Re: Listening Ports



* Alexander Reelsen (ref@tretmine.org) [010910 01:24]:
> On Sun, Sep 09, 2001 at 06:31:57PM -0400, hpknight wrote:
> > It depends on the process that is binding the port.  If you're using
> > xinetd you can specify which interface to bind the port on.  If the
> > program/daemon doesn't allow you to specify interfaces, then you're stuck
> > .. unless you want to do some fancy stuff with ipchains/iptables to
> > redirect ports, or hack up the daemon.
> inetd also has this feature (not very well documented).
> use service@ip in inetd.conf in order to use that feature.
How's that? In my example, I'd like exim to bind only to the loopback
interface. I tried each of these two lines, with the error from
/var/log/daemon.log following each:

smtp@127.0.0.1         stream  tcp     nowait  mail    /usr/sbin/exim exim -bs

Sep 10 17:32:28 gobo inetd[14915]: smtp@127.0.0.1/tcp: unknown service

smtp@lo         stream  tcp     nowait  mail    /usr/sbin/exim exim -bs

Sep 10 17:42:11 gobo inetd[14992]: smtp@lo/tcp: unknown service

This is on sid, with
ii  netkit-inetd             0.10-8                   The Internet Superserver

I googled around for a while and found no mention anywhere of the
functionality you mention in inetd. If you know how, I'd appreciate it.

> xinetd is nicer, anyway :-)

Agreed. The other boxes I admin use xinetd.

> 
> First binding then firewalling is a bad idea, someone might be able to
> access that service via spoofing or other dirty tricks...

Agreed again. I generally like to bind only to the interface I want to
receive connections on, and in addition, use tcp wrappers and firewall
rules to make for redundant security.


-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'
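Whichever way a daemon is told to bind, the check that matters is what actually ends up listening on every interface. The following is an added example, not from this thread: it parses lines in /proc/net/tcp format and flags TCP listeners bound to 0.0.0.0 rather than a specific address such as 127.0.0.1. The sample table is constructed; port 25 is bound to loopback only, while 22 and 80 are bound on all interfaces.

```python
"""Audit which TCP listeners are bound to all interfaces (0.0.0.0) versus a
specific address such as 127.0.0.1, by parsing /proc/net/tcp format lines."""
import socket

LISTEN_STATE = "0A"  # TCP_LISTEN as shown in the 'st' column of /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
# Addresses are hex, little-endian: 0100007F:0019 is 127.0.0.1 port 25.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     8        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A000001:0050 0A000002:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""


def parse_hex_addr(field):
    """Turn 'AABBCCDD:PPPP' into ('d.c.b.a' dotted quad, port)."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)[::-1]  # kernel stores IPv4 little-endian
    return socket.inet_ntoa(raw), int(port_hex, 16)


def listening_sockets(text):
    """Return [(ip, port, uid)] for every socket in LISTEN state."""
    result = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN_STATE:
            continue
        ip, port = parse_hex_addr(fields[1])
        result.append((ip, port, int(fields[7])))
    return result


def wildcard_listeners(text):
    """Listeners bound to 0.0.0.0, i.e. reachable on every interface."""
    return [entry for entry in listening_sockets(text) if entry[0] == "0.0.0.0"]


def audit(path="/proc/net/tcp"):
    """Run the same check against a live system's /proc/net/tcp."""
    with open(path) as f:
        return wildcard_listeners(f.read())


if __name__ == "__main__":
    for ip, port, uid in wildcard_listeners(SAMPLE_PROC_NET_TCP):
        print(f"{ip}:{port} (uid {uid}) is bound on all interfaces")
```

Run `audit()` on a live box and compare the result against the interfaces you intended each daemon to listen on; IPv6 listeners live in /proc/net/tcp6 and are not covered here.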
