tech-net: Re: Flag to exclude an interface from INADDR

Subject: Re: Flag to exclude an interface from INADDR_ANY?
To: Jim Wise <jwise@draga.com>
From: Paul Goyette <paul@whooppee.com>
List: tech-net
Date: 01/02/2002 07:55:38

Then, what would you do if you _did_ want some daemons to listen on
all interfaces, but had other daemons which should listen only on a
subset?

Perhaps INADDR_MOST_BUT_NOT_ALL would be useful here?   :)

On Wed, 2 Jan 2002, Jim Wise wrote:

> Please note:  this is *not* a strong-vs-weak host model post.  I
> strongly believe a sysctl to choose strong or weak host model is in
> order, but this is a separate question, specifically:
>
> What do people think of the idea of adding a per-interface flag,
> settable with ifconfig, to indicate that an interface should not be
> included in INADDR_ANY?
>
> Such a flag would be especially useful in a strong host model of course,
> but even in the current model, there are many instances of hosts which
> have one or more interfaces on which it is not desirable to have daemons
> listening (think a management-lan interface, or the outside interface
> of a NAT or proxy gateway).
>
> As many daemons, (in particular all current RPC services) provide no way
> to limit the daemon to listening on a particular subset of interfaces on
> the system, it seems to me valuable to have the ability to indicate that
> an interface is _not_ intended to be listened on by general services.
>
> (And yes, of course this can be done with ipf, but let's face it, having
> a daemon actually listening on the undesired port and then blocking
> access with ipf in a way designed not to be picked up by port scanners
> is error-prone at best, and worse, subject to race conditions, such as
> connections in the brief interval between ipf stopping and starting when
> invoking /etc/rc.d/ipfilter reload).
>
> --
> 				Jim Wise
> 				jwise@draga.comSignature by unknown keyid: 0xC398730E
>

----------------------------------------------------------------------
|   Paul Goyette   | PGP DSS Key fingerprint: |  E-mail addresses:   |
| Network Engineer | BCD7 5301 9513 58A6 0DBC |  paul@whooppee.com   |
|  & World Cruiser | 91EB ADB1 A280 3B79 9221 | pgoyette@juniper.net |
----------------------------------------------------------------------