From: Arthur Chance
To: byrnejb@harte-lyne.ca, freebsd-questions@freebsd.org
Subject: Re: LPD listen directive?
Date: Wed, 31 Jan 2018 10:52:38 +0000
Message-ID: <8109ee79-2871-67bc-4279-36ed9fe5a36b@qeng-ho.org>
In-Reply-To: <870deecf052d36d03aae9613410b38ba.squirrel@webmail.harte-lyne.ca>
List: freebsd-questions@freebsd.org

On 30/01/2018 21:48, James B. Byrne via freebsd-questions wrote:
> Can lpd be configured such that it listens only on specific IP
> addresses? If so where and how is it done? We are running lpd and
> cups on the same host. Cups is configured to only listen on the
> loopback address. But lpd is listening on all available addresses.
>
> netstat -a | grep LISTEN
> tcp4 0 0 localhost.domain *.* LISTEN
> tcp6 0 0 localhost.domain *.* LISTEN
> tcp4 0 0 localhost.ssh *.* LISTEN
> tcp4 0 0 192.168.216.44.ssh *.* LISTEN
> tcp4 0 0 vhost04.ssh *.* LISTEN
> tcp4 0 0 vhost04.2222 *.* LISTEN
> tcp4 0 0 localhost.ftp-proxy *.* LISTEN
> tcp4 0 0 localhost.ipp *.* LISTEN
> tcp6 0 0 localhost.ipp *.* LISTEN
> tcp4 0 0 vhost04.smtp *.* LISTEN
> tcp4 0 0 localhost.smtp *.* LISTEN
> tcp4 0 0 *.printer *.* LISTEN
> tcp6 0 0 *.printer *.* LISTEN
>

Quick hint: sockstat -l is (IMO) a better way to show what listening
sockets are open.

I haven't actually tried this, so can't guarantee it's totally correct,
but in theory you can use jail(8) to lock any program down to one
address. I believe a command like

  jail path=/ ip4.addr=1.2.3.4 ip6=disable cmd ...

would run cmd with only the IPv4 address 1.2.3.4 usable and IPv6 locked
out totally. The path=/ bit sets the root of the jail to see the full
file system as normal. Using this with the /etc/rc.d/* service files
would probably require tweaking the shutdown command to kill the
relevant jail.

-- 
An amusing coincidence: log2(58) = 5.858 (to 0.0003% accuracy).
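An added worked example, not part of the thread above and not from either poster: a small POSIX sh script that does the two things an administrator following Arthur's suggestion would want. First it reads `sockstat -l` output (a constructed sample is embedded so it runs offline) and flags every daemon bound to the wildcard address, which is how lpd showed up in the original netstat listing. Second it builds the jail(8) invocation in the current `jail -c param=value ... command=...` form that pins a daemon to one IPv4 address with IPv6 disabled, and it checks, again from sockstat text, whether a named daemon still has any listener outside that address. The jail name `lpd0`, the address 192.168.216.44 and the daemon path /usr/sbin/lpd are assumptions chosen for illustration; integration with the rc.d scripts and the shutdown handling Arthur mentions is not covered.

```shell
#!/bin/sh
# Constructed sample of `sockstat -l` output (not captured from the poster's host).
# Columns: USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS";
# awk sees the local address as field 6 because the header's two-word
# column names are skipped.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lpd        1234  3  tcp4   *:515                 *:*
root     lpd        1234  4  tcp6   *:515                 *:*
root     cupsd      900   5  tcp4   127.0.0.1:631         *:*
root     sshd       700   4  tcp4   192.168.216.44:22     *:*'

# wildcard_listeners: read sockstat -l text on stdin and print
# "COMMAND PROTO LOCAL" for every socket bound to *:port, i.e. one that
# accepts connections on every interface of the host.
wildcard_listeners() {
    awk '$1 != "USER" && $6 ~ /^\*:/ { print $2, $5, $6 }'
}

# offending_sockets CMD ADDR: read sockstat -l text on stdin and print the
# listeners of daemon CMD whose local address is not ADDR. Empty output
# means the daemon is confined to ADDR as intended.
offending_sockets() {
    awk -v cmd="$1" -v addr="$2" \
        '$1 != "USER" && $2 == cmd && index($6, addr ":") != 1 { print $2, $5, $6 }'
}

# jail_cmd NAME ADDR DAEMON [ARGS...]: build the jail(8) command line that
# runs DAEMON with only the IPv4 address ADDR and no IPv6 at all, keeping
# path=/ so the daemon sees the normal filesystem (the idea from the post).
# Assumed example values are passed in by the caller below.
jail_cmd() {
    name=$1; addr=$2; shift 2
    printf 'jail -c name=%s path=/ ip4.addr=%s ip6=disable command=%s\n' \
        "$name" "$addr" "$*"
}

# Stand-alone run: show the wildcard-bound daemons in the sample, then the
# jail command that would confine lpd, then re-check the (unchanged) sample
# against the intended address, which still reports both lpd sockets.
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
jail_cmd lpd0 192.168.216.44 /usr/sbin/lpd
printf '%s\n' "$SAMPLE_SOCKSTAT" | offending_sockets lpd 192.168.216.44
```

On a live host, replace the embedded sample with `sockstat -l | wildcard_listeners` before the change and `sockstat -l | offending_sockets lpd 192.168.216.44` after starting the jailed daemon; an empty result from the second call is the confirmation that the wildcard binding is gone.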