Why admin's do not trust daemons to do their own packet filtering
Eric S. Raymond
esr at thyrsus.com
Tue May 29 20:02:45 UTC 2018
Hal Murray via devel <devel at ntpsec.org>:
> > We could kill the interface command, and let the usual syntax error happen.
> > Or we could raise a special syntax error, calling out the need to use the
> > packet filter instead. Then the question becomes, is it a warn-and-continue,
> > or a error-and-halt?
> Error and halt. (or set a flag to halt after the rest of the parsing)
> This is a security issue. We don't want to let evil packets in.
I concur. If we're going to drop this command it should fail loudly and hard.
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
More information about the devel