Disable NTP Server of 2.0.2?



  • For security reasons I want to disable the NTP server on my pfsense 2.0.2 installation / let it listen on no interface, however in 2.0.2, if no interface is selected, it will listen on all interfaces according to http://blog.pfsense.org/?p=676:

    NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies. You can still do selective interface binding to control which IPs will accept traffic, but be aware that the default behavior has changed.

    So, how can I disable the NTP service? Thanks :-)



  • From the point of view of minimizing attack surface, I sort of understand the "security reasons" but, if you only listen on LAN, for example, there is this to consider:

    http://en.wikipedia.org/wiki/Network_Time_Protocol#Security_concerns

    That said, I do think listening on all interfaces (including WAN?), if no interfaces are selected, is a bit strange. It also seems inconsistent with use of that type of selection elsewhere (e.g., Captive Portal, RIP and OLSRD). I'm sure there would have been some reason for that choice.

    Very nice to have a real NTP included though.



  • @biggsy:

    That said, I do think listening on all interfaces (including WAN?), if no interfaces are selected, is a bit strange. It also seems inconsistent with use of that type of selection elsewhere (e.g., Captive Portal, RIP and OLSRD). I'm sure there would have been some reason for that choice.

    Actually most pfSense daemons listen on all interfaces including dnsmasq, lighttpd/webGUI, syslogd, ssh etc. (check the output of sockstat -4l), and the system relies on pf to block traffic to them.



  • Actually most pfSense daemons listen on all interfaces …

    A fair comment.

    I was really just saying that where a selection of interfaces is offered elsewhere in the GUI "all" is not the default.


  • Rebel Alliance Developer Netgate

    Block access to the service with firewall rules.

    This daemon requires binding/listening to at least one adapter to function as an NTP client, there isn't a way around that requirement. Blocking with firewall rules is sufficient to lock the service down.
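    As an added check that is not part of the thread: the sockstat -4l audit mentioned earlier, scripted, so you can see which daemons (ntpd included) are bound to the wildcard address and therefore depend on pf for exposure control, as the reply above says. The sockstat output below is a constructed sample, and the interface name em0 is an assumption; the pf rules it emits are illustrative, since pfSense generates its ruleset from the GUI.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4l` output (not a real capture); column 6 is LOCAL ADDRESS.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       12345 20 udp4   *:123                 *:*
root     ntpd       12345 21 udp4   192.0.2.10:123        *:*
root     sshd       1337  3  tcp4   *:22                  *:*
nobody   dnsmasq    2048  4  udp4   *:53                  *:*
root     lighttpd   3001  5  tcp4   192.0.2.1:443         *:*
root     syslogd    401   6  udp4   *:514                 *:*'

# wildcard_listeners SOCKSTAT_TEXT
# Prints "COMMAND PROTO PORT" for every socket bound to all addresses (*:port),
# i.e. the ones that rely on pf rather than interface binding to limit exposure.
wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /^\*:/ {
        split($6, addr, ":"); print $2, $5, addr[2] }'
}

# ntpd_bound_to_all SOCKSTAT_TEXT
# Exit 0 when ntpd holds a wildcard UDP/123 socket, 1 otherwise.
ntpd_bound_to_all() {
    wildcard_listeners "$1" | awk '$1 == "ntpd" && $3 == 123 { hit = 1 } END { exit !hit }'
}

# pf_block_rules SOCKSTAT_TEXT IFACE
# Emit one pf.conf-style "block in quick" rule per wildcard-bound port on IFACE.
# Illustrative only: on pfSense the ruleset comes from the GUI, not a hand-edited pf.conf.
pf_block_rules() {
    wildcard_listeners "$1" | awk -v ifc="$2" '{
        proto = ($2 ~ /^udp/) ? "udp" : "tcp"
        printf "block in quick on %s proto %s from any to any port %s  # %s\n", ifc, proto, $3, $1 }'
}

# Run against the sample when executed directly (em0 is an assumed interface name).
wildcard_listeners "$SAMPLE_SOCKSTAT"
if ntpd_bound_to_all "$SAMPLE_SOCKSTAT"; then
    echo "ntpd listens on all addresses; restrict it with pf, e.g.:"
    pf_block_rules "$SAMPLE_SOCKSTAT" em0
fi
```

To audit a live box, replace the sample with `wildcard_listeners "$(sockstat -4l)"`; the lighttpd line in the sample shows what a specifically bound daemon looks like and is correctly left out.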



  • Thank you all. I really forgot about the firewall rules ::)

    This daemon requires binding/listening to at least one adapter to function as an NTP client

    I understand this, just not this from the blog:

    NOTE: ntpd will bind/listen to all interfaces by default, and it has to in order to receive replies.

    It does not have to bind to all interfaces; it's enough if it binds, e.g., on WAN to contact the public NTP servers?


  • Rebel Alliance Developer Netgate

    Yes, that is enough, or if you have the usual NAT rules, binding on LAN is OK too.

