Why admins do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)

Kurt Roeckx kurt at roeckx.be
Tue May 29 19:35:46 UTC 2018


On Tue, May 29, 2018 at 03:15:15PM -0400, Eric S. Raymond via devel wrote:
> [[interface]]
> +interface+ [+listen+ | +ignore+ | +drop+] [+all+ | +ipv4+ | +ipv6+ | +wildcard+ | 'name' | 'address'[/'prefixlen']]::
>   This command controls which network addresses +ntpd+ opens, and
>   whether input is dropped without processing.

Do we only have 1/2 socket by default, or do we still have a listen
socket per interface / ip address?

If there is still a socket per interface / ip address, at least
some of this will be useful to some people. There are actually
people that have more interfaces than you can have open files.


Kurt
