Subject: Re: Host access philosophy (Was: restricting NFS (and associated
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Matthew Orgass <darkstar@city-net.com>
List: tech-net
Date: 10/11/2006 16:59:54
On 2006-10-11 mcr@sandelman.ottawa.on.ca wrote:
> >>>>> "Thor" == Thor Lancelot Simon <tls@rek.tjls.com> writes:
> Thor> I think that if we provided sane primitives for discovering
> Thor> the set of valid destination addresses for a host, and binding
> Thor> a socket so that it would receive packets on _some addresses_
> Thor> (not one, and not all) it would be easy to add the kind of
> Thor> access control you seem to want (and which a lot of other
> Thor> people would probably like as well) to our applications.
>
> Thor> In this case, we would add it to mountd, rpcbind, and the
> Thor> in-kernel NFS server. It would be a nice example of the
> Thor> interface, actually.
>
> I agree strongly.
But should individual applications need to know about it? An
alternative would be to let, say, inetd determine this even for separate
servers and provide a notification interface if the server really needs to
know what interface/address(es) it is listening on.
Matthew Orgass
darkstar@city-net.com
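The primitive Thor describes (discover the host's own addresses, then receive on some of them, not one and not all) can be approximated with today's sockets API by binding one listening socket per selected address. This is an added example, not code from this thread or from mountd/rpcbind; the prefix-based allow-list and the function names are my own assumptions about how such a policy might be expressed.

```c
/* Added example: emulate "listen on some addresses, not one and not all"
 * by enumerating local IPv4 addresses with getifaddrs() and binding one
 * listening socket per address that falls inside an allowed prefix.
 * The prefix policy is an assumption for illustration. */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if IPv4 address a lies inside net/prefix, else 0. */
int addr_in_prefix(struct in_addr a, struct in_addr net, int prefix) {
    uint32_t mask = prefix == 0 ? 0 : htonl(~0u << (32 - prefix));
    return (a.s_addr & mask) == (net.s_addr & mask);
}

/* Bind and listen on one TCP socket per local IPv4 address inside
 * net/prefix. Stores the descriptors in fds (at most max), returns the
 * number bound, or -1 if the host's addresses cannot be enumerated.
 * port 0 lets the kernel choose an ephemeral port. */
int bind_selected(struct in_addr net, int prefix, uint16_t port,
                  int *fds, int max) {
    struct ifaddrs *ifa0, *ifa;
    int n = 0;
    if (getifaddrs(&ifa0) != 0) return -1;
    for (ifa = ifa0; ifa && n < max; ifa = ifa->ifa_next) {
        if (!ifa->ifa_addr || ifa->ifa_addr->sa_family != AF_INET) continue;
        struct sockaddr_in sin;
        memcpy(&sin, ifa->ifa_addr, sizeof sin);
        if (!addr_in_prefix(sin.sin_addr, net, prefix)) continue;
        int fd = socket(AF_INET, SOCK_STREAM, 0);
        if (fd < 0) continue;
        sin.sin_port = htons(port);
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0 ||
            listen(fd, 16) != 0) { close(fd); continue; }
        fds[n++] = fd;   /* this address is served; unselected ones are not */
    }
    freeifaddrs(ifa0);
    return n;
}
```

A daemon would then poll() or select() over the returned descriptors; addresses outside the prefix never receive a connection because no socket is bound to them.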