Subject: Re: Host access philosophy (Was: restricting NFS (and associated
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Matthew Orgass <darkstar@city-net.com>
List: tech-net
Date: 10/11/2006 16:59:54

On 2006-10-11 mcr@sandelman.ottawa.on.ca wrote:
> >>>>> "Thor" == Thor Lancelot Simon <tls@rek.tjls.com> writes:
>     Thor> I think that if we provided sane primitives for discovering
>     Thor> the set of valid destination addresses for a host, and binding
>     Thor> a socket so that it would receive packets on _some addresses_
>     Thor> (not one, and not all) it would be easy to add the kind of
>     Thor> access control you seem to want (and which a lot of other
>     Thor> people would probably like as well) to our applications.
>
>     Thor> In this case, we would add it to mountd, rpcbind, and the
>     Thor> in-kernel NFS server.  It would be a nice example of the
>     Thor> interface, actually.
>
>   I agree strongly.

  But should individual applications need to know about it?  An
alternative would be to let, say, inetd determine this even for separate
servers and provide a notification interface if the server really needs to
know what interface/address(es) it is listening on.

Matthew Orgass
darkstar@city-net.com