Solved NTP listening on all IPs - including those belonging to Jails

I'm trying to find out how to stop ntpd listening to IPs allocated to jails. I've spent a lot of time reading about /etc/ntp.conf but there doesn't seem to be an option to control where the daemon listens. At present it's listening to all.

At first I thought restrict was what I needed, but then I realised that refers to the client's address, not where the server listens. I want to release the jail's addresses. How can I do that without stopping NTP altogether?
 
I don't think it is possible to restrict ntpd(8) to a certain interface. This can indeed be abused when running jails. You can use restrict to harden your configuration, or choose the simple solution and switch to net/openntpd. ntimed will probably also be a fine alternative when it's ready.
 
Do this. This will work in the later version of ntpd(8) that is in 10.x or the ports system. I'm not sure if it works on earlier versions or not. Give it a try and see what happens.

Code:
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
interface listen 192.168.1.1
 
It seems whatever I do I need to install from ports rather than use the system-included version. I have installed net/openntpd. It also seems the problem has been fixed in 10.x onwards from xtaz's post above.

I'll mark this Solved although not quite in the way I had hoped.
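
One way to check the outcome discussed in this thread, as an added example that is not from any of the posters: the script reads sockstat(1)-style output and reports ntpd sockets on UDP port 123 that are bound outside an allow list. The sample output, the jail address 192.168.1.50, and the function names are constructed for illustration; the allow list is the set of addresses from the `interface listen` lines above.

```sh
#!/bin/sh
# Added example: report ntpd UDP/123 sockets bound outside an allow list.
# Input is sockstat(1)-style text on stdin. On a live FreeBSD host it could
# come from `sockstat -l -P udp -p 123` (assumed invocation, adjust as needed).

# Usage: ntpd_unexpected_binds "addr1 addr2 ..." < sockstat_output
# Prints "PROTO LOCAL-ADDRESS" for each unexpected socket; returns 1 if any.
ntpd_unexpected_binds() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
        $2 == "ntpd" && $5 ~ /^udp/ && $6 ~ /:123$/ {
            addr = $6
            sub(/:123$/, "", addr)   # strip only the port, keep IPv6 colons
            if (!(addr in ok)) { print $5, $6; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: ntpd with no interface directives on a host that also
# carries a jail address (192.168.1.50, hypothetical).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       612   20 udp4   *:123                 *:*
root     ntpd       612   21 udp6   *:123                 *:*
root     ntpd       612   22 udp4   127.0.0.1:123         *:*
root     ntpd       612   23 udp6   ::1:123               *:*
root     ntpd       612   24 udp4   192.168.1.1:123       *:*
root     ntpd       612   25 udp4   192.168.1.50:123      *:*
EOF
}

# Addresses from the `interface listen` lines in the thread.
ALLOWED="127.0.0.1 ::1 192.168.1.1"

if sample_sockstat | ntpd_unexpected_binds "$ALLOWED"; then
    echo "ntpd is bound only to allowed addresses"
else
    echo "ntpd has sockets outside the allow list (listed above)"
fi
```

Wildcard sockets (`*:123`) are reported as well, since a wildcard bind also covers the jail addresses.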
 