Why admins do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)
Gary E. Miller
gem at rellim.com
Tue May 29 19:24:58 UTC 2018
Yo Eric!
On Tue, 29 May 2018 15:15:15 -0400
"Eric S. Raymond via devel" <devel at ntpsec.org> wrote:
> I could summarize it something like this:
>
> "We have removed packet filtering by interface name because we judge
> it's a security-defect attractor. The place to do this is in
> kernel-level packet filters and firewalls, which get much more
> scrutiny; good admin practice in this century is to not trust
> userspace packet filtering at all."
+1
> This opens a can of worms, though. Should we drop the entire
> interface command?
Yes, after years of deprecation. At least to start we want to be a drop-in
replacement for NTP Classic.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin