Bug #9829
closed
NTP Status vs. parsing NTP Access Restrictions
100%
Description
Status/NTP displays "Statistics unavailable because ntpq and ntpdc queries are disabled in the NTP service settings" when noquery is set in an ACL which covers web clients IP address even when specific ACLs allow 127.0.0.1 and ::1
To reproduce:
Start with pfSense synced to NTP peer(s) and the following NTP ACLs:
restrict default kod limited nomodify noquery nopeer notrap
restrict -6 default kod limited nomodify noquery nopeer notrap
restrict source kod limited nomodify noquery notrap
restrict 127.0.0.1 mask 255.0.0.0
restrict ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
restrict 192.168.10.0 mask 255.255.255.0 kod limited nomodify noquery notrap
loggedon to pfsense via ssh "ntpq -4" and "ntpq -6" show correct values
In the web GUI (from Host with IP 192.168.10.42 Status/NTP complains as above and doesn't display any peers...
After adding a new ACL as:
restrict 192.168.10.42 mask 255.255.255.255 kod limited nomodify notrap
the web GUI also shows correct values.
After changing localhost ACLs to:
restrict 127.0.0.1 mask 255.0.0.0 noquery
restrict ::1 mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff noquery
the web GUI complains about:
No peers found, is the ntp service running?
So why checking the http clients IP address against ACLs in /usr/local/www/status_ntpd.php:
if (!empty($config['ntpd']['restrictions']['row']) && is_array($config['ntpd']['restrictions']['row'])) {
foreach ($config['ntpd']['restrictions']['row'] as $v) {
if (ip_in_subnet($_SERVER['REMOTE_ADDR'], "{$v['acl_network']}/{$v['mask']}")) {
$allow_query = !isset($v['noquery']);
}
}
}
and later quering ntpd with localhost address?
Updated by Jim Pingle over 4 years ago
- Target version set to 2.5.0
The page checks for settings, and if 'noquery' is set, then it assumes the daemon will be unreachable. It could maybe be smarter about that, but we can't risk having it run into a situation where it gets stuck waiting on a response that will never come.
Updated by Edgar Wiesmann over 4 years ago
Dear Jim,
thanks for your reply, but I'm afraid I did not quite understand it...
If I check "Disable ntpq and ntpdc queries (noquery)." in Default ACLs I have to explicitly allow localhost in an new ACL.
(if not: status page gives error message "No peers found, is the ntp service running?" after timeout...)
D'accord!
But why disallow an (already) authorized web GUI user, because his origin IP is disallowed by default/extra ACL (see above extrct of /usr/local/www/status_ntpd.php) and not check whether localhost is allowed to do queries?
IMHO /usr/local/www/status_ntpd.php should check whether localhost is allowed to query ntp deamon to avoid running into timeout...
I hope I'm not annoying...
Updated by Viktor Gurov over 4 years ago
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- Target version changed from 2.5.0 to 2.4.5
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Viktor Gurov over 4 years ago
- Status changed from Feedback to Resolved
Renato Botelho wrote:
PR has been merged. Thanks!
works as expected on 2.4.5.a.20200107.1903