From: Dave Marquardt <marquard@zilker.net>
To: freebsd-hackers@FreeBSD.ORG
Subject: Re: getting remote side of tcp connection's address before accept()?
Date: 20 Feb 1998 16:49:43 -0600
In-Reply-To: Paul Traina's message of "Fri, 20 Feb 1998 12:49:20 -0800"
References: <199802202049.MAA06914@precipice.shockwave.com>
Message-ID: <85zpjl3n94.fsf@localhost.zilker.net>

Paul Traina writes:

> I'd like to be able to refuse tcp connections to a particular daemon
> from a certain list of addresses.
>
> What I'd ideally like to do is bind and listen on a socket, then
> when a connection request comes in, check the remote peer's address
> information, and allow the connection only if the address info
> was correct.
>
> If I do it with a standard:
>
>     bind
>     listen
>     accept
>     if (!good_address)
>         close
>
> The tcp connection is accepted and then closed. I want the TCP
> connection to be refused, never accepted.
>
> Under ISO/TP4, the accept(2) and recvmsg(2) manual pages imply you
> can pull this off by closing the accept'ed socket before ever doing
> any real read/write operations to it.
>
> Has anyone ever pulled this off with tcp sockets?
Well, this isn't possible using the same mechanism in the usual BSD code, unless you go into the protosw entry for TCP and turn on the PR_WANTRCVD flag (I think) and rebuild your kernel. Completely non-portable, obviously.

You might read "TCP/IP Illustrated" by Stevens and Wright for more information on this.

I'm completely unfamiliar with ipfw, but you might investigate it.

-Dave
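An added example, my own code rather than either poster's, of the one portable path the reply leaves open: let the kernel complete the handshake, then decide at accept() time. The deny list and its addresses are constructed for illustration, and closing with SO_LINGER set to zero so the rejection goes out as a RST instead of a graceful FIN is an assumption beyond what the thread discusses; the connection is still established first, exactly as Dave says.

```c
/* Added example (not from the thread): accept()-time address filter.
 * By the time accept() returns the 3-way handshake is done, so the
 * application cannot refuse the connection, only abort it. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed deny list (hypothetical): network and mask, host byte order. */
struct deny_entry { uint32_t net; uint32_t mask; };
static const struct deny_entry deny_list[] = {
    { 0xC0000200u, 0xFFFFFF00u },  /* 192.0.2.0/24 (documentation range) */
    { 0x0A000000u, 0xFF000000u },  /* 10.0.0.0/8 */
};

/* 1 if the dotted-quad address matches a deny entry, 0 if not,
 * -1 if the string is not a valid IPv4 address. */
int peer_denied(const char *dotted)
{
    struct in_addr a;
    if (inet_pton(AF_INET, dotted, &a) != 1)
        return -1;
    uint32_t ip = ntohl(a.s_addr);
    for (size_t i = 0; i < sizeof deny_list / sizeof deny_list[0]; i++)
        if ((ip & deny_list[i].mask) == deny_list[i].net)
            return 1;
    return 0;
}

/* Accept one connection on listen_fd. Denied peers are aborted with a
 * RST (SO_LINGER, l_linger == 0) and -1 is returned; otherwise the
 * connected descriptor is returned. */
int accept_filtered(int listen_fd)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    char buf[INET_ADDRSTRLEN];
    int fd = accept(listen_fd, (struct sockaddr *)&peer, &len);
    if (fd < 0)
        return -1;
    inet_ntop(AF_INET, &peer.sin_addr, buf, sizeof buf);
    if (peer_denied(buf) != 0) {
        struct linger lg = { 1, 0 };  /* on, zero timeout: close() sends RST */
        setsockopt(fd, SOL_SOCKET, SO_LINGER, &lg, sizeof lg);
        close(fd);
        return -1;
    }
    return fd;
}
```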