On Wed, May 30, 2018 at 03:08:42PM -0400, Eric S. Raymond wrote:
> Matthew Selsky <matthew.sel...@twosigma.com>:
> >
> > We also use "-I address" on multi-homed hosts to attempt to ensure
> > that ntpd is only listening on the private side and is not even
> > bound to the port on the public side.
>
> Do you also use filter rules to block ingress? Would you be
> inconvenienced if -I went away?
We don't use filter rules in ntp.conf to block ingress. I don't mind if -I went away, with proper warnings, etc.

> Do you ever use "interface" directives?

We don't currently, since -I did the trick.

It's interesting that the man page for ntpd reports wildcard and localhost are still opened for -I. syslog shows:

2018-06-05T00:25:57.957+00:00 my.host.name ntpd[100504]: Listen and drop on 0 v6wildcard [::]:123

Wildcard seems counter-intuitive (though on my multi-homed hosts, it does prevent opening a socket for each specific interface). Leaving the wildcard socket is likely not doing what I intended. Maybe. What's the value of "Listen and drop"?

I guess I'll replace -I with this in ntp.conf:

interface listen 127.0.0.1
interface listen ::1
interface listen address

This means that I'll need to template /etc/ntp.conf instead of /etc/default/ntp... no big deal. As long as I get a deprecation warning, etc.

Thanks,
-Matt
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
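The worry in the message above is that after moving from -I to "interface listen" directives, ntpd may still hold a wildcard socket on UDP/123. The check below is an added example, not code from the thread or from NTPsec: it reads ss-style socket listings and reports every local address bound to port 123 that is not on an explicit allowlist, so a wildcard bind (0.0.0.0 or ::) shows up immediately. The ss output lines and the private address 10.20.30.40 are constructed sample data; the allowlist is a hypothetical one for a host that should only answer on loopback and its private side.

```shell
#!/bin/sh
# Constructed sample of `ss -H -lnu` output (no header, numeric, UDP listeners).
# It deliberately includes the two wildcard sockets we want the check to catch.
SAMPLE_SS='UNCONN 0 0 127.0.0.1:123 0.0.0.0:*
UNCONN 0 0 10.20.30.40:123 0.0.0.0:*
UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
UNCONN 0 0 [::1]:123 [::]:*
UNCONN 0 0 [::]:123 [::]:*
UNCONN 0 0 0.0.0.0:68 0.0.0.0:*'

# Hypothetical allowlist: loopback (v4 and v6) plus the private-side address.
# Wildcard addresses are intentionally absent, so they are always reported.
ALLOWED="127.0.0.1 ::1 10.20.30.40"

# ntp_unexpected_listeners ALLOWLIST
# Reads ss-style lines on stdin and prints each local address that is bound to
# UDP/123 but not present in the space-separated ALLOWLIST. Prints nothing when
# every NTP socket is on an approved address.
ntp_unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    $1 == "UNCONN" {
        local = $4
        # The port follows the last ":"; IPv6 literals are bracketed, so this is safe.
        port = local; sub(/.*:/, "", port)
        if (port != "123") next
        addr = local; sub(/:[0-9]+$/, "", addr)
        gsub(/\[|\]/, "", addr)          # strip the [ ] around IPv6 literals
        if (!(addr in ok)) print addr
    }'
}

# ntp_binding_ok ALLOWLIST
# Returns 0 when no unexpected UDP/123 listener is present on stdin, 1 otherwise.
ntp_binding_ok() {
    [ -z "$(ntp_unexpected_listeners "$1")" ]
}

# Stand-alone run against the constructed sample: reports 0.0.0.0 and ::.
printf '%s\n' "$SAMPLE_SS" | ntp_unexpected_listeners "$ALLOWED"
```

On a live host the same function is fed real data with `ss -H -lnu | ntp_unexpected_listeners "127.0.0.1 ::1 <private address>"`; an empty result means ntpd is bound only where intended, and any line printed names a socket (such as the v6wildcard one from the syslog excerpt) that the interface directives did not remove.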