NTP Config Question



  • I have my pfsense box running as my networks NTP server. As I also have pfblockerng-devel installed I subsequently have the VIP 10.10.10.1. And I recently noticed that ntpd is listening on that VIP address, thus I was wondering is there any way to stop this? I get that it is not technically a bad thing but still, tried doing it via the GUI and couldn't figure out a way so I tried directly modifying the conf file but every time things were restarted all my changes were undone.

    Also while I have things set to block all IPv6 traffic regardless ntpd is also listening on it, is there any way to have it only use IPv4?


  • Netgate Administrator

    You can add ACLs to restrict what it responds to from different subnets but there's no way to select which IPs the daemon listens on from the GUI.
    As you say though it shouldn't really matter if you have appropriate firewall rules in place.

    Steve



  • I already have ACLs in place that pass all internal NTP traffic regardless of its destination to a specific internal address on my network, which is not the VIP, so technically it shouldn't be able to respond to queries as it won't be getting any. Just kind of annoying that I have to use resources to prevent things from going to it while its also using resources and all this could be avoided by something as simple as cutting it off at the source. With that said I did notice that the VIP address does occasionally make outbound request to get time information and I have tried to put ACLs in place on both the LAN and WAN side to prevent this but I can not seem to get it trigger the rule, any suggestion?

    And while there isn't a means to get it to stop using the VIP address is there a way to at least tell it not to use IPv6?


  • Netgate Administrator

    If you need to prevent outbound traffic from the VIP that would have to be a floating rule set to the appropriate interface and direction out. That's the only place you can block/deny outbound.

    Steve



  • Sure, but what I think is happening is that it is occurring on the WAN interface so the firewall rules are seeing as it is coming from my public IP address while its actually the 10.10.10.1 address that is making the call. And I can see this in the state table as it list the VIP as the original source. So seeing as I can't just have a blanket outbound rule on my WAN blocking anything to port 123 I am not sure how to configure the rule in a way that only gets triggered when its VIP address making the request. Any suggestions would be greatly appreciated.


  • Netgate Administrator

    You could just disable outbound NAT that IP and won't be able to make any outbound connections. You could block it as well then to be double sure.

    Steve



  • But if I just flat out disable Outbound NAT how do I make so the other stuff on my network can get out, as I assume just like the VIP is doing any device on my network that is making such a connection is ultimately getting NATted as well.


  • Netgate Administrator

    You can just disable it for 10.10.10.1.

    Set outbound NAT to hybrid mode.

    Add a new rule. WAN. Check 'do not nat'. Source: 10.10.10.1.

    Steve



  • Thanks. I disabled NAT for it and set up a floating ACL to block it from making an outboud connection. Which appears to have worked as I no longer see the occasional entry for it in the state table and its showing stuff in the states column on the firewall rule page. However it is not showing any entries of the rule being triggered in the firewall log page, is that normal? Also, not a result of this, but I occasionally see entries in the NTP log page that say something like some IP address local addr 10.10.10.1 -> <null> any idea what this is about?

    Lastly so I guess there is currently no way to get NTP to not listen/use IPv6?


  • LAYER 8 Global Moderator

    @jchud said in NTP Config Question:

    Lastly so I guess there is currently no way to get NTP to not listen/use IPv6?

    If you have IPv6 connectivity, and you just use fqdn for your ntp, and they get back AAAA then yeah they would connect via ipv6.

    But you sure can prevent clients on your end from using ipv6 to talk to your ntp server.. And if you don't want stuff to use ipv6.. Why do you have it enabled in the first place?


  • Netgate Administrator

    Can we see that actual NTP log line?

    You won't see that traffic blocked in the firewall log unless you enabled logging in the floating rule.

    If IPs exist ntpd will listen on them including IPv6.

    Steve



  • @johnpoz I have all IPv6 traffic blocked by the firewall plus do not have a gateway configured for it, nor a DHCP server configured to hand address for it, my wireless access point has as much disabled about it as I can, and all my LAN devices that I could I disabled it as well. If there is more I can do on the pfSense box that I can do to turn it off let me know. But for the time being when I look at the open sockets on pfSense it list ntpd as listening on like the IPv6 loopback address.



  • @stephenw10 I will post a copy of that line from the log file later, as I currently do not have access to it. In the meantime how do I enable logging in the floating rule, because all I saw was to "log the packet that triggered rule" and I don't specifically need to keep a copy of the packet itself? And I guess then that since I can't exactly disable pfSense from creating link local IPv6 addresses there is no way to stop ntpd from using them, would be nice though if there was like a flag that could be added to the config file or as part of the command that launches ntpd which specifies a specific version for it use.


  • Netgate Administrator

    That option just enables logging on the firewall rule. You will see traffic blocked by that rule in the firewall log. It doesn't store packets in any way.

    Steve



  • @stephenw10 Oh ok my bad I thought checking that box would log the packet itself and thus the setting to have it log when the rule is triggered was somewhere else.


  • LAYER 8 Global Moderator

    @jchud said in NTP Config Question:

    it list ntpd as listening on like the IPv6 loopback address.

