Matthew Selsky <matthew.sel...@twosigma.com>:
> We use "-L" on hosts with hundreds of virtual IPs to avoid errors
> about "out of file descriptors".
I see. OK, that problem would go away under SINGLESOCK - just one socket
for all IP addresses.
> We also use "-I address" on multi-homed hosts to attempt to ensure
> that ntpd is only listening on the private side and is not even
> bound to the port on the public side.
Do you also use filter rules to block ingress? Would you be
inconvenienced if -I went away?
> We use "restrict" statements to allow access from our CIDR blocks
> for ntp clients, monitoring, and response packets back from "server"
> statements.
Aren't any plans to remove those.
> Let me know if you need additional information about how we use these
> features.
Do you ever use "interface" directives?
--
<a href="http://www.catb.org/~esr/";>Eric S. Raymond</a>
My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
