Topic: Configuring ntpd and php-fpm to only listen on lan interface

bigguy_
Configuring ntpd and php-fpm to only listen on lan interface
« on: September 11, 2017, 07:08:30 pm »
I want to make sure that no services are listening on the wan interface for security reasons and I have run into some puzzling obstacles.

The relevant lines from my /var/etc/ntpd.conf

interface listen 127.0.0.1
interface listen 192.168.1.1

However the diag_sockets.php page on the webgui shows ntp listening as below

root  ntpd  23304   21   udp4    *:123      *.*
root  ntpd  23304   22   udp4   192.168.1.1:123  *.*
root  ntpd  23304   23   udp4   127.0.0.1:123  *.*
root  ntpd  23304   20   udp6    *:123    *.*
root  ntpd  23304   24   udp6    ::1:123   *.*


And the relevant lines from my /usr/local/etc/php-fpm.conf file

listen = /var/run/php-fpm.socket


And the open sockets

root   php-fpm   292   5   udp4   *.*    *.*
root   php-fpm   291   5   udp4   *.*    *.*
root   php-fpm   290   5   udp4   *.*    *.*
root   php-fpm   289   5   udp4   *.*    *.*
root   php-fpm   292   5   udp6   *.*    *.*
root   php-fpm   291   5   udp6  *.*    *.*
root   php-fpm   290   5   udp6   *.*    *.*
root   php-fpm   289   5   udp6   *.*    *.*

Netstat -nl shows

udp4   0   0   127.0.01.123    *.*
udp4   0   0   192.168.1.1.123   *.*

So nothing listening on all ports. Is this just an artifact of how diag_sockets displays socket information? It seems *:123 should mean ntpd is listening on all interfaces on port 123. Also I can't fully trust the netstat output because it doesn't show nginx listening on 443 and 80 despite an active web connection, which will have to be a question for another day. But I am very confused how and why ntpd and php-fpm show as listening on all interfaces when the conf files show them as restricted to the lan for ntpd and a local unix file socket for php-fpm.
Can anyone shed any light on this?

bigguy_
Re: Configuring ntpd and php-fpm to only listen on lan interface
« Reply #1 on: September 12, 2017, 09:42:03 am »
Some relevant syslog entries

Ntpd[22379]: Listen and drop on 0 v6wildcard [::]:123
Ntpd[22379]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Ntpd[22379]: Listen normally on 2 em1 192.168.1.1:123
Ntpd[22379]: Listen normally on 3 lo0 127.0.0.1:123
Ntpd[22379]: Listen normally on 4 lo0 [::]:123
Ntpd[22379]: Listening on routing socket on fd #25 for interface updates

While I'm glad ntpd is dropping packets on the wan interface, I'd rather it wasn't listening at all. I deleted the "interface drop all" line from the conf file for that very reason and yet ntpd is ignoring its own conf.

doktornotor
Re: Configuring ntpd and php-fpm to only listen on lan interface
« Reply #2 on: September 12, 2017, 10:33:29 am »
You cannot do any such thing with ntpd because the upstream is just moronic and completely hopeless.

http://bugs.ntp.org/show_bug.cgi?id=2996#c1

Quote
ntpd currently binds always to wildcard for two purposes:
- avoid running multiple times (detected by EADDRINUSE)
- prevent other applications from binding to that port (somewhat defeated by the -I directive)

ntpd will bind to wildcard, but will drop all packets received on it:
21 Jan 21:26:14 ntpd[30070]: Listen and drop on 0 v4wildcard 0.0.0.0:123

Binding to the wildcard address cannot be avoided. Communication via wildcard is not done (except for very peculiar OS variants).

http://support.ntp.org/bin/view/Dev/NtpdAndNetworkSockets
http://bugs.ntp.org/show_bug.cgi?id=2996
http://bugs.ntp.org/show_bug.cgi?id=2637
http://bugs.ntp.org/show_bug.cgi?id=983
http://bugs.ntp.org/show_bug.cgi?id=214

Do NOT PM for help!

bigguy_
Re: Configuring ntpd and php-fpm to only listen on lan interface
« Reply #3 on: September 12, 2017, 02:45:31 pm »
Thanks for the info, but I did find a way. I added "interface ignore wildcard" to ntpd.conf and Hallelujah, it works! That only leaves php-fpm. Any ideas on that one?
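As an added example, not code from the thread or from pfSense, here is a small Python audit for the situation discussed above: it parses ntpd's "Listen ..." syslog lines and diag_sockets rows, checks each bind against the ntpd.conf "interface listen" directives, and separates wildcard binds that ntpd drops from listeners the config never named. The log lines, config and socket rows are constructed from the posts above; the column order assumed for the socket rows is user, process, pid, fd, proto, local, foreign.

```python
import re

# Constructed sample: the ntpd syslog lines quoted in Reply #1
NTPD_LOG = """\
Ntpd[22379]: Listen and drop on 0 v6wildcard [::]:123
Ntpd[22379]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Ntpd[22379]: Listen normally on 2 em1 192.168.1.1:123
Ntpd[22379]: Listen normally on 3 lo0 127.0.0.1:123
Ntpd[22379]: Listen normally on 4 lo0 [::]:123
Ntpd[22379]: Listening on routing socket on fd #25 for interface updates
"""
# Constructed: the 'interface' directives from the original post's ntpd.conf
NTPD_CONF = "interface listen 127.0.0.1\ninterface listen 192.168.1.1\n"
# Constructed: diag_sockets rows for ntpd from the original post
SOCKETS = """\
root  ntpd  23304   21   udp4    *:123      *.*
root  ntpd  23304   22   udp4   192.168.1.1:123  *.*
root  ntpd  23304   23   udp4   127.0.0.1:123  *.*
root  ntpd  23304   20   udp6    *:123    *.*
root  ntpd  23304   24   udp6    ::1:123   *.*
"""

# "Listen normally on 2 em1 192.168.1.1:123" / "Listen and drop on 0 v6wildcard [::]:123"
LISTEN_RE = re.compile(r"Listen (normally|and drop) on \d+ (\S+) (\[[^\]]+\]|[\d.]+):(\d+)")

def allowed_addresses(conf):
    """Addresses explicitly named by 'interface listen <addr>' directives."""
    return {m.group(1) for m in re.finditer(r"^\s*interface\s+listen\s+(\S+)", conf, re.M)}

def audit_ntpd(log, conf):
    """Classify each ntpd bind: wildcard-and-drop, permitted by conf, or unexpected."""
    allowed = allowed_addresses(conf)
    report = {"dropping": [], "listening": [], "unexpected": []}
    for line in log.splitlines():
        m = LISTEN_RE.search(line)
        if not m:
            continue                               # e.g. the routing-socket line
        mode, iface, addr, port = m.groups()
        entry = f"{iface} {addr}:{port}"
        if mode == "and drop":
            report["dropping"].append(entry)       # wildcard bind; ntpd discards packets
        elif addr.strip("[]") in allowed:
            report["listening"].append(entry)
        else:
            report["unexpected"].append(entry)     # bound, but not named in the config
    return report

def wildcard_sockets(sockets, proc="ntpd"):
    """(proto, local) pairs where <proc> holds a socket bound to the wildcard address."""
    rows = (line.split() for line in sockets.splitlines())
    return [(f[4], f[5]) for f in rows if len(f) >= 6 and f[1] == proc and f[5].startswith("*:")]
```

On a real box, feed `audit_ntpd` the "Listen" lines from the system log and `wildcard_sockets` the diag_sockets or sockstat rows; an empty "unexpected" list and, after "interface ignore wildcard", an empty "dropping" list is the state the original poster was after.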