From owner-freebsd-security Mon Jul 27 23:00:17 1998
Date: Mon, 27 Jul 1998 23:01:52 -0700 (PDT)
From: Jim Shankland
Message-Id: <199807280601.XAA13523@biggusdiskus.flyingfox.com>
To: ben@rosengart.com
Subject: Re: inetd enhancements (fwd)
Cc: security@FreeBSD.ORG

>From benedict@echonyc.com Mon Jul 27 22:31:23 1998
Date: Tue, 28 Jul 1998 01:29:04 -0400 (EDT)
Reply-To: ben@rosengart.com
To: Jim Shankland
cc: ben@rosengart.com, security@freebsd.org
Subject: Re: inetd enhancements (fwd)
In-Reply-To: <199807280440.VAA12658@biggusdiskus.flyingfox.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Snob Art Genre writes:

> On Mon, 27 Jul 1998, Jim Shankland wrote:
>
> > Careful there. The sockets API supports binding to a specific
> > *address*, not interface....
>
> Hrm, that's no good. But if I'm not mistaken, each interface
> is configured with its own address. Does this not give the
> system enough information to reject packets arriving on the
> wrong interface for their address?

Well, each interface is not necessarily configured with a *unique*
address; think point-to-point interfaces reusing the address of an
Ethernet interface.
But yes, one could in theory enforce the restriction that packets are
only accepted by a host if their destination address is one of the ones
associated with that particular interface. However, this would break a
few things. (We have a machine with 11 Ethernet interfaces -- hence, 11
IP addresses -- running BIND8 and serving about 80 domains. *One* of
those IP addresses is listed as the name server for those 80 domains
with InterNIC. It would be bad if users on the other 10 Ethernets
couldn't address this nameserver to resolve the 80 domains.)

> Are you sure that the system will accept packets for the wrong
> interface?

Try it :-).

Jim Shankland
Flying Fox Computer Systems, Inc.
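An added example (not from the thread) of the point Jim makes about the sockets API: bind() selects a destination address, not an interface. A UDP socket bound to 127.0.0.1 does not receive a datagram sent to 127.0.0.2 even though both addresses sit on the same loopback interface, while a socket bound to INADDR_ANY receives both. It assumes a Linux host, where the whole of 127.0.0.0/8 is treated as local.

```c
/* Added example, not from the original thread.  Shows that bind() picks an
 * address, not an interface: a socket on 127.0.0.1 never sees a datagram
 * addressed to 127.0.0.2 (same loopback interface), a socket on INADDR_ANY
 * does.  Assumes Linux, where all of 127.0.0.0/8 is local. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if a datagram sent to dest_ip reaches a socket bound to bind_ip,
 * 0 if nothing arrives within 200 ms, -1 on a setup error. */
int datagram_delivered(const char *bind_ip, const char *dest_ip)
{
    struct sockaddr_in sa;
    struct pollfd pfd;
    socklen_t len = sizeof sa;
    int rx = socket(AF_INET, SOCK_DGRAM, 0);   /* the "listener" */
    int tx = socket(AF_INET, SOCK_DGRAM, 0);   /* the sender */
    int result = -1;
    if (rx < 0 || tx < 0) goto out;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;                            /* kernel picks a free port */
    if (inet_pton(AF_INET, bind_ip, &sa.sin_addr) != 1) goto out;
    if (bind(rx, (struct sockaddr *)&sa, sizeof sa) != 0) goto out;
    if (getsockname(rx, (struct sockaddr *)&sa, &len) != 0) goto out;
    /* Keep the chosen port but address the datagram to dest_ip. */
    if (inet_pton(AF_INET, dest_ip, &sa.sin_addr) != 1) goto out;
    if (sendto(tx, "x", 1, 0, (struct sockaddr *)&sa, sizeof sa) != 1) goto out;
    pfd.fd = rx;
    pfd.events = POLLIN;
    result = poll(&pfd, 1, 200) > 0 ? 1 : 0;  /* 1 = delivered, 0 = not */
out:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return result;
}

int main(void)
{
    printf("bound 127.0.0.1, sent to 127.0.0.1: %d\n", datagram_delivered("127.0.0.1", "127.0.0.1"));
    printf("bound 127.0.0.1, sent to 127.0.0.2: %d\n", datagram_delivered("127.0.0.1", "127.0.0.2"));
    printf("bound 0.0.0.0,   sent to 127.0.0.2: %d\n", datagram_delivered("0.0.0.0", "127.0.0.2"));
    return 0;
}
```

Nothing here tells the kernel which interface the datagram arrived on; restricting by arrival interface, as the thread notes, needs a separate mechanism such as a packet filter rather than the bind() call.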