Date: Mon, 17 Jan 2011 14:22:51 +0100
From: joris dedieu <joris.dedieu@gmail.com>
To: Julian Elischer <julian@freebsd.org>
Cc: freebsd-hackers <freebsd-hackers@freebsd.org>
Subject: Re: Fwd: binding non local ip.
Message-ID: <AANLkTik5AkZ7izcscKp-9CVuUNv6Zzz-me5SyEpVwbqf@mail.gmail.com>
In-Reply-To: <4D2CA5E8.9070003@freebsd.org>
References: <AANLkTimJBkTdgs4P=XjHyTCinfCOn0Ku8bEVcR-q=Dzc@mail.gmail.com> <4D274C5E.500@freebsd.org> <AANLkTimyOFs4+HTPzhjkJnRYQfV3A_77M3zZsM2PXXkO@mail.gmail.com> <AANLkTiniSFrHV8Z84uH2H3HdLaFm7Kj=xS5Tyv0y1cfc@mail.gmail.com> <4D2CA5E8.9070003@freebsd.org>
Hi Julian and many thanks for your comments.

2011/1/11 Julian Elischer <julian@freebsd.org>:
> On 1/9/11 3:01 PM, joris dedieu wrote:
>>
>> ---------- Forwarded message ----------
>> From: joris dedieu <joris.dedieu@gmail.com>
>> Date: 2011/1/9
>> Subject: Re: binding non local ip.
>> To: Julian Elischer <julian@freebsd.org>
>>
>>
>> 2011/1/7 Julian Elischer <julian@freebsd.org>:
>>>
>>> On 1/7/11 4:57 AM, joris dedieu wrote:
>>>>
>>>> Hi,
>>>> I need to bind non local ips for daemons that don't
>>>> implement the IP_BINDANY sockopt.
>>>
>>> I'm not sure you need it.
>>> You can use the ipfw 'fwd' command to make a locally bound
>>> socket act and look as if it is bound to a non local address.
>>>
>>> You need to tell us a little more about what you need to do.
>>>
>>> For example,
>>> is the socket just listening? or is it initiating?
>>
>> Listening I think.
>> Typically, prepare a spare server.
>> eg:
>> - Failover as with carp but with more complex actions such as shutting
>> down the power of the main server, check data consistency, check if
>> the problem is not just a reboot or a buggy service that needs to be
>> restarted.
>
> A listening server can be listening on a local port and address.
> Use ipfw 'fwd' to force it to accept a non-local address socket.
> The local address of the listening socket will be switched to that
> of the address on the session.
>
> e.g.
> ipfw add 100 fwd 127.0.0.1,80 tcp from any to 111.123.123.123 in recv em0
>
> Your local server listening on 127.0.0.1:80 will end up with a socket with
> a local address of 111.123.123.123 even if that is not any address of yours.
>
>> - Switch an ip from a main server to an already configured proxy (during a
>> dos)
>> - monitor that the spare service is running.
>
> this is easy as shown above

As I said above there are several workarounds depending on the context.
I agree enabling ipfw is not the worst.

In my thought, the goal of this patch is just to offer a simple answer to
a simple question: how to bind a non local ip under FreeBSD? For now the
answer is implement it with IP_BINDANY, or do as if (with firewalling), or
do it another way. I know it. I do it that way on my job every day. I just
think "turn on sysctl.XXX.YYY" is one of those little things you are happy
to find.

Best regards
Joris

>
>>>> There are several solutions such as patching every single daemon
>>>> or using carp (You may not want automatic failover), jailing
>>>> the process and of course binding INADDR_ANY when possible ...
>>>>
>>>> As I'm too lazy for this, I wrote a little (maybe ugly as my
>>>> kernel knowledge is really low) patch that adds a sysctl
>>>> entry in net.inet.ip that allows binding non local ips. It's
>>>> maybe buggy and insecure but it seems to work.
>>>
>>> seems ok, but if the daemon is initiating, how does it know to bind to a
>>> non local address?
>>
>> It doesn't know. That's the goal. So when the address becomes local
>> it's already ready. So you don't discover that it's misconfigured or
>> broken, or whatever else your dummy colleague has imagined :) . You or a
>> script ifconfig the alias and back to bed !
>>>
>>> also. if you have source, a single setsockopt() in each one is not much
>>> of a job..
>>
>> I already do this for haproxy and for apr. But (for haproxy) it seems
>> to be too specific to be integrated upstream. For other services (such as
>> tomcat) that don't know privilege dropping it's more problematic as
>> IP_BINDANY needs in most cases root privileges.
>>
>> I think that a system wide solution should be a good thing.
>> Joris
>>>
>
>
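The "single setsockopt() in each daemon" route that Julian suggests and Joris already uses for haproxy, as an added C example (not code from the thread, from FreeBSD, or from any daemon named in it): a listener that requests IP_BINDANY before bind(), with the privilege check landing where Joris says it does. It assumes Linux's IP_FREEBIND may stand in for IP_BINDANY so the snippet builds on both systems; bind_listener and fail_close are names chosen here.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* FreeBSD names the option IP_BINDANY; Linux has the equivalent IP_FREEBIND.
 * Treating them alike is an assumption made only so this example builds on
 * both systems. */
#if !defined(IP_BINDANY) && defined(IP_FREEBIND)
#define IP_BINDANY IP_FREEBIND
#endif

/* Close fd and hand back -errno from the call that just failed. */
static int fail_close(int fd) { int err = errno; close(fd); return -err; }

/* Create a TCP socket bound to ip:port. With nonlocal != 0, IP_BINDANY is
 * set before bind() so the kernel accepts an address it does not own yet.
 * Returns the fd (>= 0) on success or -errno on failure. */
int bind_listener(const char *ip, uint16_t port, int nonlocal)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return -EINVAL;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    if (nonlocal) {
#ifdef IP_BINDANY
        int one = 1;
        /* FreeBSD checks PRIV_NETINET_BINDANY (root) here, so an unprivileged
         * daemon gets EPERM before it reaches bind(): the reason Joris finds
         * the option awkward for services that cannot drop privileges. */
        if (setsockopt(fd, IPPROTO_IP, IP_BINDANY, &one, sizeof one) < 0)
            return fail_close(fd);
#else
        close(fd);
        return -ENOPROTOOPT; /* this kernel offers no such option */
#endif
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0)
        return fail_close(fd);
    return fd;
}
```

Binding 127.0.0.1 with nonlocal = 0 needs no privilege and works anywhere; the non-local path is the one that is gated by root on FreeBSD.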
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTik5AkZ7izcscKp-9CVuUNv6Zzz-me5SyEpVwbqf>