help-cfengine

Re: Listening on specific interfaces


From: Mark Burgess
Subject: Re: Listening on specific interfaces
Date: Wed, 27 Aug 2003 08:14:27 +0200 (MEST)

On 26 Aug, Reenen Kroukamp wrote:
> 
> When allowing a server to bind to an IP you can ensure a specific
> source address/interface for packets coming from cfservd.
> 
> On Mon, Aug 25, 2003 at 06:26:51PM +0200, Mark.Burgess@iu.hio.no wrote:
>> 
>> Cfservd already has this kind of access control. You don't need
>> any more layers, I would say.
>> 
>> M
> ...
> 


I'm not sure, but I suspect that there is a general misunderstanding
here. When a server binds to an address, it binds to an address that
it is *listening for traffic from*, not the address that it claims
to be itself.

Servers generally bind to 0.0.0.0 which means, I'm accepting traffic
from anyone in principle.

In cfservd, there is access control after this, based on IP addresses
that allows it to then reject traffic unconditionally before a potential
client has had any opportunity to send any data. This means that there
is no possibility of exploiting any possible bug, nor any advantage to
binding to an individual client address.

So to everyone who has brought this up: I think this is a Red Herring.
There is no advantage to binding to any other address. As for listening
on only a single interface -- I just don't know how to do that.

Mark

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
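
Added example, not part of the original message and not cfengine code: a Python sketch of the two mechanisms this thread discusses, the local address a listening socket is bound to and a peer-address check applied after accept() and before any data is read. The allow-list, the function names and the use of 127.0.0.1 and 127.0.0.2 are assumptions; it expects a Linux host, where every address in 127.0.0.0/8 is on the loopback interface.

```python
import ipaddress
import socket

# Constructed allow-list for this example (an assumption, not cfservd configuration).
ALLOWED = [ipaddress.ip_network("127.0.0.1/32")]

def make_listener(local_addr):
    """bind() selects the local address on which the listener accepts connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(2)
    srv.bind((local_addr, 0))  # port 0: the kernel picks a free port
    srv.listen(5)
    return srv

def accept_checked(srv):
    """Accept one connection and decide on the peer address before any recv()."""
    conn, (peer_ip, _port) = srv.accept()
    allowed = any(ipaddress.ip_address(peer_ip) in net for net in ALLOWED)
    conn.close()  # the example stops here; a rejected peer is closed unread
    return "accepted" if allowed else "rejected"

def try_connect(dst_ip, port, src_ip=None):
    """Connect to dst_ip:port, optionally from a chosen local source address."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(2)
    try:
        if src_ip:
            cli.bind((src_ip, 0))
        cli.connect((dst_ip, port))
        return cli
    except OSError:
        cli.close()
        return None

def demo():
    """Listener bound to 127.0.0.1; clients use other local and source addresses."""
    srv = make_listener("127.0.0.1")
    port = srv.getsockname()[1]
    other = try_connect("127.0.0.2", port)  # listener is not bound to this address
    results = {"to_other_local_addr": other is not None}
    for src in ("127.0.0.1", "127.0.0.2"):
        cli = try_connect("127.0.0.1", port, src_ip=src)
        results[src] = accept_checked(srv) if cli else "connect failed"
        if cli:
            cli.close()
    srv.close()
    return results

if __name__ == "__main__":
    print(demo())
```

The first result depends on the address the listener is bound to; the other two depend only on the peer address seen after accept().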




