
Re: Listening on specific interfaces


From: Reenen Kroukamp
Subject: Re: Listening on specific interfaces
Date: Wed, 27 Aug 2003 17:51:12 +0200
User-agent: Mutt/1.5.4i

Hi Mark,

...
> I'm not sure, but I suspect that there is a general misunderstanding
> here. When a server binds to an address, it binds to an address that
> it is *listening for traffic from*, not the address that it claims
> to be itself.

I have come across a few instances where servers, when daemons are not
bound to a specific IP, send outgoing replies via a different interface
from the one on which they received the packets.

Hence, apart from the safety aspect this new feature would bring, which
you are referring to, binding to a specific interface may also come in
useful in these scenarios.

Furthermore, safety is about mitigating risk. Even had I the greatest
trust in something, I would never expose it on an outside interface
unless required.

If a service does not listen only on a specific ip, one should use
packet filter software to prevent access to it from anything but the
correct servers coming from the correct lans connected to the correct
physical interfaces.

This is paranoid, and it is good :)

As an example, Postfix and OpenSSH recently spring to mind as 'good'
software which had security risks associated with them.


-Reenen

-- 
Reenen C Kroukamp <reenen@qualica.com>
Qualica Technologies (Pty) Ltd
http://www.qualica.com/
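The packet-filter fallback described in the message above (restrict the service to the correct hosts, on the correct LAN, arriving on the correct physical interface, when the daemon itself listens on every address), as an added example that is not part of the original post or of cfengine. The port (5308/tcp for cfservd), the interface name eth1, the LAN 10.0.1.0/24 and the two management hosts are assumptions chosen for illustration. The block renders an nftables ruleset for the policy and mirrors its decision in a small evaluator so the rules can be checked against constructed sample packets offline:

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy (assumptions, not from the original message):
# cfservd is assumed to listen on 5308/tcp on all addresses; only the two
# named management hosts, on the internal LAN, arriving via the internal NIC,
# may reach it. Everything else sent to that port is dropped.
SERVICE_PORT = 5308
INTERNAL_IFACE = "eth1"
INTERNAL_LAN = ipaddress.ip_network("10.0.1.0/24")
MGMT_HOSTS = frozenset(ipaddress.ip_address(a) for a in ("10.0.1.10", "10.0.1.11"))


def nft_ruleset(port=SERVICE_PORT, iface=INTERNAL_IFACE,
                lan=INTERNAL_LAN, hosts=MGMT_HOSTS):
    """Render an nftables ruleset for the policy: one accept rule that must
    match interface, LAN and host set together, followed by an unconditional
    drop for the port so anything not matching all three is refused."""
    elements = ", ".join(str(h) for h in sorted(hosts))
    return "\n".join([
        "table inet cfengine_filter {",
        "    set mgmt_hosts {",
        "        type ipv4_addr",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f'        iifname "{iface}" ip saddr {lan} ip saddr @mgmt_hosts '
        f"tcp dport {port} accept",
        f"        tcp dport {port} drop",
        "    }",
        "}",
    ])


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source IPv4 address as text
    dport: int   # TCP destination port


def allowed(pkt, port=SERVICE_PORT, iface=INTERNAL_IFACE,
            lan=INTERNAL_LAN, hosts=MGMT_HOSTS):
    """Mirror the ruleset's decision for one packet. Traffic to other ports
    is outside this policy and passes; traffic to the service port passes
    only if interface, LAN and host all match. An unparseable source
    address fails closed."""
    if pkt.dport != port:
        return True
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    return pkt.iface == iface and src in lan and src in hosts


if __name__ == "__main__":
    print(nft_ruleset())
    # Constructed sample packets: one legitimate, then one per violated
    # condition, plus an unrelated port that the policy leaves alone.
    samples = [
        Packet("eth1", "10.0.1.10", 5308),    # correct host, LAN and NIC
        Packet("eth0", "10.0.1.10", 5308),    # right source, wrong NIC
        Packet("eth1", "10.0.1.50", 5308),    # right LAN and NIC, host not approved
        Packet("eth1", "10.0.2.10", 5308),    # wrong LAN
        Packet("eth0", "203.0.113.5", 5308),  # outside address on outside NIC
        Packet("eth0", "203.0.113.5", 22),    # not the service port, not governed
    ]
    for p in samples:
        verdict = "accept" if allowed(p) else "drop"
        print(f"{p.iface:5} {p.src:13} :{p.dport:<5} -> {verdict}")
```

The accept rule deliberately matches on all three conditions in one rule rather than on the source address alone: a packet carrying an internal source address but arriving on the outside interface is exactly the case the message is worried about, and it is dropped here because the interface check fails.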



