For the last few years I have been using net/openntpd instead of FreeBSD's base ntpd(8), exclusively because of the latter's tendency to bind to all available interfaces and addresses, and its inability to be configured to bind to specific IP addresses only. Things have changed recently, however, and it appears that from FreeBSD 11.1 onwards we can specify the IP address(es) ntpd listens on. The following article explains how to bind FreeBSD's base ntpd to a single IPv4 address plus the IPv4 loopback address.

Setting up the default NTP server in FreeBSD is easy: just add ntpd_enable="YES" to /etc/rc.conf, start the daemon with service ntpd start, and you are good to go. But if you intend to use jails, you will need to do a few more things. The "EXAMPLES" section of jail(8), under "Setting up the Host Environment", reads:

First, set up the real system's environment to be "jail-friendly". For consistency, we will refer to the parent box as the "host environment", and to the jailed virtual machine as the "jail environment". Since jails are implemented using IP aliases, one of the first things to do is to disable IP services on the host system that listen on all local IP addresses for a service. If a network service is present in the host environment that binds all available IP addresses rather than specific IP addresses, it may service requests sent to jail IP addresses if the jail did not bind the port.

Let's check our network services and their bindings:

pacija@warden1:~ % sudo netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.30.19.163.22        10.30.19.45.46309      ESTABLISHED
tcp4       0      0 10.30.19.163.22        *.*                    LISTEN
udp4       0      0 10.30.19.163.123       *.*                    
udp4       0      0 127.0.0.1.123          *.*                    
udp6       0      0 fe80::1%lo0.123        *.*                    
udp6       0      0 ::1.123                *.*                    
udp4       0      0 *.123                  *.*                    
udp6       0      0 *.123                  *.*                    

The last two lines show that ntpd listens on the wildcard address (any available address) for both IPv4 and IPv6, on UDP port 123. We should change this so it listens only on the addresses we want. Now, although I could not find it in the ntp.conf(5) manpage, I found a fairly recent article on NixCraft which correctly states that the interface directive can be used to control which IP addresses ntpd binds to. Here are the two lines I have appended to the default ntp.conf in order to get ntpd to listen on a single IPv4 address only:

interface ignore wildcard
interface listen 10.30.19.163

After (re)starting the ntpd daemon, we should see it bound to 10.30.19.163 plus the loopback addresses, which ntpd keeps bound regardless of the interface rules, as the listing below shows. Let's check with netstat:

pacija@warden1:~ % sudo netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.30.19.163.22        10.30.19.45.46309      ESTABLISHED
tcp4       0      0 10.30.19.163.22        *.*                    LISTEN
udp4       0      0 10.30.19.163.123       *.*                    
udp4       0      0 127.0.0.1.123          *.*                    
udp6       0      0 ::1.123                *.*                    

OK, no more wildcards in the "Local Address" column, which is good. But I don't use IPv6 on this server (yet), so I'd like to prevent ntpd from listening on the IPv6 loopback address as well. This part is not accomplished in ntp.conf, but by passing the appropriate flags to ntpd in rc.conf.

Let's check the default flags for ntpd:

pacija@warden1:~ % cat /etc/defaults/rc.conf | grep ntpd_flags
ntpd_flags="-p /var/run/ntpd.pid -f /var/db/ntpd.drift"

We can now paste the above line into /etc/rc.conf and slightly modify it (prepend -4) in order to instruct ntpd to use IPv4 only. The ntpd-related portion of rc.conf then looks as follows:

ntpd_enable="YES"
ntpd_flags="-4 -p /var/run/ntpd.pid -f /var/db/ntpd.drift"

After service ntpd restart, we can use netstat to confirm that ntpd(8) indeed listens only on the specified IPv4 address and the IPv4 loopback:

pacija@warden1:~ % sudo netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.30.19.163.22        10.30.19.45.46309      ESTABLISHED
tcp4       0      0 10.30.19.163.22        *.*                    LISTEN
udp4       0      0 10.30.19.163.123       *.*                    
udp4       0      0 127.0.0.1.123          *.*                    
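Reading netstat output by eye works for one daemon, but the jail(8) warning quoted above applies to every service on a jail host, so a scriptable check is handy. The following shell snippet is an added example and not part of the original post: it parses FreeBSD-style netstat -an output (local address printed as ADDRESS.PORT) and reports every socket bound to the wildcard address. The function names are my own, and the embedded samples are constructed to mirror the listings in this article, plus one extra tcp46 line (FreeBSD's notation for a dual-stack socket) standing in for an sshd left at its default bind, to show the check is not specific to ntpd.

```sh
#!/bin/sh
# Added example (not from the original post): find services bound to the
# wildcard address in `netstat -an` output, the jail-unfriendly case that
# jail(8) warns about. Function names and sample data are my own.

# Read netstat -an output on stdin and print "proto port" for every socket
# whose local address is the wildcard ("*.PORT"). FreeBSD prints the local
# address as ADDRESS.PORT, so the port is everything after the last dot.
# Protocol rows look like tcp4, tcp6, udp4, udp6 or tcp46/udp46 (dual stack);
# header lines and UNIX-domain sockets do not match and are skipped.
wildcard_listeners() {
    awk '
        $1 ~ /^(tcp|udp)(4|6|46)$/ && $4 ~ /^\*\./ {
            port = $4
            sub(/^.*\./, "", port)
            print $1, port
        }
    '
}

# Return 0 if no wildcard listener exists on the given port, 1 otherwise.
# Usage on a live host: netstat -an | check_port 123
check_port() {
    wildcard_listeners | awk -v p="$1" '$2 == p { found = 1 } END { exit found }'
}

# Constructed sample: ntpd with the stock ntp.conf (wildcard binds present).
NTP_DEFAULT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.30.19.163.22        10.30.19.45.46309      ESTABLISHED
tcp4       0      0 10.30.19.163.22        *.*                    LISTEN
udp4       0      0 10.30.19.163.123       *.*
udp4       0      0 127.0.0.1.123          *.*
udp6       0      0 fe80::1%lo0.123        *.*
udp6       0      0 ::1.123                *.*
udp4       0      0 *.123                  *.*
udp6       0      0 *.123                  *.*'

# Constructed sample: ntpd after "interface listen 10.30.19.163" and -4.
NTP_BOUND='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.30.19.163.22        *.*                    LISTEN
udp4       0      0 10.30.19.163.123       *.*
udp4       0      0 127.0.0.1.123          *.*'

# Constructed sample: same host, but sshd left on its default dual-stack
# wildcard bind (this line is not from the article).
SSHD_WILDCARD="$NTP_BOUND
tcp46      0      0 *.22                   *.*                    LISTEN"

# Demo on the constructed samples; on a real host run:
#   netstat -an | wildcard_listeners
printf 'wildcard listeners, stock ntp.conf:\n'
printf '%s\n' "$NTP_DEFAULT" | wildcard_listeners
printf 'wildcard listeners, bound ntpd:\n'
printf '%s\n' "$NTP_BOUND" | wildcard_listeners
if printf '%s\n' "$SSHD_WILDCARD" | check_port 22; then
    printf 'port 22: no wildcard listener\n'
else
    printf 'port 22: wildcard listener present, not jail-friendly\n'
fi
```

check_port is the piece to drop into a post-deployment check or a monitoring job: it exits non-zero whenever the named port is bound to the wildcard, whichever daemon owns it.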
