My situation is that I have configured many virtual network interfaces for virtual machines, and some of my networks even have two or more addresses. I don't need ntpd to listen on all of these interfaces, but there seems to be no option to restrict which interfaces ntpd tries to bind to. Apart from all those "security" options in ntpd, for a system administrator who knows their environment, the best security option is simply not to listen on an interface at all. For example, not listening on the external interface at all is safer than restricting access through the ntp configuration.
Is there any known ntpd that can be configured to listen only on selected interfaces (as any network daemon should)?
There are two easy ways to do this, both documented in the official ntp documentation:
Use the -I command-line option when invoking ntpd:
-I [address | interface name]
Open the network address given, or all the addresses associated
with the given interface name. This option may appear multiple
times. This option also implies not opening other addresses,
except wildcard and localhost. This option is deprecated.
Please consider using the configuration file interface command,
which is more versatile.
Use the interface directive in ntp.conf:
interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name |
address[/prefixlen]]
This command controls which network addresses ntpd opens, and
whether input is dropped without processing. The first parameter
determines the action for addresses which match the second
parameter. That parameter specifies a class of addresses, or a
specific interface name, or an address. In the address case,
prefixlen determines how many bits must match for this rule to
apply. ignore prevents opening matching addresses, drop causes
ntpd to open the address and drop all received packets without
examination. Multiple interface commands can be used. The last
rule which matches a particular address determines the action
for it. interface commands are disabled if any -I, --interface,
-L, or --novirtualips command-line options are used. If none of
those options are used and no interface actions are specified
in the configuration file, all available network addresses are
opened. The nic command is an alias for interface.
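A constructed ntp.conf fragment, added here as an example and not part of the answer above, that applies the interface directive to the situation in the question: ignore everything first, then open only the loopback address, one management NIC and one internal subnet, with restrict lines for access control on top. The interface names (eth0, eth1) and addresses are assumptions.

```conf
# Constructed example ntp.conf fragment (not from the answer above).
# Rules are evaluated in order and the LAST rule matching an address wins,
# so start by ignoring everything, then open only what is needed.

interface ignore all            # no addresses at all by default
interface ignore wildcard       # do not bind 0.0.0.0 / ::
interface ignore ipv6           # no IPv6 sockets at all

interface listen 127.0.0.1      # keep loopback so 'ntpq -p' on the host works
interface listen eth1           # every address on the management NIC (assumed name)
interface listen 10.0.3.0/24    # any configured address inside the internal range

# Alternative for a NIC that must stay "open" but never answer anything:
# the socket is bound but every received packet is discarded unexamined.
# interface drop eth0

# Access control is independent of which sockets are open; keep both layers.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.0.3.0 mask 255.255.255.0 nomodify notrap

# Caveat from the documentation quoted above: any -I/--interface, -L or
# --novirtualips option on the ntpd command line (e.g. in the distribution's
# NTPD_OPTS / OPTIONS file) silently disables every interface command here.
```

After restarting ntpd, confirm the bound sockets with `ss -ulnp | grep ntpd` (or `ntpq -c ifstats`) rather than trusting the config alone.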