
Let NTP listen only to one interface

 
Catia Lavalle
Occasional Advisor

Let NTP listen only to one interface

Hello,

I have a machine which serves as an NTP server. This machine has several (3) network interfaces (+ loopback). By default NTP "binds" itself to all available interfaces, i.e. it listens on port 123 on all of them:

netstat -an|grep 123
udp 0 0 127.0.0.1.123 *.*
udp 0 0 1.2.3.4.123 *.*
udp 0 0 *.123 *.*
udp 0 0 1.2.5.4.123 *.*
udp 0 0 1.2.6.4.123 *.*

I would like to "bind" NTP to only one interface, say 1.2.3.4. Is it possible? I cannot find any hint on the net.

Thanks.

P.S. I am interested in a solution for Linux and (especially) HP-UX, in case it is OS dependent.
Matti_Kurkela
Honored Contributor

Re: Let NTP listen only to one interface

As far as I know, no version of (x)ntpd can do this.

As an alternative, you could use the "restrict" directive in the /etc/ntp.conf file to make the NTP server ignore any communication that comes from the unauthorized interfaces. For example, to allow 1.2.3.4 and loopback only, you might add this to /etc/ntp.conf:

# no restrictions for loopback...
restrict 127.0.0.1 mask 255.0.0.0
# no restrictions for 1.2.3.0/24
restrict 1.2.3.4 mask 255.255.255.0
# everything else is ignored
restrict default ignore

The usage of the "restrict" keyword is not completely obvious: see the NTP documentation for details.
http://www.eecis.udel.edu/~mills/ntp/html/accopt.html

(Apparently some versions of [x]ntpd may allow or even require omitting the "mask" keyword from the "restrict" lines.)

Another option would be to use the system's TCP/IP filtering features (Linux: iptables, HP-UX: optional ipfilter package from software.hp.com). This will not change the behaviour of ntpd, but it will prevent the connections from unauthorized networks from even touching ntpd.

MK
Catia Lavalle
Occasional Advisor

Re: Let NTP listen only to one interface

Thanks, the first sentence answered my question.
I use "restrict", but it does not differentiate between queries on different local interfaces.
Using firewall restrictions would be an idea, although not optimal.

Anyway, if you say that there is no way to bind NTP to just one interface ...
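As an added example (not from this thread or from the ntpd project), a small Python model of how ntpd evaluates "restrict" lines as I read the accopt documentation linked above: the address is masked, the matching entry with the most specific mask wins, and only the packet's source address is consulted, which is why the check cannot tell which local interface a query arrived on. NTP_CONF is a constructed fragment based on MK's example plus one mask-less line.

```python
import ipaddress

# Constructed ntp.conf fragment (not a real server's config) modelling the
# thread's example; the mask-less line shows ntpd treating it as one host.
NTP_CONF = """
# no restrictions for loopback...
restrict 127.0.0.1 mask 255.0.0.0
# no restrictions for 1.2.3.0/24
restrict 1.2.3.4 mask 255.255.255.0
# a single host (mask omitted -> /32) that may sync but not query status
restrict 1.2.5.99 noquery nomodify
# everything else is ignored
restrict default ignore
"""


def parse_restrict(conf):
    """Return a list of (network, flag set) for every 'restrict' line."""
    entries = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()      # drop comments
        if not tok or tok[0] != "restrict":
            continue
        if tok[1] == "default":                  # 0.0.0.0 mask 0.0.0.0
            net, flags = ipaddress.ip_network("0.0.0.0/0"), tok[2:]
        elif len(tok) > 3 and tok[2] == "mask":
            # ntpd masks the address itself, so "1.2.3.4 mask 255.255.255.0"
            # really means the whole 1.2.3.0/24 network
            net = ipaddress.ip_network(f"{tok[1]}/{tok[3]}", strict=False)
            flags = tok[4:]
        else:                                    # no mask -> single host
            net, flags = ipaddress.ip_network(f"{tok[1]}/32"), tok[2:]
        entries.append((net, set(flags)))
    return entries


def flags_for(entries, src):
    """Flags ntpd applies to a packet from src (the local interface the
    packet arrived on is deliberately not a parameter: ntpd never looks
    at it, so a client in 1.2.3.0/24 is served on every interface)."""
    src = ipaddress.ip_address(src)
    matches = [(n, f) for n, f in entries if src in n]
    # most specific mask (longest prefix) wins; 'default' matches everything
    _, flags = max(matches, key=lambda m: m[0].prefixlen)
    return flags


def is_served(entries, src):
    """True if ntpd would answer at all, i.e. the source is not 'ignore'd."""
    return "ignore" not in flags_for(entries, src)
```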
BUPA IS
Respected Contributor

Re: Let NTP listen only to one interface

Hello,
You might be able to exploit the fact that it only binds to the interfaces at start-up time.
Not very pretty, but you could stop the other interfaces coming up, then start ntp, then start the rest; or during rc2 ifconfig the ones you don't want down before ntp starts, then start ntp and then the other interfaces.

Have a read of this open development issue:

http://support.ntp.org/bin/view/Dev/NtpdAndNetworkSockets

Perhaps you could contribute to it.
Help is out there always!!!!!