To prevent the NTP service from listening on all existing interfaces, it would be good to implement CLI options to configure interfaces for the NTP service, for example to add in ntp.conf:
interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1
We already have set system ntp allow-clients address 172.16.0.0/12 which can become a brother to a new command named set system ntp listen-on.
@dmbaturin @syncer may I raise the question why this is under system and not the service tree?
@syncer we do offer NTP as a service (unfortunately it's under the system tree instead of service).
cpo@LR1# set system ntp
Possible completions:
 > allow-clients   Network Time Protocol (NTP) server options
+> server          Network Time Protocol (NTP) server
We support several servers and also an allow-clients feature where only clients listed as IP networks are allowed to query. The NTP server listens on all interfaces right now. NTP is also already re-written as an XML style interface definition (T623). The question here is about extending the CLI and binding NTP to a specific IP (we should add this).
That is weird,
I was under the impression that we have it as a client.
So it perfectly makes sense to have it under service.
As soon as someone sets set system ntp allow-clients address 172.16.0.0/12 we act as an NTP server for this network, too. It's a bit odd that this node is under system but ... it is as it is.
If this node is set we listen on every interface:
# sudo netstat -vaun | grep 123
udp        0      0 172.16.37.241:123       0.0.0.0:*
udp        0      0 172.16.254.36:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::250:56ff:feaa:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*
You can test this e.g. under Windows w/ $ w32tm /stripchart /computer:<ipaddress> /dataonly /samples:100
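The netstat listing above is the check a defender would want to automate: which local addresses port 123/udp is bound to, and whether the catch-all sockets (0.0.0.0 and ::) are among them. The following is an added example, not code from the VyOS project or from anyone in this thread; it parses `netstat -vaun` output (the sample is a constructed copy of the lines quoted above) and reports wildcard and otherwise unexpected bindings.

```python
"""Audit which local addresses ntpd is bound to, from `netstat -vaun` output.

Added example for this thread; not VyOS code. Function and constant names
are the example's own choices.
"""
from dataclasses import dataclass

NTP_PORT = 123
# The two catch-all addresses ntpd opens unless told `interface ignore wildcard`.
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}

# Constructed sample: the `netstat -vaun | grep 123` output quoted in the thread.
# netstat truncates long IPv6 addresses (fe80::250:56ff:feaa), exactly as shown there.
SAMPLE_NETSTAT = """\
udp        0      0 172.16.37.241:123       0.0.0.0:*
udp        0      0 172.16.254.36:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::250:56ff:feaa:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*
"""


@dataclass(frozen=True)
class UdpSocket:
    proto: str      # "udp" or "udp6"
    address: str    # local address as printed by netstat
    port: int


def parse_udp_sockets(text):
    """Parse netstat lines into UdpSocket records; skips headers, prompts and TCP rows."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        # Expect: proto recv-q send-q local-address foreign-address
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        # rpartition handles IPv6 ("::1:123" -> "::1", "123"; ":::123" -> "::", "123").
        address, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        sockets.append(UdpSocket(fields[0], address, int(port)))
    return sockets


def ntp_bindings(text, port=NTP_PORT):
    """All UDP sockets bound to the NTP port, in listing order."""
    return [s for s in parse_udp_sockets(text) if s.port == port]


def wildcard_bindings(text, port=NTP_PORT):
    """NTP sockets bound to 0.0.0.0 or ::, i.e. reachable via every interface."""
    return [s for s in ntp_bindings(text, port) if s.address in WILDCARD_ADDRESSES]


def unexpected_bindings(text, allowed, port=NTP_PORT):
    """NTP sockets whose local address is not in the operator's allowed set."""
    return [s for s in ntp_bindings(text, port) if s.address not in allowed]


if __name__ == "__main__":
    # Policy used here: only loopback should serve NTP on this box.
    for sock in unexpected_bindings(SAMPLE_NETSTAT, {"127.0.0.1", "::1"}):
        kind = "WILDCARD" if sock.address in WILDCARD_ADDRESSES else "unexpected"
        print(f"{kind}: {sock.proto} {sock.address}:{sock.port}")
```

Feed it live output with `netstat -vaun` (or adapt the parser to `ss -ulnp`, which does not truncate IPv6 addresses) and treat any wildcard hit as the "listening everywhere" condition the thread is about.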
I propose:
set system ntp listen-address
Possible completions:
  <x.x.x.x>           Domain Name Server (DNS) IPv4 address
  <h:h:h:h:h:h:h:h>   Domain Name Server (DNS) IPv6 address
b/c NTPd uses IP addresses for listen connections and not interfaces.
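Since ntpd is configured with addresses rather than interface names, a `listen-address` node maps directly onto the `interface` directives from the top of this thread. The following is an added example of that rendering step, not VyOS's own config script: it takes the list of addresses the operator set, validates them, and emits `interface ignore wildcard` plus one `interface listen` line per address. Keeping loopback listenable by default (`keep_loopback`) and the function names are this example's assumptions.

```python
"""Render ntpd `interface` directives from a listen-address list.

Added example for this thread; not the VyOS project's code. The behaviour
when the node is unset (emit nothing, ntpd keeps binding everything) mirrors
the current state described in the thread.
"""
import ipaddress

# Assumption: loopback stays listenable so local tools (ntpq etc.) keep working.
LOOPBACK_ADDRESSES = ("127.0.0.1", "::1")


def invalid_addresses(listen_addresses):
    """Return the entries that are not valid IPv4/IPv6 addresses (CLI-level validation)."""
    bad = []
    for raw in listen_addresses:
        try:
            ipaddress.ip_address(raw)
        except ValueError:
            bad.append(raw)
    return bad


def render_interface_directives(listen_addresses, keep_loopback=True):
    """ntp.conf lines that bind ntpd only to the given addresses.

    An empty list means `listen-address` is unset: no directives are emitted
    and ntpd keeps its default of opening every address, including the
    0.0.0.0:123 / :::123 wildcard sockets shown in the netstat output above.
    """
    if not listen_addresses:
        return []
    bad = invalid_addresses(listen_addresses)
    if bad:
        raise ValueError(f"invalid listen-address value(s): {bad}")
    addresses = []
    for raw in listen_addresses:
        addr = str(ipaddress.ip_address(raw))   # canonical form, e.g. "::0001" -> "::1"
        if addr not in addresses:               # de-duplicate while preserving order
            addresses.append(addr)
    if keep_loopback:
        for lo in LOOPBACK_ADDRESSES:
            if lo not in addresses:
                addresses.append(lo)
    # `ignore wildcard` drops the catch-all sockets; each `listen` re-enables one address.
    return ["interface ignore wildcard"] + [f"interface listen {a}" for a in addresses]


def apply_listen_addresses(ntp_conf, listen_addresses, keep_loopback=True):
    """Strip any existing `interface` directives from ntp_conf and append the rendered ones."""
    kept = [line for line in ntp_conf.splitlines()
            if not line.strip().startswith("interface ")]
    new = render_interface_directives(listen_addresses, keep_loopback)
    return "\n".join(kept + new) + "\n"


if __name__ == "__main__":
    # Constructed sample config; ntp.example.net is a placeholder server name.
    sample_conf = "server ntp.example.net\ninterface listen 10.0.0.1\n"
    print(apply_listen_addresses(sample_conf, ["172.16.37.241"]))
```

For the router in the netstat listing, `set system ntp listen-address 172.16.37.241` would then leave only 172.16.37.241:123 and the loopback sockets open, which is the check the previous example automates.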
It looks pretty clear from a configuration point of view. Actually this request was made to avoid a potential security breach if somebody doesn't have a correct ACL on the WAN-facing interface.