Date: Mon, 27 Jul 1998 21:40:15 -0700 (PDT)
From: Jim Shankland <jas@flyingfox.com>
To: ben@rosengart.com
Cc: security@FreeBSD.ORG
Subject: Re: inetd enhancements (fwd)
Message-ID: <199807280440.VAA12658@biggusdiskus.flyingfox.com>
In-Reply-To: <Pine.GSO.4.02.9807271736080.28671-100000@echonyc.com>
Snob Art Genre <benedict@echonyc.com> writes:

> Ever since I learned how the sockets API supports binding to a
> specific interface, I've wanted ways to use this in inet
> software. As it is, I'm using tcp_wrappers to get equivalent
> functionality, but this would certainly be more elegant.

Careful there. The sockets API supports binding to a specific *address*, not interface. If your machine has two interfaces with addresses A and B, and you bind your server socket to address B, it will happily accept connections addressed to address B, but physically arriving via the "A" interface.

In many situations, this can't happen, due to routing. E.g., if address B is 192.168.1.1, and I'm an Evil Hacker In Bulgaria, I'll be hard pressed to get packets addressed to 192.168.1.1 delivered to your server. On the other hand, in this case, an "inside" client can likely connect to services bound only to the "outside" address. And if the bad guy has control of your immediate upstream, s/he/it (the universal "bad guy" pronoun, often suffixed with "-head") could arrange to deliver packets addressed to your "inside" interface down your "outside" wire.

Anyway, caveat emptor. The sockets API was written back when everyone was friends.

Jim Shankland
Flying Fox Computer Systems, Inc.