----- Original Message -----
From: Guido Hennecke <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Sunday, December 09, 2001 8:14 AM
Subject: Re: Fw: Can a daemon listen only on some interfaces?

> At 09.12.2001, [EMAIL PROTECTED] wrote:
> [...]
> > And thanks for all the replies. In fact I was most interested to hear
> > that you could not make daemons listen on only one interface but you
> > could make them bind to an IP address range. I guess that is what I
> > achieved in my postfix main.cf file with the line:
> >
> > inet_interfaces = localhost
>
> Yes, if you take a look with "netstat -ln | grep 25" you will see
> something like that:
>
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
>
> This means that the service is listening on 127.0.0.1. The interface is
> "lo". If an attacker in the same network sets a route like that:
>
> 127.0.0.1 Gateway <your official ip address> Interface <his
> external interface>

Couldn't this be countered with:

ipchains -i !lo -d 127.0.0.1 -j DENY

?

Phil

> he can reach your service bound to 127.0.0.1. And this without
> activating ip_forward on your computer!
>
> This is easy to circumvent with ipchains or iptables.
>
> Regards, Guido
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
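Guido's netstat check and Phil's proposed rule, put together as an added shell example that is not part of the thread: it parses a constructed `netstat -ln` listing for services bound to 127.0.0.0/8, prints the iptables equivalent of the ipchains rule (widened from 127.0.0.1 to the whole loopback block), and checks a constructed `iptables -S INPUT` listing for that guard. The function names and both sample listings are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Finds services bound to 127.0.0.0/8
# in `netstat -ln` output, emits the iptables form of Phil's ipchains rule,
# and checks whether an `iptables -S INPUT` listing already carries it.

# Constructed sample of `netstat -ln` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:53            0.0.0.0:*'

# Constructed `iptables -S INPUT` listings: one without and one with the guard.
RULES_BARE='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
RULES_GUARDED='-P INPUT ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Print "<proto> <port>" for every listener whose local address is loopback.
# Field 4 of `netstat -ln` is "addr:port"; only IPv4 tcp/udp rows are kept.
loopback_listeners() {
    printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)$/ && $4 ~ /^127\./ {
        n = split($4, a, ":"); print $1, a[n] }'
}

# iptables equivalent of "ipchains -i !lo -d 127.0.0.1 -j DENY", widened to
# the whole loopback block: drop anything addressed to 127/8 that did not
# arrive on lo, however the remote end routed it.
loopback_guard_rule() {
    printf 'iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP\n'
}

# Return 0 if the listing already has a rule dropping 127/8 not from lo
# (token order in `iptables -S` output may vary, so match each piece).
has_loopback_guard() {
    printf '%s\n' "$1" | grep -- '^-A INPUT ' | grep -- '! -i lo' \
        | grep -- '-d 127\.0\.0\.0/8' | grep -Eq -- '-j (DROP|REJECT)'
}

# Report loopback-bound listeners and whether the guard rule is missing.
audit() {
    listeners=$(loopback_listeners "$1")
    [ -n "$listeners" ] || { echo "no loopback-bound listeners"; return 0; }
    echo "loopback-bound listeners:"; echo "$listeners"
    if has_loopback_guard "$2"; then echo "guard present"
    else echo "guard missing, add:"; loopback_guard_rule; fi
}
```

On current Linux kernels a packet for 127.0.0.0/8 arriving on a non-loopback interface is already discarded as a martian unless `net.ipv4.conf.<if>.route_localnet` has been enabled, so there the rule is a belt-and-braces measure; on the 2001-era kernels the thread discusses it does real work.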

