Date: Mon, 27 Jul 1998 23:01:52 -0700 (PDT)
From: Jim Shankland <jas@flyingfox.com>
To: ben@rosengart.com
Cc: security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
Message-ID: <199807280601.XAA13523@biggusdiskus.flyingfox.com>
In-Reply-To: <Pine.GSO.4.02.9807280124550.13278-100000@echonyc.com>

>From benedict@echonyc.com Mon Jul 27 22:31:23 1998
Date: Tue, 28 Jul 1998 01:29:04 -0400 (EDT)
From:
Reply-To: ben@rosengart.com
To: Jim Shankland <jas@flyingfox.com>
cc: ben@rosengart.com, security@freebsd.org
Subject: Re: inetd enhancements (fwd)
In-Reply-To: <199807280440.VAA12658@biggusdiskus.flyingfox.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Snob Art Genre <benedict@echonyc.com> writes:

> On Mon, 27 Jul 1998, Jim Shankland wrote:
>
> > Careful there. The sockets API supports binding to a specific
> > *address*, not interface....
>
> Hrm, that's no good. But if I'm not mistaken, each interface
> is configured with its own address. Does this not give the
> system enough information to reject packets arriving on the
> wrong interface for their address?

Well, each interface is not necessarily configured with a *unique*
address; think point-to-point interfaces reusing the address of an
Ethernet interface. But yes, one could in theory enforce the
restriction that packets are only accepted by a host if their
destination address is one of the ones associated with that
particular interface.

However, this would break a few things. (We have a machine with
11 Ethernet interfaces -- hence, 11 IP addresses -- running BIND8
and serving about 80 domains. *One* of those IP addresses is listed
as the name server for those 80 domains with InterNIC. It would be
bad if users on the other 10 Ethernets couldn't address this
nameserver to resolve the 80 domains.)

> Are you sure that the system will accept packets for the wrong
> interface?

Try it :-).

Jim Shankland
Flying Fox Computer Systems, Inc.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
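
Added example, not part of the original message: a small Python model of the two acceptance policies the message contrasts, applied to a host shaped like the one it describes (11 Ethernets, one registered nameserver address, a point-to-point link reusing an Ethernet address). The interface names, the 10.0.N.1 addresses and the labels "weak" and "strong" (the RFC 1122 host-model terms) are assumptions and do not appear in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str       # e.g. "ed0" (constructed name)
    address: str    # IPv4 address configured on it (constructed value)


def build_host():
    """Constructed host: 11 Ethernets plus a point-to-point link that
    reuses ed0's address, so addresses are not unique per interface."""
    ethernets = [Interface(f"ed{n}", f"10.0.{n}.1") for n in range(11)]
    return ethernets + [Interface("ppp0", "10.0.0.1")]


def accepts(interfaces, arrival_if, dst, strong):
    """Local-delivery decision for a packet to `dst` arriving on `arrival_if`.

    weak model   : dst may be any address configured on the host
    strong model : dst must be configured on the arrival interface itself
    """
    if strong:
        return any(i.name == arrival_if and i.address == dst
                   for i in interfaces)
    return any(i.address == dst for i in interfaces)


def dropped_on(interfaces, dst, strong):
    """Names of interfaces on which traffic addressed to `dst` is rejected."""
    return [i.name for i in interfaces
            if not accepts(interfaces, i.name, dst, strong)]


if __name__ == "__main__":
    host = build_host()
    nameserver = "10.0.0.1"   # the single registered address, on ed0
    print("weak  :", dropped_on(host, nameserver, strong=False))
    print("strong:", dropped_on(host, nameserver, strong=True))
```

Under the weak policy a service bound to ed0's address stays reachable through every other interface; under the strong policy the ten other Ethernets lose the nameserver, while ppp0 still accepts because it shares ed0's address.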