help-cfengine

Re: Listening on specific interfaces


From: Mark . Burgess
Subject: Re: Listening on specific interfaces
Date: Mon, 25 Aug 2003 18:26:51 +0200 (MEST)

Cfservd already has this kind of access control. You don't need
any more layers, I would say.

M


On 25 Aug, Wheeler, John wrote:
> It might be nice to have this on hosts with lots of interfaces like in a
> dmz. Otherwise you have to have something like tcp wrappers deny traffic
> to the 5308 port on all interfaces but the control interface. It may
> simplify things for some. It's potentially just another layer of
> security.
> 
> -----Original Message-----
> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no] 
> Sent: Monday, August 25, 2003 10:26 AM
> To: Wheeler, John
> Cc: Mark.Burgess@iu.hio.no; andre@digirati.com.br; help-cfengine@gnu.org
> Subject: Re: Listening on specific interfaces
> 
> 
> 0.0.0.0 is not a specific interface but a wildcard IP address. It means
> "allow connections from any client". If you bind to a specific IP then
> you might restrict to traffic from a single host, but is that very
> useful?
> 
> Mark
> 
> On 25 Aug, Wheeler, John wrote:
>> Maybe I'm confused, but in cfservd.c version 2.0.6 line 749 you set the
>> interface to INADDR_ANY (below). I believe this means it will listen on
>> any interface that's up, or more specifically 0.0.0.0(?). If someone is
>> ambitious you could write a patch to have it listen on something from
>> the config file.
>> 
>>     744 #else
>>     745
>>     746 bzero(&sin,sizeof(sin));
>>     747
>>     748 sin.sin_port = (unsigned short)(port); /*  Service returns network byte order */
>>     749 sin.sin_addr.s_addr = INADDR_ANY;
>>     750 sin.sin_family = AF_INET;
>>     751
>>     752 if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
>>     753    {
>>     754    CfLog(cferror,"Couldn't open socket","socket");
>>     755    exit (1);
>>     756    }
>>     757
>>     758 if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *) &yes, sizeof (int)) == -1)
>>     759    {
>>     760    CfLog(cferror,"Couldn't set socket options","sockopt");
>>     761    exit (1);
>> "cfservd.c" line 749 of 3248 --23%-- col 1
>> 
>> -----Original Message-----
>> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no] 
>> Sent: Saturday, August 23, 2003 3:51 PM
>> To: andre@digirati.com.br
>> Cc: help-cfengine@gnu.org
>> Subject: Re: Listening on specific interfaces
>> 
>> 
>> 
>> I think that this is a function of your operating system, rather than
>> of cfengine. It is implementation dependent which interface gets bound
>> to by the listen function.
>> 
>> M
>> 
>> On 22 Aug, Andre Nathan wrote:
>>> Hi
>>> 
>>> I have just installed cfengine for the first time on a test environment.
>>> It's working fine for the simple tasks I configured, but I have one
>>> doubt: currently, netstat shows "*:cfengine" in the "Local Address"
>>> column when cfexecd is running. Is it possible to make it listen on one
>>> interface only, when I'm using a dual homed host?
>>> 
>>> Thanks in advance
>>> Andre
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Help-cfengine mailing list
>>> Help-cfengine@gnu.org
>>> http://mail.gnu.org/mailman/listinfo/help-cfengine
>> 
>> 
>> 
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
>> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
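
Added example, not part of the original thread and not cfengine source: one way a daemon could take its listening address from configuration instead of hard-coding INADDR_ANY as in the quoted cfservd.c excerpt. The helper names `make_listen_addr` and `open_listener` are hypothetical; the bind address selects which local address accepts connections, while filtering by client stays with the daemon's own access control.

```c
/* Added example (hypothetical helpers, not cfengine code): bind the
 * listener to a configured local IPv4 address rather than INADDR_ANY. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill *sin for the configured address. NULL or "" keeps the wildcard
 * (the INADDR_ANY behaviour quoted in the thread). Returns 0, or -1 if
 * bind_ip is not a valid dotted-quad IPv4 address. */
int make_listen_addr(const char *bind_ip, unsigned short port,
                     struct sockaddr_in *sin)
{
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);          /* host to network byte order */
    if (bind_ip == NULL || bind_ip[0] == '\0') {
        sin->sin_addr.s_addr = htonl(INADDR_ANY);
        return 0;
    }
    return inet_pton(AF_INET, bind_ip, &sin->sin_addr) == 1 ? 0 : -1;
}

/* Create a TCP listener on bind_ip:port. Returns the socket, or -1. */
int open_listener(const char *bind_ip, unsigned short port)
{
    struct sockaddr_in sin;
    int yes = 1, sd;
    /* A malformed setting is an error; never fall back to the wildcard. */
    if (make_listen_addr(bind_ip, port, &sin) == -1)
        return -1;
    if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
        return -1;
    if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes)) == -1 ||
        bind(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
        listen(sd, 16) == -1) {
        close(sd);
        return -1;
    }
    return sd;
}

int main(int argc, char **argv)
{   /* 5308 is the cfservd port named in the thread */
    int sd = open_listener(argc > 1 ? argv[1] : NULL, 5308);
    if (sd == -1) { fprintf(stderr, "cannot listen\n"); return 1; }
    close(sd);
    return 0;
}
```

Run with the control interface's address as the argument and netstat shows that address in "Local Address" instead of `*`.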