SINGLESOCK - How much to strip away?
Eric S. Raymond
esr at thyrsus.com
Wed May 30 19:08:42 UTC 2018
Matthew Selsky <Matthew.Selsky at twosigma.com>:
> We use "-L" on hosts with hundreds of virtual IPs to avoid errors
> about "out of file descriptors".
I see. OK, that problem would go away under SINGLESOCK - just one socket
for all IP addresses.
> We also use "-I address" on multi-homed hosts to attempt to ensure
> that ntpd is only listening on the private side and is not even
> bound to the port on the public side.
Do you also use filter rules to block ingress? Would you be
inconvenienced if -I went away?
> We use "restrict" statements to allow access from our CIDR blocks
> for ntp clients, monitoring, and response packets back from "server"
Aren't any plans to remove those.
> Let me know if you need additional information about how we use these features.
Do you ever use "interface" directives?
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
More information about the devel