Why admin's do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)

Gary E. Miller gem at rellim.com
Tue May 29 19:24:58 UTC 2018

Yo Eric!

On Tue, 29 May 2018 15:15:15 -0400
"Eric S. Raymond via devel" <devel at ntpsec.org> wrote:

> I could summarize it something like this:
> "We have removed packet filtering by interface name because we judge
> it's a security-defect attractor.  The place to do this is in
> kernel-level packet filters and firewalls, which get much more
> scrutiny; good admin practice in this century is to not trust
> usespace packet filtering at all."


> This opens a can of worms, though.  Should we drop the entire
> interface command?

Yes, after years of deprecation.  At least to start we want to be drop=in
replacement for NTP Classic.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20180529/d1960cd7/attachment.bin>

More information about the devel mailing list