Configuring ntpd and php-fpm to only listen on the LAN interface



  • I want to make sure that no services are listening on the WAN interface for security reasons, and I have run into some puzzling obstacles.

    The relevant lines from my /var/etc/ntpd.conf

    interface listen 127.0.0.1
    interface listen 192.168.1.1

    However the diag_sockets.php page on the webgui shows ntp listening as below

    root  ntpd  23304  21  udp4    *:123      .
    root  ntpd  23304  22  udp4  192.168.1.1:123  .
    root  ntpd  23304  23  udp4  127.0.0.1:123  .
    root  ntpd  23304  20  udp6    *:123    .
    root  ntpd  23304  24  udp6    ::1:123  .

    And the relevant lines from my /usr/local/etc/php-fpm.conf file

    listen = /var/run/php-fpm.socket

    And the open sockets

    root  php-fpm  292  5  udp4  .    .
    root  php-fpm  291  5  udp4  .    .
    root  php-fpm  290  5  udp4  .    .
    root  php-fpm  289  5  udp4  .    .
    root  php-fpm  292  5  udp6  .    .
    root  php-fpm  291  5  udp6  .    .
    root  php-fpm  290  5  udp6  .    .
    root  php-fpm  289  5  udp6  .    .

    netstat -nl shows

    udp4  0  0  127.0.0.1.123    .
    udp4  0  0  192.168.1.1.123  .

    So nothing listening on all ports. Is this just an artifact of how diag_sockets displays socket information? It seems *:123 should mean ntpd is listening on all interfaces on port 123. Also, I can't fully trust the netstat output because it doesn't show nginx listening on 443 and 80 despite an active web connection, which will have to be a question for another day. But I am very confused how and why ntpd and php-fpm show as listening on all interfaces when the conf files show them as restricted to the LAN for ntpd and a local unix file socket for php-fpm.
    Can anyone shed any light on this?



  • Some relevant syslog entries

    ntpd[22379]: Listen and drop on 0 v6wildcard [::]:123
    ntpd[22379]: Listen and drop on 1 v4wildcard 0.0.0.0:123
    ntpd[22379]: Listen normally on 2 em1 192.168.1.1:123
    ntpd[22379]: Listen normally on 3 lo0 127.0.0.1:123
    ntpd[22379]: Listen normally on 4 lo0 [::]:123
    ntpd[22379]: Listening on routing socket on fd #25 for interface updates

    While I'm glad ntpd is dropping packets on the WAN interface, I'd rather it wasn't listening at all. I deleted the "interface drop all" line from the conf file for that very reason, and yet ntpd is ignoring its own conf.


  • You cannot do any such thing with ntpd because the upstream is just moronic and completely hopeless.

    http://bugs.ntp.org/show_bug.cgi?id=2996#c1

    ntpd currently binds always to wildcard for two purposes:

    • avoid running multiple times (detected by EADDRINUSE)
    • prevent other applications from binding to that port (somewhat defeated by
      the -I directive)

    ntpd will bind to wildcard, but will drop all packets received on it:
    21 Jan 21:26:14 ntpd[30070]: Listen and drop on 0 v4wildcard 0.0.0.0:123

    Binding to the wildcard address cannot be avoided. Communication via wildcard
    is not done (except for very peculiar OS variants).

    http://support.ntp.org/bin/view/Dev/NtpdAndNetworkSockets
    http://bugs.ntp.org/show_bug.cgi?id=2996
    http://bugs.ntp.org/show_bug.cgi?id=2637
    http://bugs.ntp.org/show_bug.cgi?id=983
    http://bugs.ntp.org/show_bug.cgi?id=214



  • Thanks for the info, but I did find a way. I added "interface ignore wildcard" to ntpd.conf and, Hallelujah, it works! That only leaves php-fpm. Any ideas on that one?
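As an added check (not code from the thread, from pfSense or from the ntp project), here is a small POSIX sh audit for the two things this thread turns on: whether any daemon still holds a wildcard (*:port) socket that would also answer on the WAN address, and whether ntpd.conf carries the "interface ignore wildcard" directive from the last post rather than just the "interface listen" lines from the first one. The sockstat lines and the ntpd.conf fragments are constructed samples modeled on the listings above; the nginx line, the 203.0.113.5 address and the sshd line are assumptions added to make the checks meaningful.

```shell
#!/bin/sh
# Added audit helper, not part of the original thread.
# Live use on the firewall:   sockstat -l | wildcard_listeners
#                             sockstat -l | listeners_on <WAN address>
#                             ntpd_conf_ignores_wildcard < /var/etc/ntpd.conf

# Constructed sample in sockstat -l column order
# (USER COMMAND PID FD PROTO LOCAL FOREIGN), modeled on the first post's
# diag_sockets listing: ntpd still holds the v4 and v6 wildcard sockets.
# The nginx/203.0.113.5 and sshd lines are assumptions (a WAN listener and
# a LAN-only listener) so the address check has something to find.
SAMPLE_BEFORE='root ntpd 23304 21 udp4 *:123 *:*
root ntpd 23304 22 udp4 192.168.1.1:123 *:*
root ntpd 23304 23 udp4 127.0.0.1:123 *:*
root ntpd 23304 20 udp6 *:123 *:*
root ntpd 23304 24 udp6 ::1:123 *:*
root nginx 1234 8 tcp4 203.0.113.5:443 *:*
root sshd 999 4 tcp4 192.168.1.1:22 *:*'

# The same host after "interface ignore wildcard": no *:123 sockets remain.
SAMPLE_AFTER='root ntpd 23304 22 udp4 192.168.1.1:123 *:*
root ntpd 23304 23 udp4 127.0.0.1:123 *:*
root ntpd 23304 24 udp6 ::1:123 *:*
root sshd 999 4 tcp4 192.168.1.1:22 *:*'

# Constructed ntpd.conf fragments. The first is the config from the first
# post: ntpd still binds the wildcard address (packets dropped, port open).
# The second adds the directive that stops ntpd from binding it at all.
NTP_CONF_WEAK='interface listen 127.0.0.1
interface listen 192.168.1.1'
NTP_CONF_FIXED='interface ignore wildcard
interface listen 127.0.0.1
interface listen 192.168.1.1'

# wildcard_listeners: read sockstat-style lines on stdin and print
# "COMMAND PROTO LOCAL" for every socket bound to *:port. A header line
# (first field USER) is skipped. Prints nothing when the host is clean.
# A wildcard socket is reachable on every address, WAN included, so this
# check matters even when nothing binds the WAN address by name.
wildcard_listeners() {
    awk '$1 == "USER" { next }
         $6 ~ /^\*:/ { print $2, $5, $6 }'
}

# listeners_on ADDR: print sockets whose local address is exactly ADDR
# (any port). Pass the WAN address to confirm nothing binds it explicitly.
# Matching "ADDR:" at the start of the field works for IPv6 too (::1:123).
listeners_on() {
    awk -v a="$1" '$1 == "USER" { next }
         index($6, a ":") == 1 { print $2, $5, $6 }'
}

# ntpd_conf_ignores_wildcard: exit 0 if the ntpd.conf on stdin contains an
# active "interface ignore wildcard" line (comments stripped first), else 1.
ntpd_conf_ignores_wildcard() {
    sed 's/#.*//' |
    grep -Eq '^[[:space:]]*interface[[:space:]]+ignore[[:space:]]+wildcard[[:space:]]*$'
}

# Demo on the constructed samples.
echo "wildcard listeners before the fix:"
printf '%s\n' "$SAMPLE_BEFORE" | wildcard_listeners
echo "wildcard listeners after the fix:"
printf '%s\n' "$SAMPLE_AFTER" | wildcard_listeners
echo "sockets bound to the assumed WAN address 203.0.113.5:"
printf '%s\n' "$SAMPLE_BEFORE" | listeners_on 203.0.113.5
if printf '%s\n' "$NTP_CONF_WEAK" | ntpd_conf_ignores_wildcard; then
    echo "weak config: ignore wildcard present"
else
    echo "weak config: ignore wildcard missing (ntpd will still bind *:123)"
fi
```

Two caveats a practitioner would want: the upstream comment quoted above says the wildcard bind is drop-only, so `wildcard_listeners` reporting `ntpd udp4 *:123` means an open port, not necessarily a service that answers; "interface ignore wildcard" removes the socket, which is the state the last post reports. And if /var/etc/ntpd.conf is generated by the firewall at boot or on save, rerun the audit after a reload to confirm the directive survived rather than trusting the edit.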