    Yeah so.. even if you disabled ipv6 the loopback would still be there. Its almost impossible to git rid of the loopback ipv6 address "::1" as this is linked into the OS at very low level.

    If your not creating a ip6 enabled on your lan, and don't have RA running there is no way clients to get an IPb6 address. Sure they could still have loopback, and even a link local maybe depending how you disabled ipv6 exactly.. But client not going to be able to use ipv6 to talk to your ntp server.



  • @johnpoz Yeah kind of what I figured, was just hoping there was some kind of way to tell ntpd to ignore using it anyway.


  • Netgate Administrator

    I could see it being rejected because all services on the firewall are limited by the firewall rules rather where they listen but you could open a feature request for it:
    https://redmine.pfsense.org

    Steve


  • LAYER 8 Global Moderator

    @jchud said in NTP Config Question:

    was just hoping there was some kind of way to tell ntpd to ignore using it anyway.

    Why? Not understanding the point..

    I just looked at the ntp conf created when you only list specific interfaces to list, and it is placing the ignore all and wildcard statements in the ntpd.conf

    But still lists listening on ::1, but not sure why it matters? Not like something can talk to that.



  • @johnpoz More of a if its not needed/being used why have it even running as such anyway type ideology.


  • LAYER 8 Global Moderator

    I hear you - but ::1, has been been tied into the os at such a level.. I don't see how you could stop it. Like I said even when you disable ipv6 your still going to see that there.

    They might be able to change ntp to be bound to IP vs the interface to remove that... But then your going to run into issues if user changes the interface IP for some reason that ntp is suppose to be listening on.

    if you look at the conf being created you can see how they tell ntp to ignore all and wildcard, and then just calls out the interfaces you have highlighted to listen on in the gui

    interface ignore all
    interface ignore wildcard
    interface listen igb3
    interface listen igb0
    interface listen igb2
    interface listen igb2.4
    interface listen igb5
    


  • @johnpoz Yeah complete aware of all that. Was just kind of hoping there was something like adding a -v4 flag to the ntpd command or in the conf file (though I guess in the case it would be more like "interface ignore IPv6") type deal. Not to mention any time I make a manual change to the conf file it just gets rolled back to whatever is set via the GUI following a restart of service or pfSense.


  • LAYER 8 Global Moderator

    yeah you would have to change system.inc file



  • @johnpoz said in NTP Config Question:

    If you have IPv6 connectivity, and you just use fqdn for your ntp, and they get back AAAA then yeah they would connect via ipv6.
    But you sure can prevent clients on your end from using ipv6 to talk to your ntp server.. And if you don't want stuff to use ipv6.. Why do you have it enabled in the first place?

    Wouldn't it be easier to configure DNS to provide only an IPv4 address? If there are no AAAA records from the DNS, then the client can't use them. In my DNS I have to specify both IPv4 and IPv6 addresses for each host name.


  • LAYER 8 Global Moderator

    Exactly if dns does not return AAAA then client would never try and access IPv6 because it wouldn't know where to go..

    I think the OP is more concerned that ntp is showing to be listening on ::1, vs any sort of actual issue.

    On linux you could prob do something like ntpd_opts with -4 -g or the like, but I don't think that works with freebsd..



  • @johnpoz said in NTP Config Question:

    I think the OP is more concerned that ntp is showing to be listening on ::1

    I'm trying to imagine how that would be a problem. Not having much luck.


  • LAYER 8 Global Moderator

    hehe on that we can agree ;)



  • As far as I know my pfSense box, which is running the DNS Resolver, is not giving out any records for IPv6 addresses. And I am not specifically saying that there is a problem, issue, or security thing with NTP listening on the ::1 or any IPv6 address simply that as a preference that if I am not using IPv6 at all on my network why having anything even remotely listening on it.


  • LAYER 8 Global Moderator

    @jchud said in NTP Config Question:

    am not using IPv6 at all on my network why having anything even remotely listening on it.

    And again - the ipv6 stack is so integrated into the OS these days, your still going to see the base stuff like the ipv6 loopback ::1,

    If your pfsense doesn't have any actual IPv6 addresses on it, nor your firewall allowing it - then nothing is going to be able to use ntp via ipv6 or anything else via ipv6. But your not going to be able to get rid of stuff listening on ipv6 loopback..

    My windows box has NO ipv6 addresses.. not even linklocal, ipv6 is disabled on it - but still shows the network stack with stuff listening on ipv6

      UDP    [::]:123               *:*
      UDP    [::]:500               *:*
      UDP    [::]:3389              *:*
      UDP    [::]:3702              *:*
      UDP    [::]:3702              *:*
      UDP    [::]:3702              *:*
      UDP    [::]:3702              *:*
      UDP    [::]:3838              *:*
      UDP    [::]:4500              *:*
      UDP    [::]:49670             *:*
      UDP    [::]:58936             *:*
      UDP    [::]:59263             *:*
      UDP    [::]:61468             *:*
      UDP    [::1]:123              *:*
      UDP    [::1]:1900             *:*
      UDP    [::1]:5353             *:*
      UDP    [::1]:55844            *:*
    


  • @johnpoz I know but if I can disable/configure something not to use it, especially if I do not need it to, then that would be preferable that is all. I am well aware that things like IPv6 are so integrated into OS and what not now a days so it is extremely difficult to disable/get rid off completely. Like I said if I can then great if not then so be it.


