Yo Eric!

On Tue, 29 May 2018 17:02:47 -0400
"Eric S. Raymond" <e...@thyrsus.com> wrote:

> Gary E. Miller via devel <devel@ntpsec.org>:
> > Yo Eric!
> > 
> > On Tue, 29 May 2018 16:17:36 -0400
> > "Eric S. Raymond" <e...@thyrsus.com> wrote:
> >   
> > > Please either choose one drop/no-drop or explain why these cases
> > > should be treated separately.  
> > 
> > If that is the choice, the choice should be no-drop.  
> 
> Well, then, we're back to square one, and you now have an argument
> with Mark over his decision to drop filtering by name.

Hal's suggestions of violently refusing to start may be the way out.

> But when I wrote this:
> 
> "We have removed packet filtering by interface name because we judge
> it's a security-defect attractor.  The place to do this is in
> kernel-level packet filters and firewalls, which get much more
> scrutiny; good admin practice in this century is to not trust
> userspace packet filtering at all."
> 
> you endorsed it.  Does that change if "name" in the first sentence is
> deleted?

I see we are juggling several overlapping topics.

One: interface selection

Two: IP filtering

Three: IP filtering by interface

IMHO, we need to keep enable/disable by interface.  Too many server
installations depend on that.

But, filtering globally, and per interface, should be removed.  It
should be done by the system firewall.  But filtering removed in a way
to lessen the pain of people moving from NTP Classic to NTPsec.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        g...@rellim.com  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
