SINGLESOCK - How much to strip away?
hmurray at megapathdsl.net
Sat Jun 2 07:38:36 UTC 2018
fallenpegasus at gmail.com said:
> I still want to strip it all and delegate it to iptables, case OMEGA.
I'm happy with that. It may not be my first choice, but it's a decision we
can all understand and get back to work.
> Case OMEGA:
> -I, -L, and the interface config directive all go away. The daemon listens
> on all interfaces all the time. Packet filtering is entirely outsourced to
> the kernel packet filter and-or dedicated firewalls. Attempting to invoke
> the old features fails loudly.
We still have the restrict stuff. They are pretty powerful. If you are
willing to translate interface names to IP Address ranges, I'll bet they can
cover many/most cases.
> Sysadmins are used to having to bounce a database server when listener
> interface has an address event, but bouncing ntpd is much less okay.
One interesting case is the home user. Roughly, they don't have sysadmins
and they only have one interface. (Laptops might have both WiFi and Ether,
but I'll bet somebody turns off WiFi if the Ether gets plugged in.)
By default, the ntp package on Debian is setup to use servers setup by dhcp
(if the dhcp server provides them).
if [ -e /var/lib/ntp/ntp.conf.dhcp ]; then
NTPD_OPTS="$NTPD_OPTS -c /var/lib/ntp/ntp.conf.dhcp"
which restarts ntpd when dhcp reconnects. (or something like that)
These are my opinions. I hate spam.
More information about the devel