>Number: 164348 >Category: bin >Synopsis: ntp.conf restrict default ignore option doesn't function as >advertised >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sat Jan 21 09:20:06 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Garrett Cooper >Release: 9.0-STABLE >Organization: n/a >Environment: FreeBSD bayonetta.local 9.0-STABLE FreeBSD 9.0-STABLE #4 r230371M: Thu Jan 19 23:55:38 PST 2012 gcooper@bayonetta.local:/usr/obj/store/freebsd/stable/9/sys/BAYONETTA amd64 >Description: While trying to lock down ntpd without a firewall, I was trying to do one of two things:
1. Get ntpd to listen only on localhost to avoid opening up potential security backdoors. 2. Get ntpd to listen to a select set of addresses. Point was to get ntpd to function in a 'more secure' manner like ntpdate. It doesn't seem that there's a 'listen only on select addresses option' available in ntpd, so 1. looks impossible. According to the documentation though, I should be able to restrict access to just localhost, so 2. should be doable [1]. In reality, this option doesn't seem to work as advertised, s.t. if I set 'restrict ignore default' it will reject all requests. 1. http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.2.1. >How-To-Repeat: # sh # cat > /etc/ntp.conf <<EOF server 0.freebsd.pool.ntp.org iburst maxpoll 9 server 1.freebsd.pool.ntp.org iburst maxpoll 9 server 2.freebsd.pool.ntp.org iburst maxpoll 9 restrict default ignore restrict 65.75.130.21 restrict 127.0.0.1 restrict -6 ::1 EOF # service ntpd restart >Fix: >Release-Note: >Audit-Trail: >Unformatted: _______________________________________________ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
