On 08.01.2010 16:56, Manuel Reimer wrote:
> -------- Original Message --------
>> Date: Fri, 08 Jan 2010 14:57:12 +0100
>> From: Klaus Schmidinger <klaus.schmidin...@tvdr.de>
>> To: VDR Mailing List <vdr@linuxtv.org>
>> Subject: Re: [vdr] [Patch] Allow to limit SVDRP port to given IP
>
> >> What about svdrphosts.conf?
>
> It just denies someone to access. The port is still available, accessible and
> in worst case also attackable. IIRC it is even required to accept the
> connection at first, to find out the IP of the computer, which tries to
> access and then to drop the connection in a second step. IMHO the better way,
> from the security standpoint, is to get the port closed, so a potential
> attacker isn't able to get to it at all. Most other daemons, which open
> ports, allow such configuration, like cups, apache and others.
>
> svdrphosts.conf, of course, still is needed for fine-configuration of allowed
> hosts (other daemons also have this), but limiting the port to localhost
> would be the better alternative to just disabling svdrp by setting the port
> to zero, as currently recommended in the INSTALL file. If someone wants to
> configure his system to have a minimum of ports opened to the outside world
> (like me), then *disabling* svdrp is never a good solution, as this breaks
> scripts and other external features.
>
> The only thing, I'm unsure about, is, if we really need to specify an IP. A
> simple switch like "--svdrp-localhost" (or similar) would also do the job.
> But my first solution has the advantage, that there is no additional switch
> needed.

How about this: if svdrphosts.conf contains only one single IP number, then
open the port for only that IP number. Otherwise it needs to be opened
generally, anyway.

BTW: please don't CC: me - I am subscribed to the list ;-)

Klaus
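
The rule suggested in this message, sketched as an added example (not code from VDR or from either poster): read the host list, and bind the listener to a single address only when the list holds exactly one plain IP. The function names `svdrp_bind_addr` and `svdrp_listen` are hypothetical, the file format (one address or address/bits per line, `#` comments) is an assumption, and binding succeeds only when that one address is local to the machine, such as 127.0.0.1.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pick the listen address from svdrphosts.conf-style text (assumed format: one
 * "a.b.c.d" or "a.b.c.d/bits" entry per line, '#' starts a comment).
 * Exactly one plain address: bind to it. Anything else: INADDR_ANY. */
struct in_addr svdrp_bind_addr(const char *conf)
{
    struct in_addr any = { htonl(INADDR_ANY) }, one = any;
    int entries = 0;
    char line[128];
    while (*conf) {
        size_t n = strcspn(conf, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, conf);  /* copy one line */
        conf += n + (conf[n] == '\n');
        line[strcspn(line, "#")] = '\0';       /* strip comment */
        char *tok = strtok(line, " \t\r");     /* first word on the line */
        if (!tok) continue;                    /* blank or comment-only line */
        if (++entries > 1 || strchr(tok, '/') || inet_pton(AF_INET, tok, &one) != 1)
            return any;   /* several hosts, a network, or junk: host check after accept() still applies */
    }
    return entries == 1 ? one : any;
}

/* Open the listener on that address; returns the socket or -1. */
int svdrp_listen(struct in_addr addr, unsigned short port)
{
    struct sockaddr_in sa = { 0 };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr = addr;                        /* a non-local address fails in bind() */
    if (fd >= 0 && (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0)) {
        close(fd);
        fd = -1;
    }
    return fd;
}

int main(void)
{
    struct in_addr a = svdrp_bind_addr("# constructed sample\n127.0.0.1\n");
    int fd = svdrp_listen(a, 0);               /* port 0: any free port, demo only */
    printf("%s: %s\n", inet_ntoa(a), fd >= 0 ? "listening" : "bind failed");
    return fd < 0;
}
```

With the listener bound to 127.0.0.1, connection attempts from other hosts are refused by the kernel before the daemon ever calls accept(); with INADDR_ANY the per-host check can only run after the connection has been accepted.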