Re: Listening on specific interfaces
From: Mark . Burgess
Subject: Re: Listening on specific interfaces
Date: Mon, 25 Aug 2003 18:26:51 +0200 (MEST)
Cfservd already has this kind of access control. You don't need
any more layers, I would say.
M
On 25 Aug, Wheeler, John wrote:
> It might be nice to have this on hosts with lots of interfaces like in a
> dmz. Otherwise you have to have something like tcp wrappers deny traffic
> to the 5308 port on all interfaces but the control interface. It may
> simplify things for some. It's potentially just another layer of
> security.
>
> -----Original Message-----
> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no]
> Sent: Monday, August 25, 2003 10:26 AM
> To: Wheeler, John
> Cc: Mark.Burgess@iu.hio.no; andre@digirati.com.br; help-cfengine@gnu.org
> Subject: Re: Listening on specific interfaces
>
>
> 0.0.0.0 is not a specific interface but a wildcard IP address. It means
> "allow connections from any client". If you bind to a specific IP then
> you might restrict to traffic from a single host, but is that very
> useful?
>
> Mark
>
> On 25 Aug, Wheeler, John wrote:
>> Maybe I'm confused, but in cfservd.c version 2.0.6 line 749 you set the
>> interface to INADDR_ANY (below). I believe this means it will listen on
>> any interface that's up, or more specifically 0.0.0.0(?). If someone is
>> ambitious you could write a patch to have it listen on something from
>> the config file.
>>
>> 744 #else
>> 745
>> 746 bzero(&sin,sizeof(sin));
>> 747
>> 748 sin.sin_port = (unsigned short)(port); /* Service returns network byte order */
>> 749 sin.sin_addr.s_addr = INADDR_ANY;
>> 750 sin.sin_family = AF_INET;
>> 751
>> 752 if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
>> 753 {
>> 754 CfLog(cferror,"Couldn't open socket","socket");
>> 755 exit (1);
>> 756 }
>> 757
>> 758 if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *) &yes, sizeof (int)) == -1)
>> 759 {
>> 760 CfLog(cferror,"Couldn't set socket options","sockopt");
>> 761 exit (1);
>> "cfservd.c" line 749 of 3248 --23%-- col 1
>>
>> -----Original Message-----
>> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no]
>> Sent: Saturday, August 23, 2003 3:51 PM
>> To: andre@digirati.com.br
>> Cc: help-cfengine@gnu.org
>> Subject: Re: Listening on specific interfaces
>>
>>
>>
>> I think that this is a function of your operating system, rather than
>> of cfengine. It is implementation dependent which interface gets bound
>> to by the listen function.
>>
>> M
>>
>> On 22 Aug, Andre Nathan wrote:
>>> Hi
>>>
>>> I have just installed cfengine for the first time on a test environment.
>>> It's working fine for the simple tasks I configured, but I have one
>>> doubt: currently, netstat shows "*:cfengine" in the "Local Address"
>>> column when cfexecd is running. Is it possible to make it listen on one
>>> interface only, when I'm using a dual homed host?
>>>
>>> Thanks in advance
>>> Andre
>>>
>>>
>>>
>>> _______________________________________________
>>> Help-cfengine mailing list
>>> Help-cfengine@gnu.org
>>> http://mail.gnu.org/mailman/listinfo/help-cfengine
>>
>>
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
>> Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~