Netgate Discussion Forum

    NTP Config Question

    General pfSense Questions
    • J
      jchud @johnpoz

      @johnpoz OK great, like I said, if it could be done then great (in this case with the NTP daemon) and if not that is just fine too. Because I totally agree it does not matter, regardless of the service; I was simply curious if NTP had a way to be configured as such.

      • johnpozJ
        johnpoz LAYER 8 Global Moderator

        You are supposed to be able to do a ntpd_opts and call out only IPv4.. so it doesn't show it listening on IPv6, even the loopback... But it doesn't work with FreeBSD from my understanding... Here it works on Linux for example.

        pi@pi-hole:~ $ netstat -an | grep .123
        udp        0      0 192.168.3.10:123        0.0.0.0:*                          
        udp        0      0 127.0.0.1:123           0.0.0.0:*                          
        udp        0      0 0.0.0.0:123             0.0.0.0:*                          
        udp6       0      0 fe80::5680:ff38:68f:123 :::*                               
        udp6       0      0 ::1:123                 :::*                               
        udp6       0      0 :::123                  :::*              
        

        I then set ntpd_opts to -4

        pi@pi-hole:/etc/default $ cat /etc/default/ntp
        NTPD_OPTS='-4 -g'
        

        restart ntp and no more ipv6 in ntp

        pi@pi-hole:/etc/default $ netstat -an | grep .123
        udp        0      0 192.168.3.10:123        0.0.0.0:*                          
        udp        0      0 127.0.0.1:123           0.0.0.0:*                          
        udp        0      0 0.0.0.0:123             0.0.0.0:*   
        

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

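A stricter form of the `netstat -an | grep .123` check in the post above, as an added example that is not part of the original thread: it keeps only UDP sockets bound to exactly the given port and labels each by address family. The sample input is the post's first netstat output plus one constructed decoy line on port 1123; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the first netstat output from the post above, plus one
# decoy socket on port 1123 that a loose `grep .123` would also match.
SAMPLE='udp        0      0 192.168.3.10:123        0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:1123            0.0.0.0:*
udp6       0      0 fe80::5680:ff38:68f:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*'

# listeners_on_port PORT: read `netstat -an` lines on stdin and print
# "family address" for every UDP socket bound to exactly PORT.
listeners_on_port() {
    awk -v port="$1" '
    $1 ~ /^udp/ {
        laddr = $4
        # The port follows the last ":" (Linux) or the last "." (BSD style).
        sep = 0
        for (i = length(laddr); i > 0; i--) {
            c = substr(laddr, i, 1)
            if (c == ":" || c == ".") { sep = i; break }
        }
        if (sep == 0 || substr(laddr, sep + 1) != port) next
        # Any "6" in the protocol column (udp6, udp46) counts as IPv6.
        fam = ($1 ~ /6/) ? "ipv6" : "ipv4"
        print fam, substr(laddr, 1, sep - 1)
    }'
}

# count_ipv6_listeners PORT: number of IPv6 sockets still bound to PORT.
count_ipv6_listeners() {
    listeners_on_port "$1" | awk '$1 == "ipv6" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE" | listeners_on_port 123
```

On a live host, `netstat -an | count_ipv6_listeners 123` should print 0 once the daemon has been restricted to IPv4.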
        • J
          jchud @johnpoz

          @johnpoz Thanks for that and good to know, still sucks about it not working in freebsd though.

          • J
            jchud

            @johnpoz Just wanted to say thanks for all your help. Took your advice and looked at the system.inc, ntpd_opts, etc. and was able to have it stop listening on both all IPv6 and a VIP address. Which in turn let me get rid of some NAT and firewall rules I had in place. Not to mention I was then able to extend this same principle one step further and got sshd not to listen on IPv6 as well.

            • johnpozJ
              johnpoz LAYER 8 Global Moderator

              What exactly did you alter in system.inc? I tried adding the ntpd_opts in to the ntpd.conf file that gets written and it doesn't seem to do anything.. It was still listening on IPv6 addresses... Did you also alter it to only bind to the specific IPs vs the interface? I didn't try that.

              Glad you got it sorted how you want.. If it is working on FreeBSD, pfSense could prob be easily altered in the GUI to allow for such configs.. A feature request should hopefully get the devs to take a look see, etc.

              • J
                jchud @johnpoz

                @johnpoz If you look at the FreeBSD man page for ntp.conf under the "Miscellaneous Options" where it talks about interface, along with the options to listen/ignore/drop there are options for all/ipv4/ipv6/wildcard. So I simply added a line that would be placed at the bottom of the conf file that said "interface ignore ipv6". And as far as the VIP goes I added the same thing, just swapping out the last part for 10.10.10.1. In regards to the sshd I did basically the same thing, of course referencing its specific man page, making it so that the ssh config file had the line "AddressFamily inet" added to it, which forces it to only use IPv4 addresses.

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator

                  @jchud said in NTP Config Question:

                  "interface ignore ipv6".

                  Ah so the ntpd_opts doesn't work, but that does... slick..

                  • J
                    jchud @johnpoz

                    @johnpoz Yep, what can I say, with over 10 years of IT experience at the enterprise level the key skill you pick up is that when it comes to the little things, where there is a will there is a way; you just have to care enough to find it. The one thing I did notice though is I had to make sure it got added to the end of the conf file, because if I added it at the beginning it did not work for some reason.

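The ntp.conf documentation for the `interface` command says that when several rules match an address, the last matching rule decides the action, so where `interface ignore ipv6` sits relative to other `interface` lines can change the result. An added example (not from the thread and not pfSense's generated file) that evaluates rules this way over two constructed configs; the NIC name `em0`, the addresses other than 10.10.10.1, and the function name are assumptions.

```shell
#!/bin/sh
# Constructed configs; em0 is a hypothetical NIC name.
RULE_FIRST='interface ignore ipv6
interface ignore all
interface listen em0'
RULE_LAST='interface ignore all
interface listen em0
interface ignore ipv6
interface ignore 10.10.10.1   # the VIP mentioned in the thread'

# ntp_interface_action IFNAME ADDR: read ntp.conf text on stdin and print the
# action (listen/ignore/drop) selected for ADDR on IFNAME.
# Simplifications: address/prefixlen selectors are not handled, and "all" is
# treated as matching every address.
ntp_interface_action() {
    awk -v ifname="$1" -v addr="$2" '
    BEGIN { action = "listen" }          # no matching rule: ntpd listens
    { sub(/#.*/, "") }                   # strip trailing comments
    ($1 == "interface" || $1 == "nic") && $2 ~ /^(listen|ignore|drop)$/ {
        sel = $3
        v6 = (addr ~ /:/)
        if (sel == "all" ||
            (sel == "ipv6" && v6) || (sel == "ipv4" && !v6) ||
            (sel == "wildcard" && (addr == "0.0.0.0" || addr == "::")) ||
            sel == ifname || sel == addr)
            action = $2                  # a later match overrides earlier ones
    }
    END { print action }'
}

# Same three rules, different order, different outcome for an IPv6 address.
echo "ignore-ipv6 first: $(printf '%s\n' "$RULE_FIRST" | ntp_interface_action em0 fe80::1)"
echo "ignore-ipv6 last:  $(printf '%s\n' "$RULE_LAST" | ntp_interface_action em0 fe80::1)"
```

With the rule placed first, the later `interface listen em0` re-enables the IPv6 address on that NIC; placed last, the address is ignored.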
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator

                      hmmm should work anywhere in the config, and would think top would be better.. But will give it a try.. Problem is editing the system.inc file will get overwritten on the next update.. So you would really need to create a patch for this that can get reapplied, or best is to get it put into the gui as a check box sort of thing.

                      • J
                        jchud @johnpoz

                        @johnpoz I agree, and it probably was something I was simply overlooking as it was late last night when I was trying all this. And yes, doing it this way means that it will get overwritten on an update and whatnot, but one step at a time; first we get it to work, then worry about how to make it carry over 😉.

                        • J
                          jchud

                          So apparently there is a -L flag that can be used when executing the command to start the NTP daemon which will tell it not to listen on VIPs. However, for this to work as such the alias for the VIP must have a colon in the name (which if you ask me is a very weird condition). Not to mention that they claim it's been deprecated and thus it is more preferable to use the -I flag to directly and more explicitly specify the exact interface(s)/IP(s) you want it to listen on.

                          Just out of curiosity though if we can directly specify these things as part of the command to run NTP versus building a config file, putting these values into it, telling NTP to get that info from the config file, etc would it not just be easier/more efficient to build it all into a single command and have it run as such from the get go?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.