SINGLESOCK - How much to strip away?

Hal Murray hmurray at
Sat Jun 2 07:38:36 UTC 2018

fallenpegasus at said:
> I still want to strip it all and delegate it to iptables, case OMEGA.

I'm happy with that.  It may not be my first choice, but it's a decision we 
can all understand and get back to work.


Eric said:
> Case OMEGA:
> -I, -L, and the interface config directive all go away.  The daemon listens
> on all interfaces all the time.  Packet filtering is entirely outsourced to
> the kernel packet filter and-or dedicated firewalls. Attempting to invoke
> the old features fails loudly. 

We still have the restrict stuff.  They are pretty powerful.  If you are 
willing to translate interface names to IP Address ranges, I'll bet they can 
cover many/most cases.

> Sysadmins are used to having to bounce a database server when listener
> interface has an address event, but bouncing ntpd is much less okay. 

One interesting case is the home user.  Roughly, they don't have sysadmins 
and they only have one interface.  (Laptops might have both WiFi and Ether, 
but I'll bet somebody turns off WiFi if the Ether gets plugged in.)

By default, the ntp package on Debian is setup to use servers setup by dhcp 
(if the dhcp server provides them).

>From /etc/init.d/ntp:
if [ -e /var/lib/ntp/ntp.conf.dhcp ]; then
        NTPD_OPTS="$NTPD_OPTS -c /var/lib/ntp/ntp.conf.dhcp"

Raspbian has:
which restarts ntpd when dhcp reconnects.  (or something like that)

These are my opinions.  I hate spam.

More information about the devel mailing list