Matthew Selsky <matthew.sel...@twosigma.com>:
> We use "-L" on hosts with hundreds of virtual IPs to avoid errors
> about "out of file descriptors".

I see. OK, that problem would go away under SINGLESOCK - just one socket
for all IP addresses.

> We also use "-I address" on multi-homed hosts to attempt to ensure
> that ntpd is only listening on the private side and is not even
> bound to the port on the public side.

Do you also use filter rules to block ingress? Would you be inconvenienced
if -I went away?

> We use "restrict" statements to allow access from our CIDR blocks
> for ntp clients, monitoring, and response packets back from "server"
> statements.

Aren't any plans to remove those.

> Let me know if you need additional information about how we use these
> features.

Do you ever use "interface" directives?
--
Eric S. Raymond <http://www.catb.org/~esr/>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.