Design proposal for a better ACL language
Gary E. Miller
gem at rellim.com
Tue Jun 14 18:46:09 UTC 2016
Yo Achim!
On Tue, 14 Jun 2016 20:39:35 +0200
Achim Gratz <Stromeko at nexgo.de> wrote:
> Daniel Franke writes:
> >> Are there other good ACL languages that we can steal the spec or
> >> implementation from
> >
> > Most of the features we want to match on (basically everything
> > except IP/port) are NTP-specific, so not directly. But a lot of my
> > design was inspired by iptables.
>
> Sorry for the sidetracking, but while you mention iptables: if we can
> presume the existence of a packet filter in the OS, would it perhaps
> make sense to not implement that part of the filtering in ntpd and
> leave it to that filter?

I would use iptables, but iptables are a large burden on an embedded
system. I certainly do not want to have to manage iptables on my
old RasPi B. Or any of my RasPi's.

My head would hurt if I had to write an iptables rule that would allow
remote requests, but not remote peering.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
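
Added example (not part of the original message and not NTPsec code): the requests-versus-peering distinction mentioned above is carried in the 3-bit mode field of the first NTP header byte, not in the IP address or port, so a filter has to read the payload to see it. The sketch assumes "requests" means client mode (3) and "peering" means the symmetric modes (1 and 2); the policy set, function names and sample packets are constructed for illustration.

```python
# Added example, not NTPsec code. Policy and names are assumptions.
# NTP association modes: low 3 bits of the first header byte (RFC 5905).
MODES = {
    0: "reserved", 1: "symmetric-active", 2: "symmetric-passive",
    3: "client", 4: "server", 5: "broadcast", 6: "control", 7: "private",
}
HEADER_LEN = 48  # fixed header size of a time packet (modes 1-5)

# Hypothetical policy for remote sources: answer client requests,
# refuse symmetric (peer) associations and every other mode.
ALLOWED_REMOTE = {"client"}


def parse_first_byte(payload: bytes):
    """Return (leap, version, mode_name), or None for an empty payload."""
    if not payload:
        return None
    b = payload[0]
    return (b >> 6) & 0x3, (b >> 3) & 0x7, MODES[b & 0x7]


def decide(payload: bytes) -> str:
    """Return 'allow' or 'drop' for a UDP/123 payload from a remote source."""
    parsed = parse_first_byte(payload)
    if parsed is None:
        return "drop"
    _leap, _version, mode = parsed
    # A time packet shorter than the fixed header is malformed.
    if mode not in ("control", "private") and len(payload) < HEADER_LEN:
        return "drop"
    return "allow" if mode in ALLOWED_REMOTE else "drop"


def sample(first_byte: int) -> bytes:
    """Constructed test packet: given first byte, rest of the header zeroed."""
    return bytes([first_byte]) + bytes(HEADER_LEN - 1)


if __name__ == "__main__":
    # Constructed samples: all would arrive on the same UDP port.
    for label, pkt in [("client request (VN4, mode 3)", sample(0x23)),
                       ("symmetric active (VN4, mode 1)", sample(0x21)),
                       ("symmetric passive (VN4, mode 2)", sample(0x22)),
                       ("truncated client packet", b"\x23")]:
        print(f"{label:32} -> {decide(pkt)}")
```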