Date:      Wed, 31 Jan 2018 10:52:38 +0000
From:      Arthur Chance <freebsd@qeng-ho.org>
To:        byrnejb@harte-lyne.ca, freebsd-questions@freebsd.org
Subject:   Re: LPD listen directive?
Message-ID:  <8109ee79-2871-67bc-4279-36ed9fe5a36b@qeng-ho.org>
In-Reply-To: <870deecf052d36d03aae9613410b38ba.squirrel@webmail.harte-lyne.ca>
References:  <870deecf052d36d03aae9613410b38ba.squirrel@webmail.harte-lyne.ca>

On 30/01/2018 21:48, James B. Byrne via freebsd-questions wrote:
> Can lpd be configured such that it listens only on specific IP
> addresses?  If so where and how is it done?  We are running lpd and
> cups on the same host.  Cups is configured to only listen on the
> loopback address.  But lpd is listening on all available addresses.
> 
>  netstat -a | grep LISTEN
> tcp4       0      0 localhost.domain       *.*                    LISTEN
> tcp6       0      0 localhost.domain       *.*                    LISTEN
> tcp4       0      0 localhost.ssh          *.*                    LISTEN
> tcp4       0      0 192.168.216.44.ssh     *.*                    LISTEN
> tcp4       0      0 vhost04.ssh            *.*                    LISTEN
> tcp4       0      0 vhost04.2222           *.*                    LISTEN
> tcp4       0      0 localhost.ftp-proxy    *.*                    LISTEN
> tcp4       0      0 localhost.ipp          *.*                    LISTEN
> tcp6       0      0 localhost.ipp          *.*                    LISTEN
> tcp4       0      0 vhost04.smtp           *.*                    LISTEN
> tcp4       0      0 localhost.smtp         *.*                    LISTEN
> tcp4       0      0 *.printer              *.*                    LISTEN
> tcp6       0      0 *.printer              *.*                    LISTEN
> 

Quick hint: sockstat -l is (IMO) a better way to show what listening
sockets are open.

I haven't actually tried this, so can't guarantee it's totally correct,
but in theory you can use jail(8) to lock any program down to one
address. I believe a command like

jail path=/ ip4.addr=1.2.3.4 ip6=disable cmd ...

would run cmd with only the IPv4 address 1.2.3.4 usable and IPv6 locked
out totally. The path=/ bit sets the root of the jail to see the full
file system as normal.

Using this with the /etc/rc.d/* service files would probably require
tweaking the shutdown command to kill the relevant jail.

-- 
An amusing coincidence: log2(58) = 5.858 (to 0.0003% accuracy).
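As an added check, not code from either poster: a small POSIX sh/awk filter that finds services bound to the wildcard address in `netstat -a` output, so the original question ("is lpd listening on all addresses?") can be answered mechanically before and after any jail or bind-address change. The sample input is constructed from the lines quoted in the thread; on a live host pipe `netstat -an | grep LISTEN` into the same function.

```shell
#!/bin/sh
# Added example (not from the thread). Flags LISTEN sockets whose local
# address is "*.<service>", i.e. daemons reachable on every interface.

# Constructed sample, copied from the netstat output quoted in the thread.
SAMPLE_NETSTAT='tcp4       0      0 localhost.ipp          *.*                    LISTEN
tcp6       0      0 localhost.ipp          *.*                    LISTEN
tcp4       0      0 vhost04.smtp           *.*                    LISTEN
tcp4       0      0 *.printer              *.*                    LISTEN
tcp6       0      0 *.printer              *.*                    LISTEN'

# Read netstat lines on stdin; print "<proto> <service>" for every LISTEN
# entry whose local address starts with "*." (wildcard bind). Works with
# both named (*.printer) and numeric (*.515) output.
wildcard_listeners() {
    awk '$NF == "LISTEN" && $4 ~ /^\*\./ {
        split($4, parts, ".")
        print $1, parts[2]
    }'
}

# Return 0 if the named service ("printer" or "515") has NO wildcard
# listener in the netstat lines on stdin, 1 if it is bound to "*".
service_is_bound() {
    ! wildcard_listeners | awk -v svc="$1" '$2 == svc { found = 1 } END { exit !found }'
}

# Stand-alone run: list wildcard listeners in the sample and check lpd.
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | service_is_bound printer; then
    echo "lpd (printer) is bound to specific addresses"
else
    echo "lpd (printer) is listening on all addresses"
fi
```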



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8109ee79-2871-67bc-4279-36ed9fe5a36b>