Bug 164348

Summary: ntpd(1): ntp.conf restrict default ignore option doesn't function as advertised
Product: Base System
Reporter: Enji Cooper <ngie>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed Not A Bug
Severity: Affects Only Me
CC: ian
Priority: Normal
Version: 9.0-STABLE
Hardware: Any
OS: Any

Description Enji Cooper freebsd_committer freebsd_triage 2012-01-21 09:20:06 UTC
While trying to lock down ntpd without a firewall, I was trying to do one of two things:

1. Get ntpd to listen only on localhost to avoid opening up potential security backdoors.
2. Get ntpd to listen to a select set of addresses.

Point was to get ntpd to function in a 'more secure' manner like ntpdate.

It doesn't seem that there's a 'listen only on select addresses option' available in ntpd, so 1. looks impossible. According to the documentation though, I should be able to restrict access to just localhost, so 2. should be doable [1]. In reality, this option doesn't seem to work as advertised, s.t. if I set 'restrict ignore default' it will reject all requests.

1. http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.2.1.

How-To-Repeat:
# sh
# cat > /etc/ntp.conf <<EOF
server 0.freebsd.pool.ntp.org iburst maxpoll 9
server 1.freebsd.pool.ntp.org iburst maxpoll 9
server 2.freebsd.pool.ntp.org iburst maxpoll 9

restrict default ignore
restrict 65.75.130.21
restrict 127.0.0.1
restrict -6 ::1
EOF
# service ntpd restart

Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 08:01:30 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped

Comment 2 Ian Lepore freebsd_committer freebsd_triage 2018-06-23 02:58:03 UTC
This was a case of erroneous configuration.
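
An added illustration, not part of the bug report and not ntpd's own code: this Python sketch models ntpd's documented restrict lookup, in which the most specific matching entry supplies the flags, and evaluates the restrict lines from How-To-Repeat against a few source addresses. The function names are hypothetical, 203.0.113.10 is a constructed address standing in for any host without its own restrict line, and treating `default` without -4/-6 as covering both address families is an assumption.

```python
import ipaddress

# restrict lines copied from the report's How-To-Repeat section
NTP_CONF = """\
restrict default ignore
restrict 65.75.130.21
restrict 127.0.0.1
restrict -6 ::1
"""

def parse_restrict(conf):
    """Parse 'restrict' lines into (network, flags) pairs.

    Simplified model: literal addresses only (no hostname resolution).
    Assumption: 'default' without -4/-6 covers both IPv4 and IPv6.
    """
    entries = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        tok = tok[1:]
        family = tok.pop(0) if tok[0] in ("-4", "-6") else None
        addr, rest = tok[0], tok[1:]
        if addr == "default":
            nets = [n for f, n in (("-4", "0.0.0.0/0"), ("-6", "::/0"))
                    if family in (None, f)]
        elif rest[:1] == ["mask"]:
            # Convert the mask to a prefix length; works for both families
            prefix = bin(int(ipaddress.ip_address(rest[1]))).count("1")
            nets, rest = [f"{addr}/{prefix}"], rest[2:]
        else:
            nets = [addr]  # bare address means a host entry (/32 or /128)
        for n in nets:
            entries.append((ipaddress.ip_network(n, strict=False), rest))
    return entries

def flags_for(source, entries):
    """Flags of the most specific (longest-prefix) entry matching source."""
    ip = ipaddress.ip_address(source)
    hits = [(net.prefixlen, flags) for net, flags in entries
            if net.version == ip.version and ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else []

def verdict(source, conf=NTP_CONF):
    """'dropped' if the matching entry carries 'ignore', else 'accepted'."""
    return "dropped" if "ignore" in flags_for(source, parse_restrict(conf)) else "accepted"

if __name__ == "__main__":
    # 203.0.113.10 is a constructed address standing in for an unlisted host
    for src in ("127.0.0.1", "::1", "65.75.130.21", "203.0.113.10"):
        print(f"{src:15} {verdict(src)}")
```

ntpd applies restrict entries to packets from its configured servers as well, so a server whose address has no entry of its own is matched by `default ignore` like any other source.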