Why admins do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)

Jason Azze jason at azze.org
Tue May 29 20:32:04 UTC 2018

On Tue, May 29, 2018, at 4:28 PM, Richard Laager via devel wrote:

> Choosing _which_ interfaces to listen() on at all is not userspace
> packet filtering.

This is my instinct as well. I suspect I don't understand what we're talking about, so I am hesitant to comment.

Are you suggesting removing the feature that makes ntpd configurable to listen on a specified interface so that it will instead listen on all interfaces (including docker0, virbr0, etc.) with the idea that -- if a sysadmin wanted ntpd to use only one interface, they "shoulda used Netfilter"?

I'd be pretty pissed off if, let's say, the Postfix or MySQL people took this attitude. That's why I think I'm misunderstanding. 

