SINGLESOCK - How much to strip away?

Eric S. Raymond esr at
Wed May 30 19:08:42 UTC 2018

Matthew Selsky <Matthew.Selsky at>:
> We use "-L" on hosts with hundreds of virtual IPs to avoid errors
> about "out of file descriptors".

I see.  OK, that problem would go away under SINGLESOCK - just one socket
for all IP addresses.

> We also use "-I address" on multi-homed hosts to attempt to ensure
> that ntpd is only listening on the private side and is not even
> bound to the port on the public side.

Do you also use filter rules to block ingress?  Would you be
inconvenienced if -I went away?

> We use "restrict" statements to allow access from our CIDR blocks
> for ntp clients, monitoring, and response packets back from "server"
> statements.

Aren't any plans to remove those.

> Let me know if you need additional information about how we use these features.

Do you ever use "interface" directives?
		<a href="">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute:
Please visit their site and donate: the civilization you save might be your own.

More information about the devel mailing list