcard, but will drop all packets received on it:
    21 Jan 21:26:14 ntpd[30070]: Listen and drop on 0 v4wildcard

    Binding to the wildcard address cannot be avoided. Communication via wildcard
    is not done (except for very peculiar OS variants).

  • Thanks for the info, but I did find a way. I added "interface ignore wildcard" to ntpd.conf and Hallelujah, it works! That only leaves php-fpm. Any ideas on that one?
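The check the thread is really asking for, as an added example that is not code from pfSense or from any of the posters: a small parser for output in the layout of `sockstat -l` (what diag_sockets.php shows) that flags every listening socket bound to a wildcard address or to an address outside the networks you treat as internal. The thread's own listings arrived with the addresses stripped, so the sample listing below is constructed to resemble them; the LAN subnet, interface addresses, PIDs and the nginx entries are assumptions. Note the caveat from the syslog entries above: ntpd's wildcard bind is "Listen and drop", so packets arriving on it are discarded, but the socket still exists and this check still reports it, which is exactly the binding the `interface ignore wildcard` directive removed.

```python
"""Flag listening sockets reachable from outside the LAN.

Added example for this thread, not code from pfSense or the posters. It reads
output in the layout of `sockstat -l` (what diag_sockets.php shows) and reports
each listening socket bound to a wildcard address or to an address outside the
networks you consider internal. The sample listing is constructed to resemble
the thread's output; addresses, PIDs and the nginx lines are assumptions.
"""
import ipaddress

# Constructed sample in `sockstat -l` column order:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS           FOREIGN ADDRESS
root     ntpd       23304 21 udp4   *:123                   *:*
root     ntpd       23304 22 udp4   192.168.1.1:123         *:*
root     ntpd       23304 23 udp4   127.0.0.1:123           *:*
root     ntpd       23304 20 udp6   *:123                   *:*
root     ntpd       23304 24 udp6   ::1:123                 *:*
root     php-fpm    292   5  stream /var/run/php-fpm.socket
root     nginx      1234  6  tcp4   192.168.1.1:443         *:*
root     nginx      1234  7  tcp4   203.0.113.5:443         *:*
"""

# Assumed internal ranges: the LAN subnet plus loopback. Adjust to your site.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]

# Local-address spellings that mean "every interface".
WILDCARDS = {"*", "0.0.0.0", "::"}


def split_local(local):
    """Split 'host:port' into (host, port); '::1:123' -> ('::1', '123')."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), port


def is_internal(host, networks):
    """True only for a concrete address inside one of the given networks."""
    if host in WILDCARDS:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def find_exposed(sockstat_text, networks=INTERNAL_NETWORKS):
    """Return (command, pid, proto, local) for each socket bound to a
    wildcard or to a non-internal address. Unix-domain sockets (stream/dgram)
    are skipped: a path like /var/run/php-fpm.socket is not reachable over
    the network at all."""
    exposed = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "USER":
            continue
        command, pid, proto, local = fields[1], fields[2], fields[4], fields[5]
        if proto in ("stream", "dgram"):
            continue
        host, _port = split_local(local)
        if host in WILDCARDS or not is_internal(host, networks):
            exposed.append((command, pid, proto, local))
    return exposed


if __name__ == "__main__":
    for command, pid, proto, local in find_exposed(SAMPLE_SOCKSTAT):
        print(f"{command}[{pid}] {proto} {local}")
```

Run against real output with `sockstat -l | python3 check_listen.py` after replacing the sample with `sys.stdin.read()`; on the constructed listing it reports the two ntpd wildcard binds and the nginx socket on the assumed WAN address, and stays quiet about the php-fpm unix socket and the LAN and loopback binds.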
