Netgate Discussion Forum

    Disable NTP Server of 2.0.2?

    General pfSense Questions
    srynoname:

      For security reasons I want to disable the NTP server on my pfSense 2.0.2 installation / let it listen on no interface, however in 2.0.2, if no interface is selected, it will listen on all interfaces according to http://blog.pfsense.org/?p=676:

      NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies. You can still do selective interface binding to control which IPs will accept traffic, but be aware that the default behavior has changed.

      So, how can I disable the NTP service? Thanks :-)

    biggsy:

        From the point of view of minimizing attack surface, I sort of understand the "security reasons" but, if you only listen on LAN, for example, there is this to consider:

        http://en.wikipedia.org/wiki/Network_Time_Protocol#Security_concerns

        That said, I do think listening on all interfaces (including WAN?), if no interfaces are selected, is a bit strange.  It also seems inconsistent with use of that type of selection elsewhere (e.g., Captive Portal, RIP and OLSRD). I'm sure there would have been some reason for that choice.

        Very nice to have a real NTP included though.

    dhatz:

          @biggsy:

          That said, I do think listening on all interfaces (including WAN?), if no interfaces are selected, is a bit strange.  It also seems inconsistent with use of that type of selection elsewhere (e.g., Captive Portal, RIP and OLSRD). I'm sure there would have been some reason for that choice.

          Actually most pfSense daemons listen on all interfaces including dnsmasq, lighttpd/webGUI, syslogd, ssh etc. (check the output of sockstat -4l), and the system relies on pf to block traffic to them.

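As an added example (not from the thread or from pfSense itself), a small shell function that takes `sockstat -4l` output and lists every socket bound to the wildcard address, i.e. the daemons reachable on every interface unless pf blocks them. The sockstat output below is a constructed sample, not a capture from a real box.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4l` output (columns: USER COMMAND PID FD PROTO LOCAL FOREIGN).
# Not captured from a real pfSense system; values are illustrative only.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       1234  20 udp4   *:123                 *:*
root     ntpd       1234  21 udp4   192.168.1.1:123       *:*
root     sshd       1100  4  tcp4   *:22                  *:*
root     lighttpd   1050  5  tcp4   *:443                 *:*
nobody   dnsmasq    1200  4  udp4   *:53                  *:*
root     syslogd    900   4  udp4   127.0.0.1:514         *:*'

# wildcard_listeners SOCKSTAT_OUTPUT
# Prints "COMMAND PROTO PORT" for each socket whose local address is "*" (all interfaces).
# Sockets bound to a specific IP (e.g. 192.168.1.1:123 or 127.0.0.1:514) are skipped.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $6 ~ /^\*:/ {
            split($6, addr, ":")      # addr[2] is the port
            print $2, $5, addr[2]
        }'
}

# On a live FreeBSD/pfSense box you would run: wildcard_listeners "$(sockstat -4l)"
wildcard_listeners "$SAMPLE_SOCKSTAT"
```

Each reported line is a service you need a pf rule for if it must not be reachable from a given interface (for ntpd that is UDP port 123 on WAN).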
    biggsy:

            Actually most pfSense daemons listen on all interfaces …

            A fair comment.

            I was really just saying that where a selection of interfaces is offered elsewhere in the GUI "all" is not the default.

    jimp (Rebel Alliance Developer, Netgate):

              Block access to the service with firewall rules.

              This daemon requires binding/listening to at least one adapter to function as an NTP client, there isn't a way around that requirement. Blocking with firewall rules is sufficient to lock the service down.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

    srynoname:

                Thank you all. I really forgot about the firewall rules  ::)

                This daemon requires binding/listening to at least one adapter to function as an NTP client

                I understand this, just not this from the blog:

                NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies.

                It does not have to bind to all interfaces, it's enough if it binds e.g. on WAN to contact the public NTP servers?

    jimp (Rebel Alliance Developer, Netgate):

                  Yes, that is enough, or if you have the usual NAT rules, binding on LAN is OK too.


                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.