Subject: Re: Flag to exclude an interface from INADDR_ANY?
To: None <email@example.com>
From: Greg A. Woods <firstname.lastname@example.org>
Date: 01/02/2002 17:28:44

[ On Wednesday, January 2, 2002 at 10:04:10 (-0500), Jim Wise wrote: ]
> Subject: Flag to exclude an interface from INADDR_ANY?
> Such a flag would be especially useful in a strong host model of course,
> but even in the current model, there are many instances of hosts which
> have one or more interfaces on which it is not desirable to have daemons
> listening (think a management-lan interface, or the outside interface
> of a NAT or proxy gateway).

It's not such a bad idea. However I'd rather have daemons learn to do
this stuff properly (as inetd, named, and I think ntpd, already can do).
INADDR_ANY is more like a kludge on any multi-homed host.

> (And yes, of course this can be done with ipf, but let's face it, having
> a daemon actually listening on the undesired port and then blocking
> access with ipf in a way designed not to be picked up by port scanners
> is error-prone at best, and worse, subject to race conditions, such as
> connections in the brief interval between ipf stopping and starting when
> invoking /etc/rc.d/ipfilter reload).

There had damn well better not be any race condition on 'ipfilter reload'!
Ipf does not stop and start when it is reloaded -- it reloads properly
and safely. If there is any window where either the old filters, or the
new filters, are not active then that would be a big bad ugly kernel bug.

Greg A. Woods
+1 416 218-0098; <email@example.com>; <firstname.lastname@example.org>; <email@example.com>
Planix, Inc. <firstname.lastname@example.org>; VE3TCP; Secrets of the Weird <email@example.com>