Is there any ntpd that can be configured to listen to selected interfaces only?

Question

My situation is, that I configure many virtual network interfaces for virtual machines and some of my networks do even have two or more addresses. I don't need ntpd to listen to all these interfaces, but there seems no option to restrict the interfaces ntpd tries to bind to. Besides all these "security" options in ntpd, for a system administrator, who knows his environment, the best security option is not to listen at all to interfaces. For example it would be more secure not to listen to external interfaces at all, but to restrict access through ntp configuration.

Is there any ntpd software known that can be configured to listen only to selected interfaces (as any network daemon should)?

Answer 1

There are two easy ways to do this, both documented in the official ntp documentation:

• Use the -I command line option for ntpd invocation

  -I [address | interface name]
  
        Open the network address given, or all the addresses associated
        with the given interface name.  This option may appear multiple
        times.  This option also implies not opening other addresses,
        except wildcard and local‐ host.  This option is deprecated.
        Please consider using the configuration file interface command,
        which is more versatile.
  

  From ntp's documentation on command line options for ntpd

• Use the interface directive in ntp.conf:

  interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name |
             address[/prefixlen]]
  
        This command controls which network addresses ntpd opens, and
        whether input is dropped without processing. The first parameter
        determines the action for addresses which match the second
        parameter. That parameter specifies a class of addresses, or a
        specific interface name, or an address. In the address case,
        prefixlen determines how many bits must match for this rule to
        apply. ignore prevents opening matching addresses, drop causes
        ntpd to open the address and drop all received packets without
        examination. Multiple interface commands can be used. The last
        rule which matches a particular address determines the action
        for it. interface commands are disabled if any -I, --interface,
        -L, or --novirtualips command-line options are used. If none of
        those options are used and no interface actions are specified
        in the configuration file, all available network addresses are
        opened. The nic command is an alias for interface.
  

  From ntp's documentation on misc configuration options: