help-cfengine

RE: Listening on specific interfaces


From: Wheeler, John
Subject: RE: Listening on specific interfaces
Date: Mon, 25 Aug 2003 11:07:37 -0500

It might be nice to have this on hosts with lots of interfaces like in a
DMZ. Otherwise you have to have something like tcp wrappers deny traffic
to the 5308 port on all interfaces but the control interface. It may
simplify things for some. It's potentially just another layer of
security.

-----Original Message-----
From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no] 
Sent: Monday, August 25, 2003 10:26 AM
To: Wheeler, John
Cc: Mark.Burgess@iu.hio.no; andre@digirati.com.br; help-cfengine@gnu.org
Subject: Re: Listening on specific interfaces


0.0.0.0 is not a specific interface but a wildcard IP address. It means
"allow connections from any client". If you bind to a specific IP then
you might restrict to traffic from a single host, but is that very
useful?

Mark

On 25 Aug, Wheeler, John wrote:
> Maybe I'm confused, but in cfservd.c version 2.0.6 line 749 you set the
> interface to INADDR_ANY (below). I believe this means it will listen on
> any interface that's up, or more specifically 0.0.0.0(?). If someone is
> ambitious you could write a patch to have it listen on something from
> the config file.
> 
>     744 #else
>     745
>     746 bzero(&sin,sizeof(sin));
>     747
>     748 sin.sin_port = (unsigned short)(port); /*  Service returns network byte order */
>     749 sin.sin_addr.s_addr = INADDR_ANY;
>     750 sin.sin_family = AF_INET;
>     751
>     752 if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
>     753    {
>     754    CfLog(cferror,"Couldn't open socket","socket");
>     755    exit (1);
>     756    }
>     757
>     758 if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *) &yes, sizeof (int)) == -1)
>     759    {
>     760    CfLog(cferror,"Couldn't set socket options","sockopt");
>     761    exit (1);
> "cfservd.c" line 749 of 3248 --23%-- col 1
> 
> -----Original Message-----
> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no] 
> Sent: Saturday, August 23, 2003 3:51 PM
> To: andre@digirati.com.br
> Cc: help-cfengine@gnu.org
> Subject: Re: Listening on specific interfaces
> 
> 
> 
> I think that this is a function of your operating system, rather than
> of cfengine. It is implementation dependent which interface gets bound
> to by the listen function.
> 
> M
> 
> On 22 Aug, Andre Nathan wrote:
>> Hi
>> 
>> I have just installed cfengine for the first time on a test environment.
>> It's working fine for the simple tasks I configured, but I have one
>> doubt: currently, netstat shows "*:cfengine" in the "Local Address"
>> column when cfexecd is running. Is it possible to make it listen on one
>> interface only, when I'm using a dual homed host?
>> 
>> Thanks in advance
>> Andre
>> 
>> 
>> 
>> _______________________________________________
>> Help-cfengine mailing list
>> Help-cfengine@gnu.org
>> http://mail.gnu.org/mailman/listinfo/help-cfengine
> 
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> 



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




