Subject: Re: Flag to exclude an interface from INADDR_ANY?
To: None
From: Greg A. Woods
List: tech-net
Date: 01/02/2002 17:28:44
[ On Wednesday, January 2, 2002 at 10:04:10 (-0500), Jim Wise wrote: ]
> Subject: Flag to exclude an interface from INADDR_ANY?
> Such a flag would be especially useful in a strong host model of course,
> but even in the current model, there are many instances of hosts which
> have one or more interfaces on which it is not desirable to have daemons
> listening (think a management-lan interface, or the outside interface
> of a NAT or proxy gateway).

It's not such a bad idea.  However, I'd rather have daemons learn to do
this stuff properly (as inetd, named, and I think ntpd, already can do).
INADDR_ANY is more like a kludge on any multi-homed host.

> (And yes, of course this can be done with ipf, but let's face it, having
> a daemon actually listening on the undesired port and then blocking
> access with ipf in a way designed not to be picked up by port scanners
> is error-prone at best, and worse, subject to race conditions, such as
> connections in the brief interval between ipf stopping and starting when
> invoking /etc/rc.d/ipfilter reload).

There had damn well better not be any race condition on 'ipfilter reload'!
Ipf does not stop and start when it is reloaded -- it reloads properly
and safely.  If there is any window where either the old filters, or the
new filters, are not active then that would be a big bad ugly kernel bug.

								Greg A. Woods

+1 416 218-0098
Planix, Inc.; VE3TCP; Secrets of the Weird
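The per-address binding Greg prefers over INADDR_ANY, as an added C example that is not code from the thread, inetd or named: `listen_on` refuses the wildcard, `listen_except` opens one listener per local IPv4 address while skipping named interfaces, and `listens_on_wildcard` is an audit check a reviewer can run on any socket. Function names, the `skip` list and the IPv4-only, getifaddrs(3)-based enumeration are this example's assumptions.

```c
/* Added example, not code from the thread, inetd or named; assumes IPv4 and getifaddrs(3). */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <string.h>
#include <unistd.h>

/* Bind and listen on exactly one IPv4 address; refuses INADDR_ANY.  Returns fd or -1. */
int listen_on(struct in_addr a, uint16_t port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port), .sin_addr = a };
    int fd, on = 1;
    if (a.s_addr == htonl(INADDR_ANY)) return -1;   /* the wildcard is the kludge, not an address */
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* Audit helper: 1 if bound to the wildcard (reachable on every interface), 0 if not, -1 on error. */
int listens_on_wildcard(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (fd < 0 || getsockname(fd, (struct sockaddr *)&sin, &len) < 0) return -1;
    return sin.sin_addr.s_addr == htonl(INADDR_ANY);
}

/* One listener per local IPv4 address, skipping interfaces named in the NULL-terminated
 * `skip` list (a management LAN, the outside of a NAT box).  Returns how many were opened. */
int listen_except(const char **skip, uint16_t port, int *fds, int maxfds)
{
    struct ifaddrs *ifa, *p;
    int n = 0, i;
    if (getifaddrs(&ifa) < 0) return -1;
    for (p = ifa; p != NULL && n < maxfds; p = p->ifa_next) {
        if (p->ifa_addr == NULL || p->ifa_addr->sa_family != AF_INET)
            continue;
        for (i = 0; skip[i] != NULL && strcmp(skip[i], p->ifa_name) != 0; i++)
            ;                                       /* excluded interface? */
        if (skip[i] == NULL &&
            (fds[n] = listen_on(((struct sockaddr_in *)p->ifa_addr)->sin_addr, port)) >= 0)
            n++;
    }
    freeifaddrs(ifa);
    return n;
}
```

A daemon built this way has no socket on the excluded interface at all, so there is nothing for a packet filter to hide and no reload window to worry about.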