SINGLESOCK - How much to strip away?
Matthew.Selsky at twosigma.com
Wed May 30 16:06:56 UTC 2018
On Wed, May 30, 2018 at 05:11:23AM -0400, Eric S. Raymond via devel wrote:
> >If you were an admin and wanted to take packets from the red cable and
> >ignore packets from the blue cable, how would you set things up? Would you
> >filter by interface name or IP Address?
> Ask a large-site admin, someone like Matt Selsky. I'm not one, I've never set
> up anything like that.
We use "-L" on hosts with hundreds of virtual IPs to avoid errors about "out of file descriptors".
We also use "-I address" on multi-homed hosts to attempt to ensure that ntpd is only listening on the private side and is not even bound to the port on the public side.
Since there are no warnings for -I usage, we've never moved away from them.
We use "restrict" statements to allow access from our CIDR blocks for ntp clients, monitoring, and response packets back from "server" statements.
Let me know if you need additional information about how we use these features.
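One way to check the "-I address" goal described in the message above (ntpd not bound to UDP port 123 on the public side), as an added example that is not part of the original post or of NTPsec. It assumes Linux `ss -H -uln` output with the local address as the second-to-last field; the 10.0.0.0/8 private block and the sample lines are constructed.

```python
import ipaddress

# Assumption: the site's private CIDR blocks (constructed value).
PRIVATE_BLOCKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample of `ss -H -uln` output: State Recv-Q Send-Q Local Peer
SAMPLE_SS = """\
UNCONN 0 0 127.0.0.1:123 0.0.0.0:*
UNCONN 0 0 10.20.30.40:123 0.0.0.0:*
UNCONN 0 0 198.51.100.7:123 0.0.0.0:*
UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
UNCONN 0 0 [fe80::1]%eth0:123 [::]:*
UNCONN 0 0 10.20.30.40:514 0.0.0.0:*
"""


def split_local(field):
    """Split 'addr:port', '[v6]:port' or 'addr%ifname:port' into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.split("%", 1)[0].strip("[]")  # drop interface scope and brackets
    if host == "*":                           # some ss versions print the wildcard as '*'
        host = "0.0.0.0"
    return host, port


def unexpected_ntp_binds(ss_output, allowed=PRIVATE_BLOCKS, port="123"):
    """Return (address, reason) for each socket on `port` bound outside `allowed`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        host, local_port = split_local(fields[-2])
        if local_port != port:
            continue
        addr = ipaddress.ip_address(host)
        if addr.is_loopback:
            continue
        if addr.is_unspecified:
            # A wildcard socket accepts packets arriving on every interface.
            findings.append((host, "wildcard bind"))
        elif not any(addr in net for net in allowed):
            findings.append((host, "outside allowed blocks"))
    return findings


if __name__ == "__main__":
    for address, reason in unexpected_ntp_binds(SAMPLE_SS):
        print(f"{address}: {reason}")
```
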