Re: [chrony-dev] Multihomed (multiple) network interfaces support !



> Why is it not good? Is it meant to be a security measure? Would firewall not work better?
There are sockets in a system.
Sometimes a firewall can pass packets due to a malfunction or inaccurate settings.
If there are no extra sockets it is much much better for security.

> For compatibility with current configuration, which effectively applies only the last occurrence per IPv4/IPv6, I think it would need to be specified on one line like this
> bindaddress 192.168.0.0/24 172.10.0.0/24
It seems a very good way in this case.

> It can be implemented, but there should be a good use case for it.
I liked Chrony and will use it instead of NTPd on 3 of 5 interfaces of the server.
One thing that stopped me from using Chrony on a real server is lack of multiple bindings.

Wed, 30 Aug 2023 at 11:40, Miroslav Lichvar <mlichvar@xxxxxxxxxx> wrote:
On Wed, Aug 30, 2023 at 10:19:56AM +0300, CpServiceSPb wrote:
> There are some multihomed computers which have several network interfaces,
> for example lan, wifi1, wifi2, dmz, wan.
> At the time chrony is bound either to 0.0.0.0 address, which means
> "listen on every available network interface", or only once specified
> interface/address by "bind..." directives.
> Yes, there is "allow" directive as well.
> But anyway there is listening to all the interfaces remaining, that is not
> good.

Why is it not good? Is it meant to be a security measure? Would
firewall not work better?

> Dear developers, please add availability of binding to several interfaces
> specified in conf file, maybe by specifying multiple times of binddevice
> or bindaddress, for example:
> bindaddress 192.168.0.0/24 # lan
> bindaddress 172.10.0.0/24 # dmz

For compatibility with current configuration, which effectively
applies only the last occurrence per IPv4/IPv6, I think it would need
to be specified on one line like this

bindaddress 192.168.0.0/24 172.10.0.0/24

It can be implemented, but there should be a good use case for it.

--
Miroslav Lichvar
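
Added example (not part of the original messages and not chrony code): a small Python check for the behaviour described above, where only the last bindaddress per IPv4/IPv6 takes effect and a family with no bindaddress listens on every interface. It assumes bindaddress takes a single address and that comment lines start with !, ;, # or %; audit_bindaddress and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample config, not taken from a real host.
SAMPLE_CONF = """\
# lan
bindaddress 192.168.0.1
# dmz
bindaddress 172.10.0.1
# one-line form proposed in this thread (assumed not accepted today)
bindaddress 192.168.0.0/24 172.10.0.0/24
allow 192.168.0.0/24
"""

COMMENT_CHARS = "!;#%"  # assumption: comment lines start with one of these


def audit_bindaddress(conf_text):
    """Report which bindaddress lines take effect, per address family."""
    effective = {}   # IP version -> (line number, address) that wins
    overridden = []  # earlier lines silently replaced by a later one
    rejected = []    # arguments that are not exactly one plain address
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0][0] in COMMENT_CHARS:
            continue
        if fields[0].lower() != "bindaddress":
            continue
        try:
            if len(fields) != 2:
                raise ValueError("expected exactly one address")
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            rejected.append((lineno, " ".join(fields[1:])))
            continue
        if addr.version in effective:
            overridden.append(effective[addr.version])
        effective[addr.version] = (lineno, str(addr))
    # Families without a bindaddress stay on the wildcard (all interfaces).
    wildcard = [v for v in (4, 6) if v not in effective]
    return {"effective": effective, "overridden": overridden,
            "rejected": rejected, "wildcard": wildcard}


if __name__ == "__main__":
    for key, value in audit_bindaddress(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

On the sample, the lan address is reported as overridden by the dmz line, and IPv6 is reported as still listening on the wildcard address.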

