By default ntpd listens on all interfaces

Bug #858493 reported by Pedro Côrte-Real
Affects: ntp (Ubuntu)
Status: Opinion
Importance: Wishlist
Assigned to: Unassigned

Bug Description

The default ntp configuration that ships with Ubuntu has ntp listening on all interfaces, when in most instances that's not needed. Adding the line:

interface ignore wildcard

to ntp.conf disables this and makes ntp only listen to localhost, which is enough for things like ntpq to still work. It would probably be even safer for it not to listen on any interfaces, but that doesn't seem to be possible, as "interface ignore all" seems to be completely ignored and "interface ignore lo" only disables localhost on IPv6. It seems listening to localhost on IPv4 is hardcoded into ntpd.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: ntp 1:4.2.6.p2+dfsg-1ubuntu5.1
ProcVersionSignature: Ubuntu 2.6.38-11.48-generic 2.6.38.8
Uname: Linux 2.6.38-11-generic x86_64
Architecture: amd64
Date: Sat Sep 24 20:04:13 2011
EcryptfsInUse: Yes
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature_: Ubuntu 2.6.38-11.48-generic 2.6.38.8
SourcePackage: ntp
UpgradeStatus: Upgraded to natty on 2011-05-07 (140 days ago)

Revision history for this message
Pedro Côrte-Real (pedrocr) wrote :

It seems "interface ignore wildcard" doesn't actually work as ntpd needs those listening interfaces to get packets back. openntpd seems to do without these though so it would be good if ntpd was also able to.

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Pedro, I fail to see how this is a bug at all. ntpd is a network service, and while it would be a nice enhancement to the packaging to have a low priority debconf question to ask if the user would like to disable network capabilities, there are plenty of users who will want it to listen on the network and respond to time requests.

Also, you may be surprised to see that ntpd doesn't actually *respond* to requests from IPs other than 127.0.0.1 or ::1:

clint@clint-MacBookPro:~$ ntpq 192.168.1.105
ntpq> peers
192.168.1.105: timed out, nothing received
***Request timed out
ntpq> ^D
clint@clint-MacBookPro:~$ ntpq 127.0.0.1
ntpq> peers
     remote refid st t when poll reach delay offset jitter
==============================================================================
+host2.kingrst.c 204.9.54.119 2 u 261 1024 377 84.351 -7.327 9.672
-vf1.bbnx.net 128.4.1.1 2 u 223 1024 377 155.919 14.811 9.898
*ntp.yoinks.net 198.153.152.52 2 u 802 1024 377 50.601 -12.461 14.969
+ticker.pascogov 128.4.1.1 2 u 339 1024 377 78.144 -4.778 6.295
+europium.canoni 193.79.237.14 2 u 263 1024 377 165.478 -12.394 8.661
ntpq>

So it's not actually all that important at all.

I'll mark this as Opinion, so others can find it and weigh in on it. For now though, I don't see a compelling argument for changing the way it works right now.

Changed in ntp (Ubuntu):
status: New → Opinion
importance: Undecided → Wishlist
Revision history for this message
Pedro Côrte-Real (pedrocr) wrote :

What I was pointing out is that ntp listens to *:* when that's not actually needed to function as an ntp client. Here's an example from a server I was just setting up.

With ntpd:

$ sudo netstat -atpun | grep ntp
udp 0 0 myIP:123 0.0.0.0:* 31805/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 31805/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 31805/ntpd
udp6 0 0 ::1:123 :::* 31805/ntpd
udp6 0 0 myIP :::* 31805/ntpd
udp6 0 0 :::123 :::* 31805/ntpd

with openntpd:

$ sudo netstat -atpun | grep ntp
udp 0 0 myIP:57706 88.190.225.228:123 ESTABLISHED 32455/ntpd
udp 0 0 myIP:46760 188.40.33.81:123 ESTABLISHED 32455/ntpd
udp 0 0 myIP:33742 88.190.225.228:123 ESTABLISHED 32455/ntpd
udp 0 0 myIP:34625 85.10.199.217:123 ESTABLISHED 32455/ntpd

So it seems to be possible to have working NTP communication without opening up port 123 on all interfaces for everyone to connect. I assume that's why /etc/ntp.conf has all those restrict lines by default, whereas /etc/openntp/ntpd.conf only has server lines.

I know ntp restricts responses to localhost by default so someone that wants to actually run an ntp server needs to change ntp.conf anyway. It might as well take the next step and not bind to the interfaces at all so as to not be a potential security risk.
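The check the reporter runs by eye above (which ntpd sockets are bound to the wildcard address rather than to loopback) can be scripted over `netstat -atpun` output. This is an added example, not code from the bug report or from the ntp package; the two netstat listings it reads are constructed to mirror the "With ntpd" output above, with the documentation address 192.0.2.10 standing in for "myIP".

```shell
# Print the local addresses of ntpd UDP sockets bound to the wildcard
# address (0.0.0.0:123 or :::123), space separated, reading netstat -atpun
# style lines on stdin. Columns: Proto Recv-Q Send-Q Local Foreign PID/Prog
# (UDP rows carry no State column, so the last field is PID/Program).
wildcard_ntp_binds() {
  awk '$1 ~ /^udp6?$/ && $NF ~ /\/ntpd$/ &&
       ($4 == "0.0.0.0:123" || $4 == ":::123") {
         out = out (out ? " " : "") $4
       }
       END { print out }'
}

# Constructed sample: the default Ubuntu ntpd binding, as quoted in the report.
sample_netstat_default() {
  cat <<'EOF'
udp        0      0 192.0.2.10:123   0.0.0.0:*   31805/ntpd
udp        0      0 127.0.0.1:123    0.0.0.0:*   31805/ntpd
udp        0      0 0.0.0.0:123      0.0.0.0:*   31805/ntpd
udp6       0      0 ::1:123          :::*        31805/ntpd
udp6       0      0 :::123           :::*        31805/ntpd
EOF
}

# Constructed sample: the loopback-only state the reporter is asking for.
sample_netstat_loopback() {
  cat <<'EOF'
udp        0      0 127.0.0.1:123    0.0.0.0:*   31805/ntpd
udp6       0      0 ::1:123          :::*        31805/ntpd
EOF
}

# Stand-alone run: report the wildcard binds found in each sample.
echo "default config: $(sample_netstat_default | wildcard_ntp_binds)"
echo "loopback only:  $(sample_netstat_loopback | wildcard_ntp_binds)"
```

On a live host, replace the sample function with `sudo netstat -atpun | wildcard_ntp_binds`; an empty result means no ntpd socket is exposed on the wildcard address.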
