Why admin's do not trust daemons to do their own packet filtering

Eric S. Raymond esr at thyrsus.com
Tue May 29 20:02:45 UTC 2018

Hal Murray via devel <devel at ntpsec.org>:
> > We could kill the interface command, and let the usual syntax error happen.
> > Or we could raise a special syntax error, calling out the need to use the
> > packet filter instead.  Then the question becomes, is it a warn-and-continue,
> >  or a error-and-halt? 
> Error and halt.  (or set a flag to halt after the rest of the parsing)
> This is a security issue.  We don't want to let evil packets in.

I concur.  If we're going to drop this command it should fail loudly and hard.
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.

More information about the devel mailing list