From: Jeremy Chadwick <jdc@parodius.com>
To: freebsd-ports@freebsd.org
Date: Fri, 12 May 2006 16:16:48 -0700
Subject: Re: FreeBSD Port: poppassd-4.0_2
Message-ID: <20060512231648.GA63826@pentarou.parodius.com>
References: <4464F565.30807@calarts.edu>
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>

On Fri, May 12, 2006 at 11:49:15PM +0100, Andrew wrote:
> On 12/05/2006, at 9:51 PM, Sean Murphy wrote:
> > is there anyway to restrict this daemon to listen only on 127.0.0.1
> > local host?
>
> poppassd is called by inetd so that's where you need to look. The
> easiest method would probably be to use tcp wrappers. See the inetd man
> page for details but basically run inetd with -w and edit
> /etc/hosts.allow.

tcpwrappers should not be relied upon in any way, shape or form for
security. Application-level IP checking should only be used as a last
resort. Why?

Because for tcpwrappers to work, the client has to already have an
established TCP or UDP socket. By then it's too late -- the socket has
already been established, which means the attacker, at a bare minimum,
knows what service(s) you're running on your machine. Not good. :-)

If poppassd can't run as a daemon and bind to a specific interface or IP
itself (and must run under inetd), then I'd recommend replacing inetd on
your systems with xinetd -- which does offer per-service per-interface
binding (inetd offers interface binding via the -a flag, but for all
services).

Simple security rule: do not bind to an interface or IP which you do not
want to receive (insert-service-here) packets via.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.                             |
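The two approaches discussed in the thread side by side, as an added illustration that is not part of the original message or of the poppassd port: the tcpwrappers route (inetd run with -w, rules in /etc/hosts.allow) still accepts the TCP connection from any interface before the rule is evaluated, whereas an xinetd service stanza with a `bind` attribute never listens on anything but the loopback address. The xinetd `bind`, `only_from`, `server` and `disable` attributes and the hosts.allow rule syntax are real; the installed path of the poppassd binary, the service name in /etc/services and the xinetd.d file location are assumptions for FreeBSD and should be checked against the local system.

```conf
# --- Approach 1 (quoted advice): tcpwrappers under inetd ---------------
# /etc/rc.conf  -- enable inetd with wrapping of all services (-w)
inetd_enable="YES"
inetd_flags="-wW"

# /etc/hosts.allow  -- evaluated only AFTER the TCP handshake completes,
# so the listening port is still visible from every interface.
poppassd : 127.0.0.1 : allow
poppassd : ALL       : deny

# --- Approach 2 (recommended in the reply): per-service bind in xinetd --
# /usr/local/etc/xinetd.d/poppassd  (path assumed; xinetd from ports)
service poppassd
{
        disable     = no
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        # server path assumed; verify with `pkg info -l poppassd`
        server      = /usr/local/libexec/poppassd
        # Listen on loopback only: no socket exists on other interfaces,
        # so a remote client cannot even complete a handshake.
        bind        = 127.0.0.1
        # Belt and braces: xinetd's own source filter in addition to bind.
        only_from   = 127.0.0.1
}
```

After restarting xinetd, `sockstat -4l` (or `netstat -an`) should show the poppassd port bound to 127.0.0.1 rather than `*`; with the tcpwrappers approach the same listing shows the port open on all addresses, which is exactly the exposure the reply objects to. Stock inetd's `-a` flag can pin the listener to one address too, but it applies to every service inetd runs, not to poppassd alone.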