Subject: Re: Flag to exclude an interface from INADDR_ANY?
To: Paul Goyette <paul@whooppee.com>
From: Jim Wise <jwise@draga.com>
List: tech-net
Date: 01/02/2002 11:25:59
I've given that some thought, but part of my concern is that this would
include adding such support to a wide range of third-party daemons, each
with their own config file or command-line syntax, and continuing to add
such support to such daemons as new versions and new programs hit
pkgsrc.  And this would mean never having such support in commercial
software which we do not have the source to.

Also, even with all daemons supporting such options, the process of
determining all running daemons (including those started by users,
possibly built locally in their home directories), and determining the
correct syntax to specify an explicit interface for each.  And redoing
this process every time a new interface is added to the machine.  And
making daemon configs much more tied to the local host config, making
them less portable between machines.

All of which strikes me as inconvenient at best, and dangerously
error-prone in the usual case...

On Wed, 2 Jan 2002, Paul Goyette wrote:

>In my mind, it would be better to teach the INADDR_ANY daemons how to
>listen only on configured interfaces, rather than implement this new
>interface flag.
>
>On Wed, 2 Jan 2002, Jim Wise wrote:
>
>> Many daemons, including named, sshd, and sendmail, can be explicitly
>> given a set of interfaces to listen on.  They would be configured
>> normally to listen on the outside interface (or both interfaces, in a
>> strong-host-model environment).
>>
>> Other daemons, including those mentioned, can only listen on INADDR_ANY.
>> At this point, there is _no_ way to prevent them from listening on an
>> outside interface.  This would be addressed by the new flag.
>>
>> More generally, such a flag would provide an easy way to classify which
>> interfaces were to be used for general services, which is useful in many
>> situations.
>
>----------------------------------------------------------------------
>|   Paul Goyette   | PGP DSS Key fingerprint: |  E-mail addresses:   |
>| Network Engineer | BCD7 5301 9513 58A6 0DBC |  paul@whooppee.com   |
>|  & World Cruiser | 91EB ADB1 A280 3B79 9221 | pgoyette@juniper.net |
>----------------------------------------------------------------------
>

-- 
				Jim Wise
				jwise@draga.com

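As an added illustration (not code from the thread or from NetBSD) of the audit step Jim calls error-prone, the script below parses BSD-style `netstat -an` output, lists the servers bound to INADDR_ANY / in6addr_any, and reports which services a client on a given interface's network could reach. The sample netstat output, the addresses in it and the function names are constructed for this example.

```python
import re

# Constructed sample of BSD-style `netstat -an` output (not taken from the
# thread); netstat prints "*" for a socket bound to INADDR_ANY / in6addr_any.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.0.2.10.22          *.*                    LISTEN
tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  127.0.0.1.53           *.*                    LISTEN
tcp        0      0  192.0.2.10.22          198.51.100.7.41232     ESTABLISHED
udp        0      0  *.514                  *.*
tcp6       0      0  *.22                   *.*                    LISTEN
"""

# proto, Recv-Q, Send-Q, local address, foreign address, optional state
LINE_RE = re.compile(r'^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+(?:\s+(\S+))?\s*$')

def parse_sockets(netstat_output):
    """Yield (proto, local_addr, port, state) for each socket line."""
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything else we do not understand
        proto, local, state = m.group(1), m.group(2), m.group(3) or ''
        addr, _, port = local.rpartition('.')  # BSD netstat puts '.' before the port
        yield proto, addr, port, state

def is_server(proto, state):
    # A TCP socket accepts new connections only in LISTEN; every bound UDP
    # socket can receive datagrams.
    return proto.startswith('udp') or state == 'LISTEN'

def wildcard_listeners(netstat_output):
    """Servers bound to the wildcard address: the daemons that no per-daemon
    configuration has pinned to a particular interface."""
    return sorted({(proto, port) for proto, addr, port, state in parse_sockets(netstat_output)
                   if addr == '*' and is_server(proto, state)})

def reachable_on(netstat_output, iface_addr):
    """Services a client on the network of `iface_addr` could reach: sockets
    bound to that address plus every wildcard-bound server. A wildcard tcp6
    socket is counted conservatively; whether it really answers IPv4 depends
    on the system's v6only setting."""
    return sorted({(proto, port) for proto, addr, port, state in parse_sockets(netstat_output)
                   if addr in ('*', iface_addr) and is_server(proto, state)})

if __name__ == '__main__':
    for proto, port in wildcard_listeners(SAMPLE_NETSTAT):
        print(f'{proto}/{port} is bound to the wildcard address')
```

Run against real `netstat -an` output, the second function answers the question in the thread directly: which services would be exposed on the outside interface regardless of how the daemons are configured.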