Configuring ntpd and php-fpm to only listen on lan interface
I want to make sure that no services are listening on the wan interface for security reasons and I have run into some puzzling obstacles.
The relevant lines from my /var/etc/ntpd.conf
interface listen 127.0.0.1
interface listen 192.168.1.1
However the diag_sockets.php page on the webgui shows ntp listening as below
root ntpd 23304 21 udp4 *:123 .
root ntpd 23304 22 udp4 192.168.1.1:123 .
root ntpd 23304 23 udp4 127.0.0.1:123 .
root ntpd 23304 20 udp6 *:123 .
root ntpd 23304 24 udp6 ::1:123 .
And the relevant lines from my /usr/local/etc/php-fpm.conf file
listen = /var/run/php-fpm.socket
And the open sockets
root php-fpm 292 5 udp4 . .
root php-fpm 291 5 udp4 . .
root php-fpm 290 5 udp4 . .
root php-fpm 289 5 udp4 . .
root php-fpm 292 5 udp6 . .
root php-fpm 291 5 udp6 . .
root php-fpm 290 5 udp6 . .
root php-fpm 289 5 udp6 . .
netstat -nl shows
udp4 0 0 127.0.0.1.123 .
udp4 0 0 192.168.1.1.123 .
So nothing listening on all ports. Is this just an artifact of how diag_sockets displays socket information? It seems *:123 should mean ntpd is listening on all interfaces on port 123. Also I can't fully trust the netstat output because it doesn't show nginx listening on 443 and 80 despite an active web connection, which will have to be a question for another day. But I am very confused how and why ntpd and php-fpm show as listening on all interfaces when the conf files show them as restricted to the lan for ntpd and a local unix file socket for php-fpm.
Can anyone shed any light on this?
Some relevant syslog entries
Ntpd: Listen and drop on 0 v6wildcard [::]:123
Ntpd: Listen and drop on 1 v4wildcard 0.0.0.0:123
Ntpd: Listen normally on 2 em1 192.168.1.1:123
Ntpd: Listen normally on 3 lo0 127.0.0.1:123
Ntpd: Listen normally on 4 lo0 [::]:123
Ntpd: Listening on routing socket on fd #25 for interface updates
While I'm glad ntpd is dropping packets on the wan interface, I'd rather it wasn't listening at all. I deleted the "interface drop all" line from the conf file for that very reason and yet ntpd is ignoring its own conf.
You cannot do any such thing with ntpd because the upstream is just moronic and completely hopeless.
ntpd currently binds always to wildcard for two purposes:
- avoid running multiple times (detected by EADDRINUSE)
- prevent other applications from binding to that port (somewhat defeated by the -I directive)
ntpd will bind to wildcard, but will drop all packets received on it:
21 Jan 21:26:14 ntpd: Listen and drop on 0 v4wildcard 0.0.0.0:123
Binding to the wildcard address cannot be avoided. Communication via wildcard is not done (except for very peculiar OS variants).
Thanks for the info, but I did find a way. I added "interface ignore wildcard" to ntpd.conf and Hallelujah it works! That only leaves php-fpm. Any ideas on that one?
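The ntpd side of this thread, put together as a runnable check. This is an added example, not code from either poster or from pfSense: it writes the ntpd.conf fragment with the `interface ignore wildcard` line that fixed the problem above (the listen addresses are the ones from the first post), then runs a small filter over sockstat-style socket listings that flags any process still bound to a wildcard address, so the fix can be verified after an ntpd restart. The socket lines are constructed for the example, modelled on the diag_sockets.php output quoted above, with one nginx and one sshd line added to show that the filter is not ntpd-specific. The temp file is only so the script runs stand-alone; on pfSense the real file is /var/etc/ntpd.conf, and the system rewrites that file when the NTP service is (re)configured, so a hand edit is an assumption that may not survive a restart.

```shell
#!/bin/sh
# Added example (not from the forum posts or pfSense).  Two parts:
#   1) the ntpd.conf fragment that stops ntpd binding the wildcard sockets
#   2) a filter that flags wildcard listeners in sockstat-style output

# Part 1: ntpd.conf lines.  "interface ignore wildcard" is the line the
# thread found; the two listen lines are the original poster's own.
# Assumption: the file is written from scratch here for the demo; on a
# real pfSense box /var/etc/ntpd.conf is generated by the system.
write_ntpd_conf() {
    cat > "$1" <<'EOF'
interface ignore wildcard
interface listen 127.0.0.1
interface listen 192.168.1.1
EOF
}

# True (exit 0) if the conf file carries the ignore-wildcard directive.
conf_ignores_wildcard() {
    grep -q '^interface ignore wildcard' "$1"
}

# Part 2: constructed sockstat -l style lines (constructed sample, not a real
# capture): USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.
# The ntpd lines mirror the diag_sockets.php listing quoted in the thread;
# the nginx and sshd lines are added so the filter is exercised on other
# daemons too.
SAMPLE_SOCKETS='root ntpd 23304 21 udp4 *:123 *:*
root ntpd 23304 22 udp4 192.168.1.1:123 *:*
root ntpd 23304 23 udp4 127.0.0.1:123 *:*
root ntpd 23304 20 udp6 *:123 *:*
root ntpd 23304 24 udp6 ::1:123 *:*
root nginx 1234 6 tcp4 192.168.1.1:443 *:*
root sshd 999 4 tcp4 *:22 *:*'

# Reads sockstat-style lines on stdin and prints "command proto local"
# for every socket whose local address is a wildcard ("*:port", which is
# how sockstat prints both 0.0.0.0 and :: bindings).
wildcard_listeners() {
    awk '$6 ~ /^\*:/ { print $2, $5, $6 }'
}

# Reads sockstat-style lines on stdin, prints how many wildcard listeners
# belong to the named command (0 means that daemon is cleanly bound).
wildcard_count_for() {
    wildcard_listeners | awk -v p="$1" '$1 == p' | wc -l | tr -d ' '
}

main() {
    tmp=$(mktemp)
    write_ntpd_conf "$tmp"
    echo "ntpd.conf fragment:"
    cat "$tmp"
    rm -f "$tmp"
    echo
    echo "Wildcard listeners in the sample socket listing:"
    printf '%s\n' "$SAMPLE_SOCKETS" | wildcard_listeners
    echo
    echo "ntpd wildcard sockets: $(printf '%s\n' "$SAMPLE_SOCKETS" | wildcard_count_for ntpd)"
}

main "$@"
```

On the firewall itself the input to `wildcard_listeners` would come from `sockstat -l -P udp -p 123` rather than the constructed sample; after restarting ntpd with the ignore-wildcard line in place, that listing should show only 127.0.0.1:123, ::1:123 and 192.168.1.1:123, and the "Listen and drop on ... wildcard" lines should no longer appear in syslog. The sample above still contains the pre-fix wildcard sockets, so the filter reports two for ntpd; the same filter reporting zero is the post-fix state to look for.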