SINGLESOCK - How much to strip away?
Matthew.Selsky at twosigma.com
Tue Jun 5 00:35:25 UTC 2018
On Wed, May 30, 2018 at 03:08:42PM -0400, Eric S. Raymond wrote:
> Matthew Selsky <Matthew.Selsky at twosigma.com>:
> > We also use "-I address" on multi-homed hosts to attempt to ensure
> > that ntpd is only listening on the private side and is not even
> > bound to the port on the public side.
> Do you also use filter rules to block ingress? Would you be
> inconvenienced if -I went away?
We don't use filter rules in ntp.conf to block ingress. I wouldn't mind if -I went away, with proper warnings, etc.
> Do you ever use "interface" directives?
We don't currently, since -I did the trick. It's interesting that the man page for ntpd reports wildcard and localhost are still opened for -I.
2018-06-05T00:25:57.957+00:00 my.host.name ntpd: Listen and drop on 0 v6wildcard [::]:123
Wildcard seems counter-intuitive (though on my multi-homed hosts, it does prevent opening a socket for each specific interface). Leaving the wildcard socket is likely not doing what I intended. Maybe. What's the value of "Listen and drop"?
I guess I'll replace -I with this in ntp.conf:
interface listen 127.0.0.1
interface listen ::1
interface listen address
This means that I'll need to template /etc/ntp.conf instead of /etc/default/ntp... no big deal. As long as I get a deprecation warning, etc.
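A defender's check for the concern above (confirming what ntpd actually has bound after swapping -I for interface directives), added here as example code that is not part of the original post or of ntpd: it parses `ss -ulnp` output, constructed inline, and labels each ntpd socket as wildcard, loopback, allowed, or unexpected. The ss column layout and the private-side address 10.20.30.40 are assumptions.

```python
import ipaddress

# Constructed sample of `ss -ulnp` output on a multi-homed host (not from the
# original post); columns State/Recv-Q/Send-Q/Local/Peer/Process are assumed.
SAMPLE_SS = """\
State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port  Process
UNCONN 0      0             0.0.0.0:123         0.0.0.0:*     users:(("ntpd",pid=812,fd=16))
UNCONN 0      0           127.0.0.1:123         0.0.0.0:*     users:(("ntpd",pid=812,fd=17))
UNCONN 0      0         10.20.30.40:123         0.0.0.0:*     users:(("ntpd",pid=812,fd=18))
UNCONN 0      0         203.0.113.7:123         0.0.0.0:*     users:(("ntpd",pid=812,fd=19))
UNCONN 0      0                [::]:123            [::]:*     users:(("ntpd",pid=812,fd=20))
UNCONN 0      0               [::1]:123            [::]:*     users:(("ntpd",pid=812,fd=21))
UNCONN 0      0             0.0.0.0:68          0.0.0.0:*     users:(("dhclient",pid=400,fd=6))
"""

def _parse_local(field):
    """Split 'addr:port' as printed by ss; returns (ip_address or None, port)."""
    host, port = field.rsplit(":", 1)
    host = host.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and scope id
    if host == "*":                            # ss prints '*' for some wildcards
        return None, port
    return ipaddress.ip_address(host), port

def classify(addr, allowed):
    """Label one bound address: wildcard, loopback, allowed, or unexpected."""
    if addr is None or addr.is_unspecified:
        return "wildcard"
    if addr.is_loopback:
        return "loopback"
    if addr in allowed:
        return "allowed"
    return "unexpected"

def audit_ntpd_sockets(ss_output, allowed, port="123", proc="ntpd"):
    """Return {local_address: verdict} for every UDP socket proc holds on port."""
    allowed = {ipaddress.ip_address(a) for a in allowed}
    findings = {}
    for line in ss_output.splitlines()[1:]:    # skip the header row
        fields = line.split()
        if len(fields) < 6 or f'"{proc}"' not in fields[5]:
            continue
        addr, p = _parse_local(fields[3])
        if p != port:
            continue
        findings[str(addr) if addr else "*"] = classify(addr, allowed)
    return findings

if __name__ == "__main__":
    # Only the private-side address is expected; loopback is acceptable.
    for local, verdict in audit_ntpd_sockets(SAMPLE_SS, ["10.20.30.40"]).items():
        print(f"{verdict:10s} {local}")
```

Anything reported as wildcard or unexpected is a socket the "interface listen" lines did not close, which is exactly the case the wildcard "Listen and drop" log line hints at.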