SINGLESOCK - How much to strip away?

Matthew Selsky Matthew.Selsky at
Tue Jun 5 00:35:25 UTC 2018

On Wed, May 30, 2018 at 03:08:42PM -0400, Eric S. Raymond wrote:
> Matthew Selsky <Matthew.Selsky at>:
> > We also use "-I address" on multi-homed hosts to attempt to ensure
> > that ntpd is only listening on the private side and is not even
> > bound to the port on the public side.
> Do you also use filter rules to block ingress?  Would you be
> inconvenienced if -I went away?

We don't use filter rules in ntp.conf to block ingress. I don't mind if -I went away, with proper warnings, etc.

> Do you ever use "interface" directives?

We don't currently, since -I did the trick.  It's interesting that the man page for ntpd reports wildcard and localhost are still opened for -I.

syslog shows:
2018-06-05T00:25:57.957+00:00 ntpd[100504]: Listen and drop on 0 v6wildcard [::]:123

Wildcard seems counter-intuitive (though on my multi-homed hosts, it does prevent opening a socket for each specific interface). Leaving the wildcard socket is likely not doing what I intended.  Maybe.  What's the value of "Listen and drop"?

I guess I'll replace -I with this in ntp.conf:

interface listen
interface listen ::1
interface listen address

This means that I'll need to template /etc/ntp.conf instead of /etc/default/ntp... no big deal. As long as I get a deprecation warning, etc.


More information about the devel mailing list