Subject: Re: Flag to exclude an interface from INADDR_ANY?
To: None <tech-net@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-net
Date: 01/02/2002 17:28:44
[ On Wednesday, January 2, 2002 at 10:04:10 (-0500), Jim Wise wrote: ]
> Subject: Flag to exclude an interface from INADDR_ANY?
>
> Such a flag would be especially useful in a strong host model of course,
> but even in the current model, there are many instances of hosts which
> have one or more interfaces on which it is not desirable to have daemons
> listening (think a management-lan interface, or the outside interface
> of a NAT or proxy gateway).

It's not such a bad idea.  However, I'd rather have daemons learn to do
this stuff properly (as inetd, named, and I think ntpd, already can do).
INADDR_ANY is more like a kludge on any multi-homed host.

> (And yes, of course this can be done with ipf, but let's face it, having
> a daemon actually listening on the undesired port and then blocking
> access with ipf in a way designed not to be picked up by port scanners
> is error-prone at best, and worse, subject to race conditions, such as
> connections in the brief interval between ipf stopping and starting when
> invoking /etc/rc.d/ipfilter reload).

There had damn well better not be any race condition on 'ipfilter reload'!
Ipf does not stop and start when it is reloaded -- it reloads properly
and safely.  If there is any window where either the old filters, or the
new filters, are not active then that would be a big bad ugly kernel bug.

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
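The "do this stuff properly" approach Woods prefers over INADDR_ANY, as added example code that is not from this thread or from inetd, named or ntpd: enumerate the host's IPv4 addresses, drop those on one excluded interface (a hypothetical policy; the interface name and the function names are assumptions), and bind one listening socket per remaining address.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <net/if.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

/* One IPv4 address with the interface it is configured on. */
struct ifaddr4 { char name[IF_NAMESIZE]; struct in_addr addr; };
/* Snapshot the host's IPv4 addresses via getifaddrs(); count, or -1 on error. */
int collect_ifaddrs(struct ifaddr4 *out, int max)
{
    struct ifaddrs *ifa, *p; int n = 0;
    if (getifaddrs(&ifa) != 0) return -1;
    for (p = ifa; p != NULL && n < max; p = p->ifa_next) {
        if (p->ifa_addr == NULL || p->ifa_addr->sa_family != AF_INET) continue;
        snprintf(out[n].name, IF_NAMESIZE, "%s", p->ifa_name);
        out[n].addr = ((struct sockaddr_in *)p->ifa_addr)->sin_addr;
        n++;
    }
    freeifaddrs(ifa);
    return n;
}

/* Policy (assumed): keep every address except those on the excluded interface,
 * e.g. a management LAN. Returns how many addresses were selected. */
int select_bind_addrs(const struct ifaddr4 *all, int n, const char *exclude, struct in_addr *out, int max)
{
    int k = 0;
    for (int i = 0; i < n && k < max; i++)
        if (strcmp(all[i].name, exclude) != 0)
            out[k++] = all[i].addr;
    return k;
}

/* One listening socket per selected address, never INADDR_ANY, so nothing listens
 * on the excluded interface and no packet filter is needed to hide the port. */
int listen_on_addrs(const struct in_addr *addrs, int n, unsigned short port, int *fds)
{
    int opened = 0;
    for (int i = 0; i < n; i++) {
        struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port), .sin_addr = addrs[i] };
        int fd = socket(AF_INET, SOCK_STREAM, 0);
        if (fd < 0) continue;
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == 0 && listen(fd, 5) == 0)
            fds[opened++] = fd;
        else close(fd);
    }
    return opened;
}
```

A daemon would call collect_ifaddrs, then select_bind_addrs with the excluded interface from its configuration, then listen_on_addrs, and accept on each returned descriptor. On NetBSD the sockaddr also carries sin_len, which this Linux-style initializer leaves at zero.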