Why admin's do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)
jason at azze.org
Tue May 29 20:32:04 UTC 2018
On Tue, May 29, 2018, at 4:28 PM, Richard Laager via devel wrote:
> Choosing _which_ interfaces to listen() on at all is not userspace
> packet filtering.
This is my instinct as well. I suspect I don't understand what we're talking about, so I am hesitant to comment.
Are you suggesting removing the feature that makes ntpd configurable to listen on a specified interface so that it will instead listen on all interfaces (including docker0, vibr0, etc.) with the idea that -- if a sysadmin wanted ntpd to use only one interface, they "shoulda used Netfilter"?
I'd be pretty pissed off if, let's say, the Postfix or MySQL people took this attitude. That's why I think I'm misunderstanding.
More information about the devel