On 08.01.2010 16:56, Manuel Reimer wrote:
> -------- Original-Nachricht --------
>> Datum: Fri, 08 Jan 2010 14:57:12 +0100
>> Von: Klaus Schmidinger <klaus.schmidin...@tvdr.de>
>> An: VDR Mailing List <vdr@linuxtv.org>
>> Betreff: Re: [vdr] [Patch] Allow to limit SVDRP port to given IP
>> What about svdrphosts.conf?
> It just denies someone to access. The port is still available, accessible and 
> in worst case also attackable. IIRC it is even required to accept the 
> connection at first, to find out the IP of the computer, which tries to 
> access and then to drop the connection in a second step. IMHO the better way, 
> from the security standpoint, is to get the port closed, so a potential 
> attacker isn't able to get to it at all. Most other daemons, which open 
> ports, allow such configuration, like cups, apache and others.
> svdrphosts.conf, of course, still is needed for fine-configuration of allowed 
> hosts (other daemons also have this), but limiting the port to localhost 
> would be the better alternative to just disabling svdrp by setting the port 
> to zero, as currently recommended in the INSTALL file. If someone wants to 
> configure his system to have a minimum of ports opened to the outside world 
> (like me), then *disabling* svdrp is never a good solution, as this breaks 
> scripts and other external features.
> The only thing, I'm unsure about, is, if we really need to specify an IP. A 
> simple switch like "--svdrp-localhost" (or similar) would also do the job. 
> But my first solution has the advantage, that there is no additional switch 
> needed.

How about this: if svdrphosts.conf contains only one single IP number, then
open the port for only that IP number. Otherwise i needs to be opened generally,

BTW: please don't CC: me - I am subscribed to the list ;-)


vdr mailing list

Reply via email to