As I found out unfortunately we are both right.
But I am right for BSD and Vista+ OSes, you are right  for Linux OSes.
I am talking about  Weak and Strong ES modes.

Due to Weak ES mode in Linux OSes, please remake a test but change a little
bit test conditions:
When aiming for Strong ES Model in Linux, you'll first need these sysctl
settings:
net.ipv4.conf.all.arp_filter=1
net.ipv4.conf.all.arp_ignore=1 # or even 2
net.ipv4.conf.all.arp_announce=2


*And I see the only way is to implement not bindaddress but binddevice
available multiple times for listening and receiving requests to.*
*To avoid a quite complicated set**ting up of Linux OSes.*

Additionally, lhere are:
https://stackoverflow.com/questions/33917575/choosing-socket-output-interface-so-bindtodevice-vs-bind-before-connect
https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc137807(v=msdn.10)?redirectedfrom=MSDN
https://networkengineering.stackexchange.com/questions/59836/bind-to-specific-address
https://unix.stackexchange.com/questions/258810/linux-source-routing-strong-end-system-model-strong-host-model
https://wiki.treck.com/Appendix_C:_Strong_End_System_Model_/_Weak_End_System_Model

вт, 5 сент. 2023 г. в 15:31, CpServiceSPb <cpservice...@gmail.com>:

> Maybe did multiple binddeviceinstead for the specified purpose ?
>
> вт, 5 сент. 2023 г. в 15:17, CpServiceSPb <cpservice...@gmail.com>:
>
>> I don' t understand how packets are thrown between interfaces with IP
>> forwarding off.
>> Maybe nevertheless there is 0.0.0.0 binding.
>>
>>
>> вт, 5 сент. 2023 г. в 15:10, CpServiceSPb <cpservice...@gmail.com>:
>>
>>> As you added the functionality, can you send this version ?
>>> I will test as well on my own.
>>>
>>>
>>> вт, 5 сент. 2023 г. в 13:54, Miroslav Lichvar <mlich...@redhat.com>:
>>>
>>>> On Thu, Aug 31, 2023 at 12:06:35AM +0300, CpServiceSPb wrote:
>>>> > I may be wrong but as I understand that binding to an address is
>>>> almost the
>>>> > same as binding to an interface.
>>>>
>>>> I think those are two different things. In chrony there is the
>>>> binddevice directive for binding to a device. It can be used only once
>>>> for the same reasons as bindaddress.
>>>>
>>>> > Maybe I am wrong, again.
>>>> > And it is meaning that an appropriate opened socket will receive
>>>> packers
>>>> > only from the corresponding interface, of course if IP forwarding,
>>>> source
>>>> > nat and so on is not set up.
>>>>
>>>> I ran a test. I started the server with 'bindaddress 192.168.50.2' and
>>>> checked tcpdump output on the other interface, which has network
>>>> 192.168.70.0/24 and no other routes.
>>>>
>>>> 10:46:41.686783 IP 192.168.70.1.53545 > 192.168.50.2.ntp: NTPv4,
>>>> Client, length 48
>>>> 10:46:41.686863 IP 192.168.50.2.ntp > 192.168.70.1.53545: NTPv4,
>>>> Server, length 48
>>>>
>>>> It is happily responding to clients sending to the bound address, even
>>>> if it's a different interface. IP forwarding is disabled. There is no
>>>> NAT. The rp_filter setting doesn't seem to affect this. I think it's
>>>> supposed to check only the source address.
>>>>
>>>> > So, it can be checked practically.
>>>> > Is it true or false.
>>>> > When you will add such functionality, I will build a new version of
>>>> chrony
>>>> > and will turn off nat, ip forwarding and will launch tcpdump and will
>>>> see
>>>> > what happens on the lan interface when some client from dmz sends a
>>>> request
>>>> > to dmz interface.
>>>> > That is, will any packets come to the lan interface or not.
>>>>
>>>> You can verify that with single bindaddress.
>>>>
>>>> If you really need multiple addresses, you can start multiple servers
>>>> instances as explained here:
>>>>
>>>> https://chrony-project.org/faq.html#_can_ntp_server_be_separated_from_ntp_client
>>>>
>>>> --
>>>> Miroslav Lichvar
>>>>
>>>>
>>>> --
>>>> To unsubscribe email chrony-dev-requ...@chrony.tuxfamily.org with
>>>> "unsubscribe" in the subject.
>>>> For help email chrony-dev-requ...@chrony.tuxfamily.org with "help" in
>>>> the subject.
>>>> Trouble?  Email listmas...@chrony.tuxfamily.org.
>>>>
>>>>

Reply via email to