How disable ntpd on IPv6 addresses?

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Oct 4 21:49:41 UTC 2011


On 04/10/2011 21:37, Peter Olsson wrote:
> I hope this is the right list for this question.
> In FreeBSD 8.2, how do I make ntpd not open any
> IPv6 ports? I have searched man pages and google,
> but haven't found the answer. Some ntpd have the
> command line option -4, but that doesn't seem to
> be the case with FreeBSD ntpd.
> 
> The server runs IPv6, but ntpd will only ever be used
> with IPv4 servers, so I don't want any unnecessary
> open IPv6 ports for ntpd.
> 
> "Use restrict" or "Use a firewall" is not the answer.
> I just don't want this junk in netstat -an:
> udp6       0      0 fe80:3::1.123          *.*                    
> udp6       0      0 ::1.123                *.*                    
> udp6       0      0 x:x:x:x.123            *.*                    
> udp6       0      0 fe80:2::219:bbff.123   *.*                    
> udp6       0      0 fe80:1::219:bbff.123   *.*                    
> udp6       0      0 *.123                  *.*                    

Unfortunately you can't.  ntpd binds to every available interface when
it starts up, and there's nothing configuration-wise you can do to stop it.

However you can use 'restrict' or 'restrict -6' in ntpd.conf to ignore
any traffic via addresses you don't want NTP service on.  It doesn't
clean up your sockstat(1) output, but it does help protect your system
time from external hackery.  See
http://support.ntp.org/bin/view/Support/AccessRestrictions

I have no idea why ntpd(8) lacks this feature of binding to specified
addresses, as to my mind it should be standard for any software that can
generate network sockets.  You could try openntpd from OpenBSD which
does have control over where it will bind to (Ports: net/openntpd) --
but last I used it the degree of clock synchronization it achieved was
not as good as regular ntpd.  That was some time ago now, and the
situation may well have changed since then.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
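
The 'restrict' / 'restrict -6' approach from the reply above, sketched as an /etc/ntp.conf fragment for the base-system ntpd. This is an added example, not part of the original message; the server address 192.0.2.10 is a constructed placeholder from the documentation range and must be replaced with the real IPv4 time server.

```conf
# Constructed example: deny-by-default access control for ntpd.
# ntpd still binds UDP port 123 on every address (the sockets stay
# visible in netstat/sockstat); these rules only make it drop packets.

# Upstream IPv4 time server (placeholder address).
server 192.0.2.10 iburst

# Default policy: ignore every packet, IPv4 and IPv6 alike.
restrict default ignore
restrict -6 default ignore

# With "default ignore" in place, replies from the upstream server are
# dropped too unless it gets its own entry. Allow time exchange with it,
# but no runtime reconfiguration, traps, peering or ntpq/ntpdc queries.
restrict 192.0.2.10 nomodify notrap nopeer noquery

# Loopback keeps full access so local ntpq/ntpdc monitoring still works.
restrict 127.0.0.1
restrict -6 ::1
```

The restrict lines match on the source address of the remote host, so the server entry has to list the server's IP address rather than a local interface address.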
