Hi Lukas,

Thank you very much for the clarifications. I asked because I try everywhere to restrict everything to internal interfaces, except services which should be exposed to the public. This approach simplifies firewall management. However, if this is OK, I think I will leave it open.

Regards

On Jul 19, 2014, at 12:40 AM, Lukas Tribus <[email protected]> wrote:

> Hi Serghei,
>
>> Hi guys.
>>
>> In my config file there is a string:
>> log 127.0.0.1 local6 info
>> After haproxy restart I receive UDP listener which listens on
>> *:<non-priv port>.
>> Is there a way to restrict it to some interface/address?
>> 127.0.0.1 for example?
>
> It's not currently possible to restrict this UDP socket afaict.
>
> We should probably implement a "source" argument for the log keyword here,
> binding the UDP socket to that IP locally. We can then also force a box with
> multiple routable IP addresses to use a specific IP address for logging and
> it will also allow to restrict the UDP socket to localhost (by specifying
> source 127.0.0.1).
>
> Anyway, there is no security issue here, haproxy calls shutdown() on this
> socket at the beginning, so incoming udp traffic on this particular socket
> is dropped early (never makes it to the application).
>
> Regards,
>
> Lukas
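A UDP socket that sends without a prior bind() is given a wildcard local address and an ephemeral port by the kernel, which is the kind of `*:<non-priv port>` entry described in the question; binding first, as the proposed "source" argument would, pins it to one IP. The following C sketch is an added example, not HAProxy code: the function name, the destination port 514 and the constructed syslog message are assumptions made here.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: send one datagram to 127.0.0.1:dst_port and write the
 * local IP of the sending socket into out. If src_ip is non-NULL the socket
 * is bound to it first (port 0 = ephemeral). Returns 0 on success, -1 on error. */
int log_socket_local_addr(const char *src_ip, unsigned short dst_port,
                          char *out, size_t outlen)
{
    struct sockaddr_in dst, src, local;
    socklen_t len = sizeof(local);
    const char msg[] = "<182>constructed test message"; /* 182 = local6.info */
    int ok = 0;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    if (src_ip) {                       /* the "source" idea: bind before sending */
        memset(&src, 0, sizeof(src));
        src.sin_family = AF_INET;
        if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0)
            goto done;
    }
    /* Without the bind above, this first send makes the kernel auto-bind. */
    if (sendto(fd, msg, sizeof(msg) - 1, 0, (struct sockaddr *)&dst, sizeof(dst)) < 0)
        goto done;
    if (getsockname(fd, (struct sockaddr *)&local, &len) < 0)
        goto done;
    ok = inet_ntop(AF_INET, &local.sin_addr, out, (socklen_t)outlen) != NULL;
done:
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    char ip[INET_ADDRSTRLEN];
    if (log_socket_local_addr(NULL, 514, ip, sizeof(ip)) == 0)
        printf("no bind:            local address %s\n", ip);
    if (log_socket_local_addr("127.0.0.1", 514, ip, sizeof(ip)) == 0)
        printf("bind to 127.0.0.1:  local address %s\n", ip);
    return 0;
}
```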

