Eric Cooper wrote:
On Thu, Feb 26, 2009 at 04:07:54PM +0300, Michael Tokarev wrote:
[]
F.e. my single eth0 interface here on a machine in a DMZ has two
addresses, one "external" visible from outside, and second in
range 192.168.x.x, -- this last one should be used by approx to
listen to.  If I specify eth0, approx will listen on the external
address instead.

Approx supports tcp_wrappers, so you can restrict it using
/etc/hosts.allow and hosts.deny.

Hmm.  Ok, when I do ldd on the binary or look at the dependencies, I
see a libwrap reference.  But it's nowhere in the documentation... So
here's yet another wish list item -- at least mention which service
name (approx?) it uses for tcp_wrappers :)

In any case, there's no need to protect something using tcp_wrappers
if it's trivial to set it up so it'll be invisible from the networks
it isn't supposed to serve.  I think anyway -- less chance of
misbehaviour or [D]DoS, less processing (no need to accept(2) incoming
connections), less noise in logs etc.

Almost any other network-aware program out there nowadays asks for
the IP _address_ to bind to, not an interface name.  And sure thing,
approx fails to start when given an IP address, with misleading
diagnostics "unable to obtain IP address for interface 192.168.1.4".

Well, the documentation does say "interface", not "IP address".

Yes.  As I mentioned before, using "interface" here is sort of a relic because
for a long time, on linux at least, there's been no more "one IP per interface"
concept.  Since kernel-2.0 at least, I think.  Some programs still use this
term - "interface" - like ping, unbound (which is a new program
by the way), but use it in the sense of "interface *address*" (while sometimes
you can specify an interface NAME here too, which will work the same way
as approx currently does).  Like this:

ping: ... [-I interface or address] ...
unbound:
  interface: <ip address>
           Interface to use to connect to the network. [...]
 (this one is misleading too)

And so on.  Because what this option really does is to specify
listening ADDRESS (used in listen(2) system call), -- there's
no syscall for a socket to specify INTERFACE.  (Well, there are
"advanced" socket options for that, but that's not an average
usage).

Many programs allow being run from inetd, which, in turn, lets
one configure IP address(es) to listen on, connection rates,
allowed/denied networks and the like (none of that is
implemented by approx).  But approx does not run in one-shot mode
either.

I will add this to the wishlist.

That'd be nice too.  Thanks!

So for me, in its current form approx is unusable.  And I was
tempted to mark this bug as grave, but I'm using "normal" severity
still.

If tcp_wrappers solves the problem for you, I would argue that this
should be wishlist priority.

Well.  I finally solved the problem by reconfiguring my network settings
and using different names (labels) for each IP address assigned to my eth0.
This way I was allowed to specify eth0:lan as $interface parameter and
approx does the Right Thing, finally.  This broke ntpd which also does
not have similar option and insists on listening on everything (before it
was seeing only first address, now it sees all), but that's another story.

Yes, "grave" is definitely not appropriate for this, and now that everything
is settled I'd agree it's a wishlist (or 3 of them at once ;).  It just
so happened that in the past several weeks, almost everything I'm trying to
do stops at various problems/defects in software, and I'm really tired of
all this, because I can't do my work, fighting with various issues instead...
Hence my overreaction.

Thank you Eric!

/mjt
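The point made above, that bind(2)/listen(2) take an ADDRESS and that a program should say so instead of reporting "unable to obtain IP address for interface 192.168.1.4", as an added example in C. This is not code from the thread or from approx; the function names, the port/backlog values and the simple name-vs-address check are my own assumptions. It classifies the configured value before doing anything with it (literal IPv4, literal IPv6, or an interface name with an optional alias label such as eth0:lan), creates a TCP listener bound to exactly one IPv4 address, and reads back via getsockname(2) what the kernel actually bound. The SO_BINDTODEVICE helper is the "advanced" Linux socket option mentioned in the thread and is included only for contrast: it pins a socket to a device but still does not choose an address.

```c
/* Added example, not approx code: listen on an ADDRESS, not an "interface". */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum spec_kind { SPEC_INVALID = -1, SPEC_IPV4, SPEC_IPV6, SPEC_IFNAME };

/* Tell a literal IP address apart from an interface name ("eth0") or alias
 * label ("eth0:lan") up front, so the error can say "not an address" instead
 * of "unable to obtain IP address for interface 192.168.1.4". Assumed helper. */
enum spec_kind classify_listen_spec(const char *spec)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, spec, &a4) == 1)
        return SPEC_IPV4;
    if (inet_pton(AF_INET6, spec, &a6) == 1)
        return SPEC_IPV6;
    /* Linux names fit in IFNAMSIZ (16 incl. NUL) and contain no blank or '/'. */
    size_t n = strlen(spec);
    if (n == 0 || n >= IFNAMSIZ)
        return SPEC_INVALID;
    for (size_t i = 0; i < n; i++)
        if (spec[i] == '/' || spec[i] == ' ' || spec[i] == '\t')
            return SPEC_INVALID;
    return SPEC_IFNAME;
}

/* TCP listener bound to exactly one IPv4 address, which is what bind(2) and
 * listen(2) actually take. Port 0 lets the kernel pick a port.
 * Returns the listening fd, or -1 with errno set. */
int listen_on_ipv4(const char *addr, uint16_t port, int backlog)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) {
        errno = EINVAL;              /* e.g. "eth0" is not an address */
        return -1;
    }
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, backlog) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* The "advanced" socket option: pin a socket to one device. Linux-only and
 * historically needs CAP_NET_RAW; it does NOT pick an address, the socket
 * stays bound to whatever bind(2) gave it (usually INADDR_ANY). */
int restrict_to_device(int fd, const char *ifname)
{
#ifndef SO_BINDTODEVICE
    (void)fd; (void)ifname; errno = ENOTSUP; return -1;
#else
    return setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1);
#endif
}

/* Read back what the kernel actually bound, via getsockname(2). */
int bound_ipv4_text(int fd, char *buf, size_t len, uint16_t *port)
{
    struct sockaddr_in sa;
    socklen_t sl = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &sl) < 0)
        return -1;
    if (!inet_ntop(AF_INET, &sa.sin_addr, buf, len))
        return -1;
    if (port)
        *port = ntohs(sa.sin_port);
    return 0;
}

int main(int argc, char **argv)
{
    const char *spec = argc > 1 ? argv[1] : "127.0.0.1";
    if (classify_listen_spec(spec) != SPEC_IPV4) { fprintf(stderr, "%s: expected an IPv4 address, not an interface name\n", spec); return 2; }
    int fd = listen_on_ipv4(spec, 0, 16);
    if (fd < 0) { perror("listen_on_ipv4"); return 1; }
    char buf[INET_ADDRSTRLEN]; uint16_t port = 0;
    if (bound_ipv4_text(fd, buf, sizeof buf, &port) == 0)
        printf("listening on %s:%u\n", buf, port);
    close(fd);
    return 0;
}
```

Build with `cc -o bindaddr bindaddr.c` and run it as `./bindaddr 192.168.1.4` on the two-address eth0 from the thread: the listener lands on that one address only, the external address never gets an accept(2) to begin with, and passing `eth0` or `eth0:lan` is rejected with a message that names the real problem.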


