Netgate Discussion Forum

Disable NTP Server of 2.0.2?

General pfSense Questions
7 Posts 4 Posters 6.4k Views
    srynoname
    last edited by Dec 22, 2012, 12:30 PM

    For security reasons I want to disable the NTP server on my pfSense 2.0.2 installation / let it listen on no interface, however in 2.0.2, if no interface is selected, it will listen on all interfaces according to http://blog.pfsense.org/?p=676:

    NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies. You can still do selective interface binding to control which IPs will accept traffic, but be aware that the default behavior has changed.

    So, how can I disable the NTP service? Thanks :-)

      biggsy
      last edited by Dec 22, 2012, 9:59 PM Dec 22, 2012, 9:57 PM

      From the point of view of minimizing attack surface, I sort of understand the "security reasons" but, if you only listen on LAN, for example, there is this to consider:

      http://en.wikipedia.org/wiki/Network_Time_Protocol#Security_concerns

      That said, I do think listening on all interfaces (including WAN?), if no interfaces are selected, is a bit strange. It also seems inconsistent with use of that type of selection elsewhere (e.g., Captive Portal, RIP and OLSRD). I'm sure there would have been some reason for that choice.

      Very nice to have a real NTP included though.

        dhatz
        last edited by Dec 22, 2012, 10:31 PM

        @biggsy:

        That said, I do think listening on all interfaces (including WAN?), if no interfaces are selected, is a bit strange. It also seems inconsistent with use of that type of selection elsewhere (e.g., Captive Portal, RIP and OLSRD). I'm sure there would have been some reason for that choice.

        Actually most pfSense daemons listen on all interfaces including dnsmasq, lighttpd/webGUI, syslogd, ssh, etc. (check the output of sockstat -4l), and the system relies on pf to block traffic to them.

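The sockstat -4l check mentioned above, as an added audit script that is not from the thread or from the pfSense project: it lists which daemons are bound to the wildcard address (*:port) and are therefore reachable on every interface unless pf blocks them. The sockstat output below is constructed, and the column layout is assumed to match FreeBSD's sockstat.

```shell
#!/bin/sh
# Added example: find daemons bound to the wildcard address in
# sockstat -4l output. These are the services whose exposure depends
# entirely on pf rules rather than on interface binding.

# Constructed sample of `sockstat -4l` output (not captured from a real box).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       1234  20 udp4   *:123                 *:*
root     ntpd       1234  21 udp4   192.168.1.1:123       *:*
root     sshd       5678  3  tcp4   *:22                  *:*
root     lighttpd   910   4  tcp4   *:443                 *:*
nobody   dnsmasq    1111  5  udp4   *:53                  *:*
nobody   dnsmasq    1111  6  tcp4   *:53                  *:*
root     syslogd    777   4  udp4   *:514                 *:*
root     php-fpm    888   7  tcp4   127.0.0.1:9000        *:*'

# wildcard_listeners: read sockstat-format text on stdin, skip the header,
# and print "proto command port" for every socket bound to "*:<port>".
# Sockets bound to a specific address (192.168.1.1, 127.0.0.1) are ignored.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:[0-9]+$/ {
        split($6, a, ":"); print $5, $2, a[2]
    }' | sort -u
}

# is_wildcard COMMAND PORT: exit 0 if COMMAND has a wildcard-bound socket
# on PORT in the sample, 1 otherwise.
is_wildcard() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners |
        awk -v c="$1" -v p="$2" '$2 == c && $3 == p { found = 1 }
                                 END { exit found ? 0 : 1 }'
}

# count_wildcard: number of distinct wildcard-bound (proto, command, port)
# entries in the sample.
count_wildcard() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners | wc -l | tr -d ' '
}

# Stand-alone run: print the wildcard-bound services from the sample.
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
```

On a live system, pipe the real output instead: `sockstat -4l | wildcard_listeners`; every line it prints is a service whose reachability from WAN rests on the pf ruleset, not on the daemon's own binding.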
          biggsy
          last edited by Dec 22, 2012, 10:42 PM

          Actually most pfSense daemons listen on all interfaces …

          A fair comment.

          I was really just saying that where a selection of interfaces is offered elsewhere in the GUI "all" is not the default.

            jimp Rebel Alliance Developer Netgate
            last edited by Dec 22, 2012, 11:57 PM

            Block access to the service with firewall rules.

            This daemon requires binding/listening to at least one adapter to function as an NTP client, there isn't a way around that requirement. Blocking with firewall rules is sufficient to lock the service down.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              srynoname
              last edited by Dec 23, 2012, 10:40 AM

              Thank you all. I really forgot about the firewall rules ::)

              This daemon requires binding/listening to at least one adapter to function as an NTP client

              I understand this, just not this from the blog:

              NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies.

              It does not have to bind to all interfaces; it's enough if it binds e.g. on WAN to contact the public NTP servers?

                jimp Rebel Alliance Developer Netgate
                last edited by Dec 23, 2012, 3:05 PM

                Yes, that is enough, or if you have the usual NAT rules, binding on LAN is OK too.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.