NetBSD-Bugs archive


Re: bin/23705 (ntpd can not be restricted to certain interfaces)



The following reply was made to PR bin/23705; it has been noted by GNATS.

From: Matthew Mondor <mm_lists%pulsar-zone.net@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: bin/23705 (ntpd can not be restricted to certain interfaces)
Date: Sat, 21 Nov 2009 16:42:52 -0500

 On Sat, 21 Nov 2009 21:25:01 +0000 (UTC)
 Frank Kardel <kardel%netbsd.org@localhost> wrote:
 
 > The following reply was made to PR bin/23705; it has been noted by GNATS.
 > 
 > From: Frank Kardel <kardel%netbsd.org@localhost>
 > To: gnats-bugs%netbsd.org@localhost
 > Cc: 
 > Subject: Re: bin/23705 (ntpd can not be restricted to certain interfaces)
 > Date: Sat, 21 Nov 2009 22:24:06 +0100
 > 
 >  dholland%NetBSD.org@localhost wrote:
 >  > Synopsis: ntpd can not be restricted to certain interfaces
 >  >
 >  > State-Changed-From-To: closed->open
 >  > State-Changed-By: dholland%NetBSD.org@localhost
 >  > State-Changed-When: Sun, 15 Nov 2009 03:16:49 +0000
 >  > State-Changed-Why:
 >  > Wonderful, it doesn't work.
 >  >
 >  >   
 >  Actually it does, possibly not in a way you are expecting. The binding 
 >  is still done, but packets arriving on interface not mentioned by -I get 
 >  dropped right away after being read.
 >  Code to ignore the interface completely will be in the next stable 
 >  release of ntpd (not quite there yet - but the RC cycle is running).
 >  
 >  See the startup messages to watch what happens. An -I pppoe0 on my 
 >  system leads to :
 
 When I did the test I mistakenly assumed that using CIDR notation was
 expected as with most other software, and that this indeed was to
 restrict bind(2).  The manual page probably should be updated to stress
 that an interface name is expected, and that this does not affect the
 binding of interfaces, but instead will filter incoming requests
 (which is unfortunately harder to really make sure a setup is secure
 enough for an admin, however, but as you showed at least the logs
 should help).
 
 That said, it's nice to know that restricting binding is planned for
 the next release.  Should this PR remain open until said upgrade, or
 should we close it after improving the manual page?
 
 Thanks,
 -- 
 Matt
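
Added example, not part of the original message or of ntpd: the thread establishes that -I drops packets after they are read and does not restrict bind(2), so one way to see what ntpd is actually bound to is to compare the UDP port 123 sockets against an allow-list. The function names, allow-list addresses and sample netstat lines are constructed, and the BSD `netstat -an` layout (local address as `addr.port` in field 4) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `netstat -an` style output on
# stdin and prints every UDP port 123 socket whose local address is not in
# the allow-list given as arguments. Exit status is 1 if any were found.
# Assumes the BSD layout: field 1 = proto, field 4 = local "addr.port".
ntp_unexpected_binds() {
    allowed=" $* "
    awk -v allowed="$allowed" '
        $1 ~ /^udp/ && $4 ~ /\.123$/ {
            addr = $4
            sub(/\.123$/, "", addr)      # strip the port suffix
            # a wildcard bind ("*") is reported unless explicitly allowed
            if (index(allowed, " " addr " ") == 0) {
                print $1, addr
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample input; addresses are documentation ranges.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  *.22                   *.*                    LISTEN
udp        0      0  192.0.2.10.123         *.*
udp        0      0  127.0.0.1.123          *.*
udp        0      0  198.51.100.7.123       *.*
udp        0      0  *.123                  *.*
udp        0      0  192.0.2.10.1123        *.*
udp6       0      0  ::1.123                *.*
EOF
}

# Run the check on the sample, allowing loopback and one interface address.
check_sample() {
    sample_netstat | ntp_unexpected_binds 127.0.0.1 192.0.2.10
}

# Live use: netstat -an | ntp_unexpected_binds 127.0.0.1 192.0.2.10
check_sample || true
```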
 

