Is there any ntpd that can be configured to listen to selected interfaces only?

ikrabbe · Jun 20, 2015 · Viewed 7.5k times

My situation is that I configure many virtual network interfaces for virtual machines, and some of my networks even have two or more addresses. I don't need ntpd to listen on all these interfaces, but there seems to be no option to restrict the interfaces ntpd tries to bind to. Besides all these "security" options in ntpd, for a system administrator who knows his environment, the best security option is not to listen on interfaces at all. For example, it would be more secure not to listen on external interfaces at all than to restrict access through ntp configuration.

Is there any ntpd software known that can be configured to listen only to selected interfaces (as any network daemon should)?

Answer

dfc · Jul 15, 2015

There are two easy ways to do this, both documented in the official ntp documentation:

  • Use the -I command line option for ntpd invocation

    -I [address | interface name]
    
          Open the network address given, or all the addresses associated
          with the given interface name.  This option may appear multiple
          times.  This option also implies not opening other addresses,
          except wildcard and localhost.  This option is deprecated.
          Please consider using the configuration file interface command,
          which is more versatile.
    

    From ntp's documentation on command line options for ntpd

  • Use the interface directive in ntp.conf:

    interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name |
               address[/prefixlen]]
    
          This command controls which network addresses ntpd opens, and
          whether input is dropped without processing. The first parameter
          determines the action for addresses which match the second
          parameter. That parameter specifies a class of addresses, or a
          specific interface name, or an address. In the address case,
          prefixlen determines how many bits must match for this rule to
          apply. ignore prevents opening matching addresses, drop causes
          ntpd to open the address and drop all received packets without
          examination. Multiple interface commands can be used. The last
          rule which matches a particular address determines the action
          for it. interface commands are disabled if any -I, --interface,
          -L, or --novirtualips command-line options are used. If none of
          those options are used and no interface actions are specified
          in the configuration file, all available network addresses are
          opened. The nic command is an alias for interface.
    

    From ntp's documentation on misc configuration options:
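To put the interface directive and its command-line caveat into practice, here is an added example (not from the original answer or the ntp project): one function writes an ntp.conf fragment that restricts ntpd to loopback and a single management address, ordered so that the catch-all ignore rules come first because ntpd applies the last matching rule, and a second function checks whether an ntpd command line carries one of the options that the documentation says disable interface directives. The address 10.0.0.5, the process name ntpd and the availability of pgrep are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The management address
# (10.0.0.5) is an assumption; substitute your own.

# Write the interface rules. ntpd applies the LAST matching rule, so the
# catch-all "ignore" lines must come before the specific "listen" lines.
write_ntp_interface_rules() {
    out="$1"
    cat >"$out" <<'EOF'
# Do not bind the wildcard sockets (0.0.0.0 and ::) ...
interface ignore wildcard
# ... and do not bind any other address by default
interface ignore all
# Then re-enable only what this host actually needs
interface listen 127.0.0.1
interface listen ::1
interface listen 10.0.0.5
EOF
}

# Per the documentation, interface directives are ignored entirely when ntpd
# is started with -I/--interface, -L or --novirtualips. Return 0 (true) if the
# given command line keeps the ntp.conf rules active, 1 if it disables them.
ntp_conf_rules_active() {
    for arg in $1; do
        case "$arg" in
            -I*|--interface|--interface=*|-L|--novirtualips) return 1 ;;
        esac
    done
    return 0
}

# Usage: inspect the command line of the running ntpd (process name assumed)
cmdline=$(pgrep -a -x ntpd 2>/dev/null | head -n 1)
if [ -n "$cmdline" ]; then
    if ntp_conf_rules_active "$cmdline"; then
        echo "ntp.conf interface rules are in effect; confirm with: ntpq -c iflist"
    else
        echo "command-line options override ntp.conf interface rules: $cmdline"
    fi
fi
```

After restarting ntpd, `ntpq -c iflist` shows which addresses it actually opened, and `ss -ulnp` confirms that UDP/123 is bound only where intended.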