From: Jim Shankland
Date: Mon, 27 Jul 1998 21:40:15 -0700 (PDT)
To: ben@rosengart.com
Cc: security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
Message-Id: <199807280440.VAA12658@biggusdiskus.flyingfox.com>

Snob Art Genre writes:

> Ever since I learned how the sockets API supports binding to a
> specific interface, I've wanted ways to use this in inet
> software. As it is, I'm using tcp_wrappers to get equivalent
> functionality, but this would certainly be more elegant.

Careful there. The sockets API supports binding to a specific *address*, not interface. If your machine has two interfaces with addresses A and B, and you bind your server socket to address B, it will happily accept connections addressed to address B, but physically arriving via the "A" interface.

In many situations, this can't happen, due to routing. E.g., if address B is 192.168.1.1, and I'm an Evil Hacker In Bulgaria, I'll be hard-pressed to get packets addressed to 192.168.1.1 delivered to your server. On the other hand, in this case, an "inside" client can likely connect to services bound only to the "outside" address.
And if the bad guy has control of your immediate upstream, s/he/it (the universal "bad guy" pronoun, often suffixed with "-head") could arrange to deliver packets addressed to your "inside" interface down your "outside" wire.

Anyway, caveat emptor. The sockets API was written back when everyone was friends.

Jim Shankland
Flying Fox Computer Systems, Inc.
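The distinction Jim draws above (bind() filters on destination address, not on the wire a packet arrived on) can be checked at runtime for UDP, because the kernel will tell you the ingress interface of each datagram if you ask for it: IP_PKTINFO on Linux, IP_RECVIF on FreeBSD. The following is an added example written for this page, not code from the post or from FreeBSD; it binds a UDP socket to 127.0.0.1, requests per-datagram interface reporting, and drops anything that did not arrive on the interface index the caller expects. The function names (open_bound_udp, recv_on_iface, loopback_demo), the loopback self-test and its payload are all constructed for the demonstration; the self-test assumes a loopback interface named "lo" (Linux) or "lo0" (FreeBSD).

```c
/* Added example: enforce an ingress *interface* on top of an address
 * bind(), which is all the sockets API gives you. Linux (IP_PKTINFO) and
 * FreeBSD (IP_RECVIF); UDP only, because TCP exposes no per-connection
 * ingress interface through the sockets API. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
#ifdef IP_RECVIF
#include <net/if_dl.h>   /* FreeBSD: ingress interface arrives as a sockaddr_dl */
#endif

/* Open a UDP socket bound to addr:port (port 0 = kernel picks) with
 * per-datagram ingress-interface reporting enabled. Returns fd or -1. */
int open_bound_udp(const char *addr, uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int on = 1;
#ifdef IP_PKTINFO
    if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &on, sizeof on) < 0) { close(fd); return -1; }
#elif defined(IP_RECVIF)
    if (setsockopt(fd, IPPROTO_IP, IP_RECVIF, &on, sizeof on) < 0) { close(fd); return -1; }
#else
#error "no ingress-interface socket option on this platform"
#endif
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { close(fd); return -1; }
    return fd;
}

/* Receive one datagram. Returns its length, -1 on error, or -2 if it
 * arrived on an interface other than want_ifindex, i.e. the case the
 * post warns about: right destination address, wrong wire. */
ssize_t recv_on_iface(int fd, unsigned want_ifindex, void *buf, size_t len, unsigned *got_ifindex)
{
    struct iovec iov = { buf, len };
    char cbuf[256];
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cbuf;
    msg.msg_controllen = sizeof cbuf;
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    unsigned ifindex = 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != IPPROTO_IP) continue;
#ifdef IP_PKTINFO
        if (c->cmsg_type == IP_PKTINFO)
            ifindex = ((struct in_pktinfo *)CMSG_DATA(c))->ipi_ifindex;
#elif defined(IP_RECVIF)
        if (c->cmsg_type == IP_RECVIF)
            ifindex = ((struct sockaddr_dl *)CMSG_DATA(c))->sdl_index;
#endif
    }
    if (got_ifindex) *got_ifindex = ifindex;
    return ifindex == want_ifindex ? n : -2;
}

/* Constructed self-test over loopback: two identical datagrams to the
 * bound address. The first must be accepted for the loopback ifindex;
 * the second must be rejected when we demand some other ifindex.
 * Returns 1 on success, 0 otherwise. */
int loopback_demo(void)
{
    unsigned lo = if_nametoindex("lo");           /* Linux name */
    if (!lo) lo = if_nametoindex("lo0");           /* FreeBSD name */
    if (!lo) return 0;
    int srv = open_bound_udp("127.0.0.1", 0);
    if (srv < 0) return 0;
    struct sockaddr_in sin;
    socklen_t sl = sizeof sin;
    if (getsockname(srv, (struct sockaddr *)&sin, &sl) < 0) { close(srv); return 0; }
    int cli = socket(AF_INET, SOCK_DGRAM, 0);
    if (cli < 0) { close(srv); return 0; }
    const char payload[] = "constructed test datagram";  /* sample input, not real traffic */
    int ok = 0;
    if (sendto(cli, payload, sizeof payload, 0, (struct sockaddr *)&sin, sl) == (ssize_t)sizeof payload &&
        sendto(cli, payload, sizeof payload, 0, (struct sockaddr *)&sin, sl) == (ssize_t)sizeof payload) {
        char buf[64];
        unsigned got = 0;
        ssize_t a = recv_on_iface(srv, lo, buf, sizeof buf, &got);         /* expect accepted */
        ssize_t b = recv_on_iface(srv, lo + 1000, buf, sizeof buf, &got);  /* expect -2 */
        ok = (a == (ssize_t)sizeof payload && b == -2);
    }
    close(cli);
    close(srv);
    return ok;
}

int main(void)
{
    int ok = loopback_demo();
    printf("loopback demo: %s\n", ok ? "accepted on lo, rejected for other ifindex" : "FAILED");
    return ok ? 0 : 1;
}
```

For TCP the same check is not available from user space, so the interface restriction the original poster wanted belongs in the packet filter (ipfw or pf rules keyed on the incoming interface) or, on Linux only, in the SO_BINDTODEVICE socket option; tcp_wrappers, like bind(), only ever sees addresses.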