Thanks, I think this answers my questions
 
-----Original Message-----
From: Peter Crowther [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 12, 2006 9:08 AM
To: Tomcat Users List
Subject: RE: Restricting access to localhost for an HTTP connector - Email
has different SMTP TO: and MIME TO: fields in the email addresses

> From: Mark Claassen [mailto:[EMAIL PROTECTED]
> Say Tomcat is on a machine called TestMachine.
> If I put "127.0.0.1" in the address field, it accepts connections of
> the form "http://127.0.0.1/..." only. It does not accept connections
> from "http://TestMachine/...", even though the server is this same
> machine.
> I was hoping that it would accept all connections from the local 
> machine, regardless of what the connection was called.
> 
> Is there a way to do this?

Yes.  Add '127.0.0.1 TestMachine' into testmachine's /etc/hosts file.

> Is this by design?

Yes - IP design.  If you make a connection to an IP address, the receiving
socket must be bound to that IP address.  If the name TestMachine maps to
(say) 10.0.0.1, the IP stack will make the outbound connection to
10.0.0.1:80.  But here you've elected not to bind the socket to 10.0.0.1:80,
so the inbound connection will fail.

> Can IP spoofing get around this protection?

Not trivially, as you have to spoof the destination IP address, not the
source.  I wouldn't like to spoof it over the Internet - you'd have to
compromise each router by some means.  Yes on the same subnet, by obtaining
the MAC address for one of TestMachine's network adapters and crafting an IP
datagram with a forged destination address.  This could be protected against
by the input policy on the adapter blocking datagrams with a 127.0.0.1
destination address - or, in fact, any address other than one of the
legitimate IP addresses bound to that adapter (plus any multicasts you use).

                - Peter

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
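
The binding behaviour described in the reply above, as an added example that is not part of the original thread: a listener bound to 127.0.0.1 only answers connections addressed to 127.0.0.1, while a wildcard (0.0.0.0) listener answers on every local address. Assumptions: Linux, where the whole 127.0.0.0/8 range is local, so 127.0.0.2 stands in for the address that TestMachine's name resolves to; the function names are illustrative.

```python
import socket

def try_connect(addr, port, timeout=1.0):
    """Return True if a TCP handshake to addr:port completes."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def probe(bind_addr, targets):
    """Listen on bind_addr (kernel-chosen port) and dial each target address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((bind_addr, 0))
        srv.listen(8)  # the kernel completes handshakes; no accept() needed
        port = srv.getsockname()[1]
        return {t: try_connect(t, port) for t in targets}

# Assumption: 127.0.0.2 stands in for "another address of the same machine"
TARGETS = ["127.0.0.1", "127.0.0.2"]

if __name__ == "__main__":
    for bind_addr in ("127.0.0.1", "0.0.0.0"):
        for target, ok in probe(bind_addr, TARGETS).items():
            print(f"bound to {bind_addr:<9} connect to {target}: "
                  f"{'accepted' if ok else 'refused'}")
```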

