Is there any ntpd that can be configured to listen to selected interfaces only?

8.4k views Asked by At

My situation is, that I configure many virtual network interfaces for virtual machines and some of my networks do even have two or more addresses. I don't need ntpd to listen to all these interfaces, but there seems no option to restrict the interfaces ntpd tries to bind to. Besides all these "security" options in ntpd, for a system administrator, who knows his environment, the best security option is not to listen at all to interfaces. For example it would be more secure not to listen to external interfaces at all, but to restrict access through ntp configuration.

Is there any ntpd software known that can be configured to listen only to selected interfaces (as any network daemon should)?

1

There are 1 answers

0
dfc On

There are two easy ways to do this, both documented in the official ntp documentation:

  • Use the -I command line option for ntpd invocation

    -I [address | interface name]
    
          Open the network address given, or all the addresses associated
          with the given interface name.  This option may appear multiple
          times.  This option also implies not opening other addresses,
          except wildcard and localā€ host.  This option is deprecated.
          Please consider using the configuration file interface command,
          which is more versatile.
    

    From ntp's documentation on command line options for ntpd

  • Use the interface directive in ntp.conf:

    interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name |
               address[/prefixlen]]
    
          This command controls which network addresses ntpd opens, and
          whether input is dropped without processing. The first parameter
          determines the action for addresses which match the second
          parameter. That parameter specifies a class of addresses, or a
          specific interface name, or an address. In the address case,
          prefixlen determines how many bits must match for this rule to
          apply. ignore prevents opening matching addresses, drop causes
          ntpd to open the address and drop all received packets without
          examination. Multiple interface commands can be used. The last
          rule which matches a particular address determines the action
          for it. interface commands are disabled if any -I, --interface,
          -L, or --novirtualips command-line options are used. If none of
          those options are used and no interface actions are specified
          in the configuration file, all available network addresses are
          opened. The nic command is an alias for interface.
    

    From ntp's documentation on misc configuration options: