Re: [PHP] Re: How to limit source IP in PHP
On Tue, Sep 18, 2012 at 9:15 AM, Ian php_l...@fishnet.co.uk wrote:
> Hi Curtis,
>
> I am suffering from sleep deprivation due to a new family addition and I fail to see how your code will prevent a malicious user from binding to an IP that I do not want him to.
>
> It appears to be an example of how to bind to an IP, not how to prevent it.
>
> Could you please explain?

Congrats on the new little one, Ian, and if you don't already know, you're in for a long ride of sleepless nights. Get used to it.

That aside, please start a new thread if you'd like to discuss that in greater detail, as it will go off-topic from and out of scope of the originally-posted question. Others subscribed to the thread may not want to be bothered with the discussion, while others who are ignoring the thread (thinking it's a long, drawn-out, beating-a-dead-horse discussion) may never see a valuable discussion take place.

--
/Daniel P. Brown
Network Infrastructure Manager
http://www.php.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: How to limit source IP in PHP
On 18/09/2012 16:24, Daniel Brown wrote:
> On Tue, Sep 18, 2012 at 9:15 AM, Ian php_l...@fishnet.co.uk wrote:
>> Hi Curtis,
>>
>> I am suffering from sleep deprivation due to a new family addition and I fail to see how your code will prevent a malicious user from binding to an IP that I do not want him to.
>>
>> It appears to be an example of how to bind to an IP, not how to prevent it.
>>
>> Could you please explain?
>
> Congrats on the new little one, Ian, and if you don't already know, you're in for a long ride of sleepless nights. Get used to it.
>
> That aside, please start a new thread if you'd like to discuss that in greater detail, as it will go off-topic from and out of scope of the originally-posted question. Others subscribed to the thread may not want to be bothered with the discussion, while others who are ignoring the thread (thinking it's a long, drawn-out, beating-a-dead-horse discussion) may never see a valuable discussion take place.

Please, continue in this thread. I also do not see how your suggestion can avoid malicious coding.

Regards,

Tonino

--
Inter@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [PHP] Re: How to limit source IP in PHP
On 9/14/2012 7:20 AM, Ian wrote:
> On 12/09/2012 14:53, Tonix (Antonio Nati) wrote:
>> Is there a way to force a PHP script to bind to a prefixed IP?
>>
>> Actually, while you can assign more IPs to Apache for listening, assigning domains to specific IPs, it looks like any PHP script can freely choose which IP to bind. Instead, I'd love for some domains to be permitted to open connections only from the domain IP.
>>
>> In FreeBSD I do it easily, setting up dedicated jails for domains. But how to do it simply using PHP on Linux?
>>
>> Regards,
>>
>> Tonino
>
> Hi,
>
> I think it's been established now that this cannot be done by any PHP configuration, so you will have to use other methods.
>
> You could configure iptables to only allow outgoing packets from specific IPs using the 'owner' module: http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html (search for 'owner').
>
> There is also SELinux.
>
> Or you could look at container-based virtualisation like OpenVZ.
>
> Regards
>
> Ian

    if (function_exists('stream_context_create') && function_exists('stream_socket_client')) {
        // Bind the outgoing socket to a specific local IP (port 0 = any local port)
        $socket_options = array('socket' => array('bindto' => '192.0.2.1:0'));
        $socket_context = stream_context_create($socket_options);
        $socket = stream_socket_client('ssl://xmlapi.example.org:9090', $errno,
            $errstr, 30, STREAM_CLIENT_CONNECT, $socket_context);
    } else {
        // Fallback: fsockopen() takes no stream context, so no source IP is set here
        $socket = @fsockopen('ssl://xmlapi.example.org', 9090, $errno, $errstr, 30);
    }

Google is your friend.
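
Ian's iptables 'owner' suggestion quoted above, sketched as an added example that is not part of the original thread: it prints one rule per site so that the site's Unix user can only send from its own IP, whatever address a script passes to `bindto`. It assumes each site's PHP runs under its own UID; the account names `site_a` and `site_b`, the mapping format and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables rules pinning each site's
# Unix user to one source IP. Assumes each site's PHP runs under its own UID.
# Rules are printed for review only; nothing is applied.

# Constructed sample mapping: "<unix user> <allowed source IPv4>".
# site_a and site_b are hypothetical account names.
SAMPLE_MAP='# user   source-ip
site_a 192.0.2.1
site_b 192.0.2.2'

is_ipv4() {
    # Dotted quad, each octet 0-255; reject anything with other characters.
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

valid_user() {
    # Conservative account-name check so nothing odd reaches the rule text.
    case "$1" in ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;; esac
}

gen_rules() {
    # Reads mapping lines on stdin, prints one rule per valid line.
    # Returns 1 if any line was rejected.
    rc=0
    while read -r user ip rest; do
        case "$user" in ''|'#'*) continue ;; esac
        if [ -n "$rest" ] || ! valid_user "$user" || ! is_ipv4 "$ip"; then
            echo "rejected mapping line: $user $ip $rest" >&2
            rc=1
            continue
        fi
        # Reject this user's non-loopback packets whose source is not its IP.
        # A socket bound via 'bindto' to another address is caught here too.
        printf 'iptables -A OUTPUT -m owner --uid-owner %s ! -o lo ! -s %s -j REJECT\n' \
            "$user" "$ip"
    done
    return $rc
}

printf '%s\n' "$SAMPLE_MAP" | gen_rules
```

With mod_php, where every site shares the web server's UID, the owner match cannot tell sites apart, so this only helps once scripts run under per-site accounts.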