Does NTPd have to listen on an interface or address for updating the server time?

Solution 1:

Listening on localhost makes sense if you want to run queries on the local box. For example, ntpq -p localhost will query the ntp service running on your local box.

In general you probably want ntpd to listen on all real addresses that it needs to send or receive updates on. If you are running IPv6 you need to list the IPv6 addresses as well; otherwise just list the real server IP addresses and IPv4 localhost.

Solution 2:

If you just want to update the local time you should probably restrict access to the server, since ntpd doesn't support configuring the listen addresses.

The first thing to configure is the default policy. You can either block all communication not enabled afterwards, but remember that restrictions work both ways, for client and server.

restrict default ignore
# Allow access to localhost
restrict 127.0.0.1
restrict IP.OF.UPSTREAM.SERVER

Or you could allow the exchange of time by default and allow querying the server only to the localhost:

restrict -4 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1

Also, ntpd allows choosing the interface it runs on via the -I switch. If you are running Debian you can simply add that -I switch to the NTPD_OPTS variable in /etc/defaults/ntpd.

ntpd -I eth0
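
An added example, not part of either answer: a small Python sketch that parses the restrict lines from Solution 2 and reports which flags apply to a given source address, picking the most specific matching entry as ntpd does. It models IPv4 literals only; 192.0.2.10 is a constructed stand-in for IP.OF.UPSTREAM.SERVER and 198.51.100.7 is a constructed unrelated client.

```python
import ipaddress

# The two policies from Solution 2. 192.0.2.10 is a constructed
# stand-in for IP.OF.UPSTREAM.SERVER.
BLOCK_ALL = """
restrict default ignore
# Allow access to localhost
restrict 127.0.0.1
restrict 192.0.2.10
"""
ALLOW_TIME = """
restrict -4 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
"""

def parse_restrict(conf_text):
    """Return [(IPv4 network, flags)] for the restrict lines of an ntp.conf."""
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict" or tokens[1] == "-6":
            continue  # not a restrict line, or IPv6 (not modelled here)
        tokens = tokens[2:] if tokens[1] == "-4" else tokens[1:]
        if not tokens:
            continue  # "restrict -4" with no address
        addr, rest = tokens[0], tokens[1:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[:1] == ["mask"] and len(rest) >= 2:
            net = ipaddress.ip_network(f"{addr}/{rest[1]}", strict=False)
            rest = rest[2:]
        else:
            # Bare address = single host; hostnames raise ValueError here.
            net = ipaddress.ip_network(addr)
        rules.append((net, frozenset(rest)))
    return rules

def effective_flags(rules, source):
    """Flags of the most specific entry matching source; none if no match."""
    ip = ipaddress.ip_address(source)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    return max(matches, key=lambda m: m[0])[1] if matches else frozenset()

if __name__ == "__main__":
    for name, conf in (("block all", BLOCK_ALL), ("allow time", ALLOW_TIME)):
        rules = parse_restrict(conf)
        for src in ("127.0.0.1", "192.0.2.10", "198.51.100.7"):
            flags = " ".join(sorted(effective_flags(rules, src))) or "(no restrictions)"
            print(f"{name:10} {src:13} {flags}")
```

An empty flag set means the entry places no restrictions on that source, which is why the bare restrict 127.0.0.1 line acts as an allow rule.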