RE: Make popa3d listen on specific interface

2003-08-19 Thread Charles Howse
> normally popa3d is not listening at all, inetd is.
> 
> 1) add to /etc/rc.conf:
> inetd_flags="-wW -a 192.168.254.3" 

You are, of course, correct.
Thanks, that is just what I wanted!


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
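Added example, not from the thread and not popa3d's or inetd's own code: a small shell check over `netstat -an` output in the FreeBSD format Charles posted, which reports every TCP listener still bound to the wildcard `*`, so that after the inetd_flags change you can confirm port 110 now shows `192.168.254.3.110` instead of `*.110`. The netstat lines are constructed sample input, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` (FreeBSD layout): popa3d still on the
# wildcard, sshd already bound to the LAN address, plus one non-listening line.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  192.168.254.3.22       *.*                    LISTEN
tcp4       0      0  192.168.254.3.110      192.168.254.10.1055    ESTABLISHED'

# Print the port of every TCP listener whose local address is the wildcard.
# FreeBSD prints the local address as "addr.port"; all interfaces shows as "*.port".
# Usage: wildcard_listeners < netstat_output
wildcard_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, parts, ".")
        if (parts[1] == "*") print parts[n]
    }'
}

# Succeed (exit 0) only if the given port is still listening on all interfaces.
# After inetd_flags="-wW -a 192.168.254.3" takes effect, 110 should fail this.
# Usage: port_is_wildcard 110 < netstat_output
port_is_wildcard() {
    wildcard_listeners | grep -qx "$1"
}

# Stand-alone run over the constructed sample: prints 110
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
```

A listener that has moved from `*` to 192.168.254.3 still accepts any packet routed to that address, which is the distinction Lowell draws between binding to an address and binding to an interface.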


RE: Make popa3d listen on specific interface

2003-08-16 Thread Charles Howse
> > I could be way off on my logic, and my understanding of tcp/ip, so
> > correct me if I'm wrong.
> 
> Not at all; you're dead on.  
> The only thing I'm trying to warn you about is that binding to a
> specific address is having a fairly small effect on your security in
> this case.  For belt-and-suspenders protection, you'd be somewhat 
> better off with a more sophisticated POP server which can bind to 
> the inside interface directly instead of just the address.

Well, I'm big on security, but not an expert.  On my XP Pro box, I run
Zone Alarm Pro for *outgoing* security, as well as being behind the
firewall.  On my Redhat 9 box, I have it configured for the security
suggestions in the "Linux Benchmark v1.0.0" on the Center for Internet
Security. http://www.cisecurity.org/.  I also run Tripwire, and a custom
security report.

I'm not at all opposed to changing pop servers, I selected popa3d based
*only* on the 1-line description in the packages section of sysinstall.

Which one would you recommend?
Which is the *be-all, do-all, big-daddy* pop server in Packages? 




Re: Make popa3d listen on specific interface

2003-08-16 Thread Lowell Gilbert
"Charles Howse" <[EMAIL PROTECTED]> writes:

> Let me throw this in:
> This is a home network, behind a Cable Modem and 4-port Cable/DSL router
> w/ firewall.
> Port 110 is closed on the firewall.  Ports 80,20 and 21 are open on
> another machine in the DMZ.
> That said ( and I'm no expert ) wouldn't it be acceptable for *my*
> situation to bind to an address?
> That way, anyone wanting to crack into the pop server on this machine
> would have to get past the firewall, and then discover the address the
> pop server on this machine is listening on...? Nmap would certainly do
> that, *if* they got in.
> I run a pop server on the Redhat machine next to the FreeBSD machine, no
> problems ever there.
> I could be way off on my logic, and my understanding of tcp/ip, so
> correct me if I'm wrong.

Not at all; you're dead on.  
The only thing I'm trying to warn you about is that binding to a
specific address is having a fairly small effect on your security in
this case.  For belt-and-suspenders protection, you'd be somewhat 
better off with a more sophisticated POP server which can bind to 
the inside interface directly instead of just the address.


RE: Make popa3d listen on specific interface

2003-08-15 Thread Charles Howse
> > /*
> >   * The address and port to listen on.
> >   */
> > #define DAEMON_ADDR "0.0.0.0"   /* INADDR_ANY */
> > #define DAEMON_PORT 110
> > 
> > but I have to mention that I dunno if the port can handle this. :/
> > must check first
> > But at least it should be possible to bind popa3d to a 
> specific interface.
> 
> Yes, you *can* bind to an address that way. 
> However, you can't bind to an interface that easily, 
> which is really required to do this as a security 
> measure.  A firewall may be protecting you from 
> source-spoofed packets, but then you're back to, 
> well, depending on the firewall for the real security.

Let me throw this in:
This is a home network, behind a Cable Modem and 4-port Cable/DSL router
w/ firewall.
Port 110 is closed on the firewall.  Ports 80,20 and 21 are open on
another machine in the DMZ.
That said ( and I'm no expert ) wouldn't it be acceptable for *my*
situation to bind to an address?
That way, anyone wanting to crack into the pop server on this machine
would have to get past the firewall, and then discover the address the
pop server on this machine is listening on...? Nmap would certainly do
that, *if* they got in.
I run a pop server on the Redhat machine next to the FreeBSD machine, no
problems ever there.
I could be way off on my logic, and my understanding of tcp/ip, so
correct me if I'm wrong.




Re: Make popa3d listen on specific interface

2003-08-15 Thread Lowell Gilbert
Frank Reppin <[EMAIL PROTECTED]> writes:

> wouldn't it be possible to change this whilst editing
>  within the source? I just downloaded popa3d
> and it shows:
> 
> /*
>   * The address and port to listen on.
>   */
> #define DAEMON_ADDR "0.0.0.0"   /* INADDR_ANY */
> #define DAEMON_PORT 110
> 
> but I have to mention that I dunno if the port can handle this. :/
> must check first
> But at least it should be possible to bind popa3d to a specific interface.

Yes, you *can* bind to an address that way. 
However, you can't bind to an interface that easily, 
which is really required to do this as a security 
measure.  A firewall may be protecting you from 
source-spoofed packets, but then you're back to, 
well, depending on the firewall for the real security.


Re: Make popa3d listen on specific interface

2003-08-15 Thread Frank Reppin
Hi,

Lowell Gilbert wrote:

> "Charles Howse" <[EMAIL PROTECTED]> writes:
> 
> > Below is a portion of netstat -an.
> > Notice that my pop server (popa3d) is listening on all interfaces.
> > 
> > tcp4   0  0  *.110  *.*
> > LISTEN

wouldn't it be possible to change this whilst editing
 within the source? I just downloaded popa3d
and it shows:

/*
 * The address and port to listen on.
 */
#define DAEMON_ADDR "0.0.0.0"   /* INADDR_ANY */
#define DAEMON_PORT 110

but I have to mention that I dunno if the port can handle this. :/ must 
check first
But at least it should be possible to bind popa3d to a specific interface.

> > I really don't need this, not doing any internet pop'ing, just doing LAN
> > mail.
> > Is there any way to make popa3d listen on 192.168.254.3?
> 
> No.  You need a smarter server for that.
> You can use a firewall to protect it, but it doesn't 
> know or care about IP interfaces.

HTH,

frank

--
43rd Law of Computing:
Anything that can go wr
fortune: Segmentation violation -- Core dumped


Re: Make popa3d listen on specific interface

2003-08-15 Thread Lowell Gilbert
"Charles Howse" <[EMAIL PROTECTED]> writes:

> Below is a portion of netstat -an.
> Notice that my pop server (popa3d) is listening on all interfaces.
> 
> tcp4   0  0  *.110  *.*
> LISTEN
> 
> I really don't need this, not doing any internet pop'ing, just doing LAN
> mail.
> Is there any way to make popa3d listen on 192.168.254.3?

No.  You need a smarter server for that.
You can use a firewall to protect it, but it doesn't 
know or care about IP interfaces.