
Bind NTP service to specific interface
Closed, Resolved | Public | FEATURE REQUEST

Description

To prevent the NTP service from listening on all existing interfaces, it would be good to implement CLI options to configure the interfaces for the NTP service, for example by adding to ntp.conf:

interface ignore wildcard
interface listen 127.0.0.1
interface listen ::1

Details

Difficulty level: Unknown (requires assessment)
Version: -
Why the issue appeared?: Will be filled on close

maugli13 created this task. Apr 12 2018, 3:20 PM

We already have set system ntp allow-clients address 172.16.0.0/12, which can become a brother to a new command named set system ntp listen-on.

@dmbaturin @syncer may I raise the question why this is under the system tree and not the service tree?

syncer triaged this task as Normal priority. May 27 2018, 10:01 AM

@c-po I think we do not offer an NTP service as of now, but I think maybe we should?

c-po added a comment. Edited May 27 2018, 2:43 PM

@syncer we do offer NTP as a service (unfortunately it's under the system tree instead of service).

cpo@LR1# set system ntp
Possible completions:
 > allow-clients
                Network Time Protocol (NTP) server options
+> server       Network Time Protocol (NTP) server

We support several servers and also an allow-clients feature where only clients listed as IP networks are allowed to query. The NTP server listens on all interfaces right now. NTP is also already re-written as an XML style interface definition (T623). The question here is about extending the CLI and binding NTP to a specific IP (we should add this).

That is weird,
I was under the impression that we have it as a client.
So it makes perfect sense to have it under service.

c-po added a comment. Edited May 27 2018, 6:57 PM

As soon as someone sets set system ntp allow-clients address 172.16.0.0/12 we act as an NTP server for this network, too. It's a bit odd that this node is under system but ... it is as it is.

If this node is set we listen on every interface:

# sudo netstat -vaun | grep 123
udp        0      0 172.16.37.241:123       0.0.0.0:*
udp        0      0 172.16.254.36:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::250:56ff:feaa:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*

You can test this e.g. under Windows with w32tm /stripchart /computer:<ipaddress> /dataonly /samples:100

I propose:

set system ntp listen-address
Possible completions:
   <x.x.x.x>         Domain Name Server (DNS) IPv4 address
   <h:h:h:h:h:h:h:h> Domain Name Server (DNS) IPv6 address

because NTPd uses IP addresses for listen connections and not interfaces.

It looks pretty clear from a configuration point of view. Actually this request was made to avoid a potential security breach if somebody doesn't have correct ACLs on a WAN-facing interface.

c-po moved this task from Need Triage to Finished on the VyOS 1.2.x board. Jun 1 2018, 7:17 AM
dmbaturin assigned this task to c-po.
dmbaturin closed this task as Resolved. Tue, Sep 25, 6:20 PM
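The following is an added example written for this page; it is not code from the VyOS project, from ntpd, or from any participant in the thread. It mechanises the check c-po does by eye with netstat -vaun | grep 123 (list the local addresses bound on UDP/123 and flag the wildcard sockets 0.0.0.0 and ::, i.e. the "listens on every interface" state), and renders the ntp.conf interface lines from the task description for a list of listen addresses, as a hypothetical set system ntp listen-address node would have to. The sample netstat lines are constructed from the output quoted in the thread plus one unrelated udp/68 socket; the function names are invented for this example.

```shell
#!/bin/sh
# Added example for this task; not VyOS or ntpd project code.
#
# SAMPLE_NETSTAT is constructed from the netstat output quoted in the
# thread, with one extra non-NTP socket (udp/68) to show it is filtered
# out. On a live system feed real "netstat -vaun" output to the functions
# instead; "ss -ulpn" has a different column layout and would need the
# column index ($4) changed.
SAMPLE_NETSTAT='udp        0      0 172.16.37.241:123       0.0.0.0:*
udp        0      0 172.16.254.36:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 fe80::250:56ff:feaa:123 :::*
udp6       0      0 ::1:123                 :::*
udp6       0      0 :::123                  :::*
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Read netstat lines on stdin; print the local address of every udp/udp6
# socket bound to port $1, one per line. The port is taken as everything
# after the LAST ':' of the "Local Address" column, which is what makes
# IPv6 entries such as "::1:123" and ":::123" split correctly.
ntp_bound_addrs() {
    awk -v port="$1" '
        $1 ~ /^udp6?$/ {
            n = split($4, f, ":")
            if (f[n] != port) next
            print substr($4, 1, length($4) - length(port) - 1)
        }'
}

# Read netstat lines on stdin; return 0 if no wildcard socket (0.0.0.0 or
# ::) is bound to port $1, otherwise print the wildcard addresses and
# return 1. This is the condition the task wants to make configurable.
ntp_wildcard_check() {
    bad=$(ntp_bound_addrs "$1" | grep -Fx -e '0.0.0.0' -e '::')
    if [ -n "$bad" ]; then
        printf 'wildcard listener on udp/%s:\n%s\n' "$1" "$bad"
        return 1
    fi
    return 0
}

# Render the ntp.conf fragment from the task description for the given
# listen addresses: "interface ignore wildcard" first, then one
# "interface listen <addr>" per argument. Whether ntpd also keeps opening
# addresses that match no rule depends on its interface-rule semantics,
# so confirm the result with ntp_wildcard_check after restarting ntpd.
ntp_listen_conf() {
    printf 'interface ignore wildcard\n'
    for addr in "$@"; do
        printf 'interface listen %s\n' "$addr"
    done
}

# Demo on the constructed sample: the two wildcard sockets from the thread
# are reported, then the fragment for loopback-only listening is printed.
printf '%s\n' "$SAMPLE_NETSTAT" | ntp_wildcard_check 123 || echo "ntpd is bound to all interfaces"
ntp_listen_conf 127.0.0.1 ::1
```

On a VyOS box the same check is netstat -vaun | ntp_wildcard_check 123 after the configuration commit; a non-zero exit means the wildcard sockets are still open regardless of what the rendered ntp.conf says, which is the state an allow-clients ACL alone does not close.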