Re: Listening on specific interfaces


From: Mark Burgess
Subject: Re: Listening on specific interfaces
Date: Wed, 27 Aug 2003 17:18:03 +0200 (MEST)

>> Servers generally bind to 0.0.0.0 which means, I'm accepting traffic
>> from anyone in principle.
> 
> This is untrue, and I'd actually argue the opposite. Not being
> judgmental, but this may be the source of your confusion. I
> specifically bind both tomcat and apache to specific address for load
> balancing. It simplifies load balancing configuration, moving and
> expanding sites, configuration management...etc.
> 
> If the need for this is still not clear, please read up on why any
> server binds to an IP address. The security implications are paramount
> and this generally accepted security practice is something cfengine
> could use.

Ok there are 2 things and then I'm finished with the discussion:

1. You are right about the binding address. It is the IP address
   of an interface that bind connects to, not a client address.
   So indeed it is possible to bind to *either*

    a) only one interface with a specific IP address
    b) a wildcard address 0.0.0.0 (INADDR_ANY)

   I was wrong about this and have learned something new.

2. Until I started writing this message I could not think of
a single useful application for this, but there is in fact one:
key exchange. It might make trusted key exchange with the server
less vulnerable to spoofing time windows, under very special
circumstances.

So it's only a 99.5% Red Herring

Mark

PS - please don't explain to me otherwise. Let's just implement
it and be done with it. It is a trivial modification.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
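An added illustration of point 1 above (example code, not from the thread or from cfengine): a C helper binds a TCP listener either to one interface address or to the wildcard 0.0.0.0, and a second function asks the kernel via getsockname which address the socket really accepts connections on. The function names are assumed for the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* TCP listener bound to one interface address (`ip`, dotted quad, case (a)
 * above) or, when ip is NULL, to the wildcard INADDR_ANY 0.0.0.0 (case (b)).
 * Port 0 lets the kernel pick a free port.  Returns the fd or -1 on error. */
int bind_listener(const char *ip, uint16_t port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (ip == NULL)
        sa.sin_addr.s_addr = htonl(INADDR_ANY);
    else if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) {
        close(fd);      /* not a valid IPv4 address */
        return -1;
    }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);      /* e.g. address not configured on any local interface */
        return -1;
    }
    return fd;
}

/* Bind as above, then ask the kernel (getsockname) which address the
 * listener really accepts connections on and compare it with `expect`.
 * Returns 1 on a match, 0 otherwise; the socket is closed either way. */
int listener_bound_to(const char *ip, const char *expect)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    char buf[INET_ADDRSTRLEN];
    int fd = bind_listener(ip, 0), ok = 0;
    if (fd < 0)
        return 0;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) == 0 &&
        inet_ntop(AF_INET, &sa.sin_addr, buf, sizeof buf) != NULL)
        ok = strcmp(buf, expect) == 0;
    close(fd);
    return ok;
}
```

A listener bound to 127.0.0.1 is unreachable from other hosts regardless of firewalling, whereas 0.0.0.0 accepts on every interface the machine has, which is the whole difference the thread is about.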