Why admin's do not trust daemons to do their own packet filtering (was Re: Resuming the great cleanup)

Gary E. Miller gem at rellim.com
Tue May 29 21:23:35 UTC 2018

Yo Eric!

On Tue, 29 May 2018 17:02:47 -0400
"Eric S. Raymond" <esr at thyrsus.com> wrote:

> Gary E. Miller via devel <devel at ntpsec.org>:
> > Yo Eric!
> > 
> > On Tue, 29 May 2018 16:17:36 -0400
> > "Eric S. Raymond" <esr at thyrsus.com> wrote:
> >   
> > > Please either choose one drop/no-drop or explain why these cases
> > > should be treated separately.  
> > 
> > If that is the choice, the choice should be no-drop.  
> Well, then, we're back to square one, and you now have an argument
> with Mark over his decision to drop filtering by name.

Hal's suggestions of violently refusing to start may be the way out.

> But when I wrote this:
> "We have removed packet filtering by interface name because we judge
> it's a security-defect attractor.  The place to do this is in
> kernel-level packet filters and firewalls, which get much more
> scrutiny; good admin practice in this century is to not trust
> usespace packet filtering at all."
> you endorsed it.  Does that change if "name" in the first sentence is
> deleted?

I see we are juggling several over-lapping topics.

One: interface selection

Two: IP filtering

Three: IP filtering by interface

IMHO, we need to keep enable/disable by interface.  Too many server
installations depend on that.

But, filtering globally, and per interface, should be removed.  It
should be done by the system firewall.  But filtering removed in a way
to lesson the pain of people moving from NTP Classic to NTPsec.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20180529/893027ba/attachment.bin>

More information about the devel mailing list