Re: [chrony-dev] Multihomed (multiple) network interfaces support !



On Wed, Aug 30, 2023 at 12:49:34PM +0300, CpServiceSPb wrote:
>  > Why is it not good? Is it meant to be a security measure? Would firewall
> not work better?
> There are sockets in a system.
> Sometimes a firewall can pass packets due to its malfunction or not
> accurate settings.
> If there are no extra sockets it is much much better for security.

Can you please elaborate? The security benefits are not very clear to
me.

There are some misconceptions. Binding a socket to an address doesn't
mean it will not receive packets from other interfaces. For example,
if eth1 has ADDR1 and eth2 has ADDR2, and chronyd is configured to
listen only on ADDR1, I think on a typical system it will respond to
requests sent to ADDR1 no matter if they are received from eth1 or
eth2.

There are exceptions to this like the loopback range (127.0.0.0/8)
which the kernel should drop as "martian packets" if received from
real network interfaces, so default bindcmdaddress of 127.0.0.1 should
prevent responding to requests from network.

-- 
Miroslav Lichvar
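Added example, not from the thread or the chrony project: a small Python checker that applies the weak-host-model point above to a constructed chrony.conf, classifying each listening socket by what its bind address does and does not restrict and which ACL directive governs it. The sample config, the assumed defaults used when bindaddress/bindcmdaddress are unset, and the classification wording are assumptions of this example; chrony's built-in default ACL behaviour is deliberately not modelled.

```python
"""Classify chronyd listening sockets from a chrony.conf (added example).
A socket bound to a specific non-loopback address is still reachable through
any interface (weak host model); loopback bindings are shielded by martian
filtering. Only ACLs (allow/cmdallow) and firewall rules limit who can talk."""
import ipaddress

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """\
server 192.0.2.10 iburst
# server socket bound to one address; clients limited by the ACL, not the bind
bindaddress 192.0.2.1
allow 192.0.2.0/24
# command socket moved off loopback with no cmdallow directive
bindcmdaddress 192.0.2.1
"""

def parse_conf(text):
    """Map each directive to the list of argument lists it was given."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!;%":  # chrony.conf comment markers
            continue
        words = line.split()
        conf.setdefault(words[0], []).append(words[1:])
    return conf

def classify_bind(addr):
    """Describe what binding to addr does and does not restrict."""
    if addr.startswith("/"):
        return "unix socket: no network exposure"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback: martian filtering keeps it off real interfaces"
    if ip.is_unspecified:
        return "wildcard: reachable on every interface"
    return "specific address: reachable via any interface (weak host model)"

def assess(text):
    """Return one finding per socket: (socket, bind address, scope, acl)."""
    conf = parse_conf(text)  # assumed defaults below when directives are absent
    ntp_binds = [a[0] for a in conf.get("bindaddress", [])] or ["0.0.0.0", "::"]
    cmd_binds = [a[0] for a in conf.get("bindcmdaddress", [])] or ["127.0.0.1", "::1"]
    findings = []
    for name, binds, key in (("ntp", ntp_binds, "allow"), ("cmd", cmd_binds, "cmdallow")):
        entries = [" ".join(a) or "all" for a in conf.get(key, [])]
        acl = ", ".join(entries) if entries else "no %s directive" % key
        for addr in binds:
            findings.append((name, addr, classify_bind(addr), acl))
    return findings
```

Running `assess(SAMPLE_CONF)` reports the command socket on 192.0.2.1 as reachable from any interface with no cmdallow restriction, which is the situation the thread warns about.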

