Date:      Fri, 6 Dec 2002 16:30:37 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Xntpd running on a host with jails
Message-ID:  <20021206163037.GA1630@happy-idiot-talk.infracaninophi>
In-Reply-To: <000001c29d37$7eb97280$952b6e94@lucifer>
References:  <000001c29d37$7eb97280$952b6e94@lucifer>

On Fri, Dec 06, 2002 at 03:55:19PM +0100, Didier Wiroth wrote:

> I'm running xntpd on a host which has jails! I saw that ntpd listens on
> all ip addresses even the jails ip addresses! How can I force xntp to
> listen only at a specific ip address?

Errr... To the best of my knowledge, you can't.  There's no documented
capability in the ntp.conf file to tell ntpd to bind to a particular
interface, and as far as I can tell from reading the source, there's
just no way to do that.

However, think about it.  You couldn't run several copies of ntpd
simultaneously on one physical machine --- makes no sense, even if the
ntpd's are running in separate jails.  The machine's clock can only be
set to one time.  As ntpd is going to be the only serious contender to
use UDP port 123, it really doesn't matter if the ntpd on the host
system blocks port 123 on the jails.

If you're worried about security, use the built-in mechanisms provided
by ntpd --- the best strategy is to use the 'restrict' mechanism to
set a default policy to ignore everything, and then open up the
minimum amount of access required to make the service work. E.g.

    restrict default ignore                         # Everyone can go away ...
    restrict 127.0.0.1                              # except me ...
    restrict 192.168.0.0 mask 255.255.255.0         # or the local net.
    
    server 123.45.67.89                             # A remote NTP server
    restrict 123.45.67.89 nomodify                  # Can send us a timestamp,
                                                    # but can't modify our
                                                    # configuration.

If you are using your machine to provide NTP service to a network of
clients or peering several machines together for resilience, create an
ntp.keys(5) file and copy it to each of your machines --- the M type
key format is probably the best, but you may need to use the A type to
support older servers.  Prefer the clients and local servers to use
the key-based auth mechanism to operate --- if you want to broadcast
or multicast a time signal to a whole network, this will be required.

Use IPFW or IPF to restrict access to the local port 123.  A useful
feature of NTP is that it uses port 123 at *both* ends of the
connection, although if your client is behind a NAT gateway it may
appear to use a random high-numbered port on the client end.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
                                                      Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
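An added example, not part of the message above: a small Python checker that reads the restrict lines from the ntp.conf fragment given in the reply and reports which flags apply to a given source address. It models ntpd's rule that the most specific (longest mask) matching entry wins, with 'default' as the 0.0.0.0/0 catch-all; it is a simplification (IPv4 only, no -4/-6 or keyword-style masks) written to illustrate the policy, not ntpd's own code.

```python
import ipaddress

# The configuration from the reply, embedded here as constructed sample input.
NTP_CONF = """\
restrict default ignore                         # Everyone can go away ...
restrict 127.0.0.1                              # except me ...
restrict 192.168.0.0 mask 255.255.255.0         # or the local net.

server 123.45.67.89                             # A remote NTP server
restrict 123.45.67.89 nomodify                  # Can send us a timestamp only
"""


def parse_restrict_lines(conf_text):
    """Return (network, flags) pairs for every 'restrict' line in conf_text.

    Comments are stripped, non-restrict lines (server, driftfile, ...) are
    skipped. 'restrict default' becomes the 0.0.0.0/0 catch-all; an address
    without 'mask' is a single host (/32). Assumes IPv4 only.
    """
    rules = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        if words[1] == "default":
            net, flags = ipaddress.ip_network("0.0.0.0/0"), words[2:]
        elif words[2:3] == ["mask"]:
            net = ipaddress.ip_network(f"{words[1]}/{words[3]}", strict=False)
            flags = words[4:]
        else:
            net, flags = ipaddress.ip_network(words[1]), words[2:]
        rules.append((net, frozenset(flags)))
    return rules


def effective_restrictions(conf_text, source_ip):
    """Flags ntpd applies to packets from source_ip under this configuration.

    ntpd picks the most specific matching entry, so a host entry beats a
    subnet entry which beats 'default'. An empty set means full access;
    {'ignore'} means the packet is dropped outright.
    """
    ip = ipaddress.ip_address(source_ip)
    best = None
    for net, flags in parse_restrict_lines(conf_text):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return set(best[1]) if best else set()


if __name__ == "__main__":
    for src in ("127.0.0.1", "192.168.0.42", "123.45.67.89", "10.0.0.1"):
        print(src, sorted(effective_restrictions(NTP_CONF, src)) or "full access")
```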
