* Alexander Reelsen ([EMAIL PROTECTED]) [010910 01:24]:
> On Sun, Sep 09, 2001 at 06:31:57PM -0400, hpknight wrote:
> > It depends on the process that is binding the port. If you're using
> > xinetd you can specify which interface to bind the port on. If the
> > program/daemon doesn't allow you to specify interfaces, then you're stuck
> > .. unless you want to do some fancy stuff with ipchains/iptables to
> > redirect ports, or hack up the daemon.
> inetd also has this feature (not very well documented).
> use service@ip in inetd.conf in order to use that feature.
How's that? In my example, I'd like exim to bind only to the loopback
interface. I tried either of these 2 lines, with the respective error
from /var/log/daemon.log following each:
[EMAIL PROTECTED] stream tcp nowait mail /usr/sbin/exim exim -bs
Sep 10 17:32:28 gobo inetd[14915]: [EMAIL PROTECTED]/tcp: unknown service
smtp@lo stream tcp nowait mail /usr/sbin/exim exim -bs
Sep 10 17:42:11 gobo inetd[14992]: smtp@lo/tcp: unknown service
This is on sid, with
ii netkit-inetd 0.10-8 The Internet Superserver
I googled around for a while and found no mention anywhere of the
functionality you mention in inetd. If you know how, I'd appreciate it.
> xinetd is nicer, anyway :-)
Agreed. The other boxes I admin use xinetd.
>
> First binding then firewalling is a bad idea, someone might be able to
> access that service via spoofing or other dirty tricks...
Agreed again. I generally like to bind only to the interface I want to
receive connections on, and in addition, use tcp wrappers and firewall
rules to make for redundant security.
--
Vineet http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
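Whichever superserver syntax ends up working, the step a defender wants after restricting a daemon to loopback is to confirm which address the listening socket was actually bound to. The script below is an added example, not part of this mail or of inetd/xinetd; it parses output in the shape of `ss -ltn` (a constructed sample is embedded, and the column layout is an assumption of the example) and reports TCP listeners that still sit on the wildcard address. The helper names `wildcard_listeners` and `port_is_loopback_only` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Given `ss -ltn`-style lines,
# report TCP listeners bound to the wildcard address, which is what the author
# wants to avoid for exim (port 25 should be on 127.0.0.1 only).
# Assumption: whitespace-separated columns with the local address in column 4,
# as `ss -ltn` prints "Local Address:Port". In xinetd the corresponding setting
# is `bind = 127.0.0.1` in the service stanza; this script checks the result.

# Constructed sample in the shape of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       20      127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:80              [::]:*
LISTEN  0       128     [::1]:631            [::]:*'

# Print "port address" for every listener bound to a wildcard address
# (0.0.0.0, [::] or *). Reads lines on stdin and skips the header line.
wildcard_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)       # text after the last colon is the port
        host = addr; sub(/:[^:]*$/, "", host)   # strip the trailing :port
        if (host == "0.0.0.0" || host == "[::]" || host == "*")
            print port, host
    }'
}

# Is the given port bound only to loopback (127.0.0.1 / [::1])?
# Returns 0 if every LISTEN entry for that port is on loopback, 1 otherwise.
port_is_loopback_only() {
    awk -v p="$1" 'NR > 1 && $1 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)
        host = addr; sub(/:[^:]*$/, "", host)
        if (port == p && host != "127.0.0.1" && host != "[::1]") bad = 1
    } END { exit bad ? 1 : 0 }'
}

# Usage against the constructed sample; on a live host replace the printf with:
#   ss -ltn | wildcard_listeners
printf '%s\n' "$SAMPLE_SS_OUTPUT" | wildcard_listeners
```

On the sample, port 25 passes the loopback check while ports 22 and 80 are flagged as wildcard listeners; an empty report from `wildcard_listeners` is the state the mail is aiming for before tcp wrappers and firewall rules are layered on top.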