As I found out unfortunately we are both right. But I am right for BSD and Vista+ OSes, you are right for Linux OSes. I am talking about Weak and Strong ES modes.
Due to Weak ES mode in Linux OSes, please remake a test but change a little bit test conditions: When aiming for Strong ES Model in Linux, you'll first need these sysctl settings: net.ipv4.conf.all.arp_filter=1 net.ipv4.conf.all.arp_ignore=1 # or even 2 net.ipv4.conf.all.arp_announce=2 *And I see the only way is to implement not bindaddress but binddevice available multiple times for listening and receiving requests to.* *To avoid a quite complicated set**ting up of Linux OSes.* Additionally, lhere are: https://stackoverflow.com/questions/33917575/choosing-socket-output-interface-so-bindtodevice-vs-bind-before-connect https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc137807(v=msdn.10)?redirectedfrom=MSDN https://networkengineering.stackexchange.com/questions/59836/bind-to-specific-address https://unix.stackexchange.com/questions/258810/linux-source-routing-strong-end-system-model-strong-host-model https://wiki.treck.com/Appendix_C:_Strong_End_System_Model_/_Weak_End_System_Model вт, 5 сент. 2023 г. в 15:31, CpServiceSPb <cpservice...@gmail.com>: > Maybe did multiple binddeviceinstead for the specified purpose ? > > вт, 5 сент. 2023 г. в 15:17, CpServiceSPb <cpservice...@gmail.com>: > >> I don' t understand how packets are thrown between interfaces with IP >> forwarding off. >> Maybe nevertheless there is 0.0.0.0 binding. >> >> >> вт, 5 сент. 2023 г. в 15:10, CpServiceSPb <cpservice...@gmail.com>: >> >>> As you added the functionality, can you send this version ? >>> I will test as well on my own. >>> >>> >>> вт, 5 сент. 2023 г. в 13:54, Miroslav Lichvar <mlich...@redhat.com>: >>> >>>> On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote: >>>> > I may be wrong but as I understand that binding to an address is >>>> almost the >>>> > same as binding to an interface. >>>> >>>> I think those are two different things. In chrony there is the >>>> binddevice directive for binding to a device. It can be used only once >>>> for the same reasons as bindaddress. >>>> >>>> > Maybe I am wrong, again. >>>> > And it is meaning that an appropriate opened socket will receive >>>> packers >>>> > only from the corresponding interface, of course if IP forwarding, >>>> source >>>> > nat and so on is not set up. >>>> >>>> I ran a test. I started the server with 'bindaddress 192.168.50.2' and >>>> checked tcpdump output on the other interface, which has network >>>> 192.168.70.0/24 and no other routes. >>>> >>>> 10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4, >>>> Client, length 48 >>>> 10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4, >>>> Server, length 48 >>>> >>>> It is happily responding to clients sending to the bound address, even >>>> if it's a different interface. IP forwarding is disabled. There is no >>>> NAT. The rp_filter setting doesn't seem to affect this. I think it's >>>> supposed to check only the source address. >>>> >>>> > So, it can be checked practically. >>>> > Is it true or false. >>>> > When you will add such functionality, I will build a new version of >>>> chrony >>>> > and will turn off nat, ip forwarding and will launch tcpdump and will >>>> see >>>> > what happens on the lan interface when some client from dmz sends a >>>> request >>>> > to dmz interface. >>>> > That is, will any packets come to the lan interface or not. >>>> >>>> You can verify that with single bindaddress. >>>> >>>> If you really need multiple addresses, you can start multiple servers >>>> instances as explained here: >>>> >>>> https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client >>>> >>>> -- >>>> Miroslav Lichvar >>>> >>>> >>>> -- >>>> To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with >>>> "unsubscribe" in the subject. >>>> For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in >>>> the subject. >>>> Trouble? Email listmas...@chrony.tuxfamily.org. >>>> >>>>