Ntp and interface binding
So about the listening on interfaces thing.
About a question of only listening on specific interfaces.
I see this
This is fixed in newer versions, I suggest you try 4.2.6p5 or ntp-dev.
Support for truly restricting listening interfaces with "interface"
(AKA "nic") in ntp.conf was introduced late in the 4.2.5 cycle.
Something like the following should work for you:
interface ignore all
interface listen eth0
That should result in ntpd using only v4/v6 localhost and eth0's v4/v6
But I show the version of ntpd we are using as 4.2.4p5-a – why can we not just upgrade the binary?
ntp-4.2.6p5.tbz 2012-Mar-09 11:38:18 1.5M application/x-bzip-compressed-tar
ntp-4.2.7p255.tbz 2012-Mar-09 11:39:42 1.7M application/x-bzip-compressed-tar
so I just installed the 4.2.7p255 and added
interface ignore all
to my ntp.conf and restarted the 4.2.7p255 binary in /usr/local/sbin
now it seems to be only listening on my lan interface em0.
May 15 16:43:27 ntpd: peers refreshed
May 15 16:43:27 ntpd: Listen normally on 6 lo0 [::1]:123
May 15 16:43:27 ntpd: Listen normally on 5 lo0 127.0.0.1:123
May 15 16:43:27 ntpd: Listen normally on 4 em0 [2001:470:<snipped>:b85::1]:123
May 15 16:43:27 ntpd: Listen normally on 3 em0 [fe80::250:56ff:fe00:2%1]:123
May 15 16:43:27 ntpd: Listen normally on 2 em0 192.168.1.253:123
May 15 16:43:27 ntpd: Listen and drop on 1 v6wildcard [::]:123
May 15 16:43:27 ntpd: Listen and drop on 0 v4wildcard 0.0.0.0:123
May 15 16:43:27 ntpd: proto: precision = 1.955 usec (-19)
May 15 16:43:27 ntpd: ntpd email@example.com Fri Mar 9 16:39:06 UTC 2012 (1)
see my edit – just installed the 4.2.7 and the interface commands work from what I can tell.
interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name | address[/prefixlen]]
This command controls which network addresses ntpd opens, and whether input is dropped without processing. The first parameter determines the action for addresses which match the second parameter. That parameter specifies a class of addresses, or a specific interface name, or an address. In the address case, prefixlen determines how many bits must match for this rule to apply. ignore prevents opening matching addresses, drop causes ntpd to open the address and drop all received packets without examination. Multiple interface commands can be used. The last rule which matches a particular address determines the action for it. interface commands are disabled if any -I, --interface, -L, or --novirtualips command-line options are used. If none of those options are used and no interface actions are specified in the configuration file, all available network addresses are opened. The nic command is an alias for interface.
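The rule evaluation the quoted documentation describes (a class keyword, an interface name, or an address with optional prefixlen; the last matching rule wins) is easy to get wrong by ordering the lines the wrong way round, so here is a small evaluator that applies a set of interface rules to a list of addresses and reports what would be opened. This is an added example, not ntpd's code and not anything from this thread. It assumes that an address matched by no rule is opened (the documentation only says this for the case of no rules at all), it does not model the -I/-L command-line options that disable interface rules, and it does not model the loopback and wildcard sockets that the posted log shows ntpd opening regardless of the rules. The interface list is constructed from the log above, with the snipped prefix replaced by a documentation prefix and a made-up em1 WAN address added.

```python
import ipaddress

ACTIONS = ("listen", "ignore", "drop")
CLASSES = ("all", "ipv4", "ipv6", "wildcard")


def parse_rules(conf_text):
    """Extract 'interface ACTION MATCH' (or 'nic ...') lines, in file order.
    MATCH is a class keyword, an interface name, or an address[/prefixlen]."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("interface", "nic"):
            continue                                  # other directives are not our concern
        action, match = parts[1], parts[2]
        if action not in ACTIONS:
            raise ValueError("unknown interface action: %r" % raw)
        if match in CLASSES:
            rules.append((action, ("class", match)))
            continue
        try:                                          # address or address/prefixlen
            rules.append((action, ("net", ipaddress.ip_network(match, strict=False))))
        except ValueError:                            # anything else is an interface name
            rules.append((action, ("name", match)))
    return rules


def rule_matches(matcher, ifname, addr):
    kind, value = matcher
    if kind == "class":
        return (value == "all"
                or (value == "ipv4" and addr.version == 4)
                or (value == "ipv6" and addr.version == 6)
                or (value == "wildcard" and addr.is_unspecified))
    if kind == "name":
        return value == ifname
    return addr.version == value.version and addr in value


def decide(rules, ifname, addr_text):
    """Action for one (interface, address) pair: the LAST matching rule wins.
    Assumption (not stated in the quoted text): an address matched by no
    rule is opened, the same as when no rules are configured at all."""
    addr = ipaddress.ip_address(addr_text.split("%", 1)[0])   # strip IPv6 scope id
    action = "listen"
    for rule_action, matcher in rules:
        if rule_matches(matcher, ifname, addr):
            action = rule_action
    return action


def plan(conf_text, interfaces):
    rules = parse_rules(conf_text)
    return {(ifname, a): decide(rules, ifname, a) for ifname, a in interfaces}


# Constructed sample, modelled on the log above: the snipped prefix is replaced
# with a documentation prefix and em1 is a made-up second (WAN) interface.
SAMPLE_INTERFACES = [
    ("lo0", "127.0.0.1"),
    ("lo0", "::1"),
    ("em0", "192.168.1.253"),
    ("em0", "fe80::250:56ff:fe00:2%1"),
    ("em0", "2001:db8:b85::1"),
    ("em1", "203.0.113.5"),
]

# The configuration suggested in the thread: everything off, then the LAN back on.
CONF_LAN_ONLY = "interface ignore all\ninterface listen em0\n"
# Same two lines in the wrong order: 'ignore all' is now the last match for every address.
CONF_WRONG_ORDER = "interface listen em0\ninterface ignore all\n"
# Address form: only the LAN IPv4 subnet is opened, the LAN IPv6 addresses stay closed.
CONF_LAN_V4_ONLY = "nic ignore all\nnic listen 192.168.1.0/24\n"

if __name__ == "__main__":
    for name, conf in (("lan only", CONF_LAN_ONLY),
                       ("wrong order", CONF_WRONG_ORDER),
                       ("lan v4 only", CONF_LAN_V4_ONLY)):
        print(name)
        for (ifname, addr), action in plan(conf, SAMPLE_INTERFACES).items():
            print("  %-6s %-26s %s" % (action, addr, ifname))
```

Running it shows the point of the "last match wins" sentence: with the two lines reversed every address ends up ignored, which is the configuration that leaves ntpd with no peers at all, and the address form lets the LAN be narrowed further than an interface name can.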
Looks promising, though if it works in 4.2.6p5 that would be preferable as their site labels 4.2.7 as development and 4.2.6 as production.
Added ntp 4.2.6p5 to the snapshots, didn't activate it yet in the gui, we'll see what happens when they come out and I can experiment.
ok, selective interface binding is back! It may not show up until tomorrow's snapshots because one was already building when I committed it. But a gitsync would pull it in.
Might need some testing to ensure it's doing the right thing. From the logs and sockstat output it appeared to be working as expected, but some other input would be helpful.
It would also be helpful to know if, under Status > NTP, you get an active peer with interface binding setup. I still did, but I'm curious to know if anyone has issues.