  • LAYER 8 Global Moderator

    You can not get rid of ::1, and no you can get rid of stuff being shown to listen on it. But again it doesn't matter..

    Here my cisco switch that has ZERO setup for ipv6 on it - still shows its ssh and http services listening on ipv6 ;)

    sg300-28#sho services tcp-udp
    Type  Local IP address       Remote IP address      Service name  State
    ----  ---------------------  ---------------------  ------------  -----------
    
    TCP   All:22                 All:0                  SSH           listen    
    TCP   All:80                 All:0                  HTTP          listen    
    TCP   All:443                All:0                  HTTPS         listen    
    TCP   192.168.9.99:22        192.168.9.100:50737    SSH           established
    TCP6  All-22                 All-0                  SSH           listen    
    TCP6  All-80                 All-0                  HTTP          listen    
    TCP6  All-443                All-0                  HTTPS         listen    
    UDP   All:123                                       
    UDP   All:161                                       SNMP
    UDP   All:5353                                      Bonjour
    UDP6  All-123                                       
    UDP6  All-161                                       SNMP
    sg300-28#
    


  • @johnpoz Ok great like I said if it could be done then great (in this case the with NTP daemon) and if not that is just fine to. Because I totally agree it does not matter, regardless of the service, was simply curious if NTP had a way to be configured as such.


  • LAYER 8 Global Moderator

    you are suppose to be able to do a ntpd_opts and call out only ipv4.. so it doesn't show it listening on ipv6, even the loopback... But it doesn't work with freebsd from my understanding... Here it works on linux for example.

    pi@pi-hole:~ $ netstat -an | grep .123
    udp        0      0 192.168.3.10:123        0.0.0.0:*                          
    udp        0      0 127.0.0.1:123           0.0.0.0:*                          
    udp        0      0 0.0.0.0:123             0.0.0.0:*                          
    udp6       0      0 fe80::5680:ff38:68f:123 :::*                               
    udp6       0      0 ::1:123                 :::*                               
    udp6       0      0 :::123                  :::*              
    

    I then set ntpd_opts to -4

    pi@pi-hole:/etc/default $ cat /etc/default/ntp
    NTPD_OPTS='-4 -g'
    

    restart ntp and no more ipv6 in ntp

    pi@pi-hole:/etc/default $ netstat -an | grep .123
    udp        0      0 192.168.3.10:123        0.0.0.0:*                          
    udp        0      0 127.0.0.1:123           0.0.0.0:*                          
    udp        0      0 0.0.0.0:123             0.0.0.0:*   
    


  • @johnpoz Thanks for that and good to know, still sucks about it not working in freebsd though.



  • @johnpoz Just wanted to say thanks for all your help. Took your advice and looked at the system.inc, ntpd_opts, etc and was able to have it stop listening on both all IPv6 and a VIP address. Which in turn let me get rid of some NAT and firewall rules I had in place. Not to mention I was then able to extend this same principal one step further and got sshd not to listen on IPv6 as well.


  • LAYER 8 Global Moderator

    What exactly did you alter in system.inc, I tried adding the ntpd_opts in to the ntpd.conf file that gets written and it doesn't seem to do anything.. It was still listening on ipv6 addresses... Did you also alter to only bind to the IPs specific vs the interface, I didn't try that.

    Glad you got it sorted how you want.. If it is working on freebsd, pfsense could prob be easy altered in the gui to allow for such configs.. Feature request should hope get the dev's to take a look see, etc.



  • @johnpoz If you look at the freebsd man page for ntp.conf under the "Miscellaneous Options" where it talks about interface, along with the options to listen/ignore/drop there are options for all/ipv4/ipv6/wildcard. So I simply added a line that would be placed at the bottom of the conf file that said "interface ignore ipv6". And as far as the VIP goes I added the same thing just swapping out the last part for 10.10.10.1. In regards to the sshd I did basically the same thing, of course referencing its specific man page, making it so that the ssh config file had the line "AddressFamily inet" to it which forces it to only use IPv4 address.


  • LAYER 8 Global Moderator

    @jchud said in NTP Config Question:

    "interface ignore ipv6".

    Ah so the ntpd_opts doesn't work, but that does... slick..



  • @johnpoz Yep, what can say with over 10 years of IT experience at the enterprise level the key skill you pick up is that when it comes to the little things where there is a will there is a way you just have to care enough to find it. The one thing I did notice though is I had to make sure it got added to the end of the conf file because if I added it at the beginning it did not work for some reason.


  • LAYER 8 Global Moderator

    hmmm should work anywhere in the config, and would think top would be better.. But will give it a try.. Problem is editing the system.inc file will get overwritten on the next update.. So you would really need to create a patch for this that can get reapplied, or best is to get it put into the gui as a check box sort of thing.


Log in to reply