[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Can a daemon listen only on some interfaces?

On Sat, Dec 08, 2001 at 01:25:16PM +0200, Michael Wood wrote:
> Hi
> On Sat, Dec 08, 2001 at 07:40:06PM +1000, mdevin@ozemail.com.au wrote:
> [snip]
> > So, what I can figure out is that it seems that I have only
> > the following daemons listening: postfix, sshd, cupsd,
> > XF86_SVGA, portmap.
> > 
> > I have only deliberately decided to run postfix, sshd and
> > cupsd.  Everything in /etc/inetd.conf is hashed out.  In fact
> > I renamed the file so that it is not accessed at all.
> Commenting everything out should be sufficient.

Yep did that too.  Do you think I should move the completely commented
file back to /etc/inetd.conf?
> > The only ones I didn't know about in this list are portmap and
> > XF86_SVGA.  Firstly, I can't seem to find the config file for
> > X where you set the --nolisten parameter - but I have not
> > unset this at any stage and I thought Debian did this by
> Make sure your /etc/X11/xinit/xserverrc contains something like
> this:
> #!/bin/sh
> exec /usr/bin/X11/X -dpi 100 -nolisten tcp

Hmmm.  This file did not exist on my computer.  I don't know why.  I
just assumed that it would have the nolisten parameter as default.  I
remember reading somewhere that Debian did this - but I guess I did not

In any case, I created the file with just the 2 lines you have above and
then stopped and restarted X.  It seems to have fixed that (see below).

> > default.  Secondly, I guess everyone needs portmap it seems,
> > so I can't turn this off or some things won't work.  Someone
> > please educate me here.
> No.  You do not need portmap unless you're using NFS or
> something like that.  (i.e. SUN RPC services.)  portmap is
> started by /etc/init.d/portmap when your machine boots.  Disable
> it.  (Why was portmap part of net-base to begin with?)
> It you're using testing/unstable, portmap is in it's own package
> (called portmap) and you should be able to uninstall it.

I couldn't find the portmap package.  I am running potato with 2.4
kernel stuff from Adrian Bunk's site.  I did apt-cache search portmap -
but only found "scotty".  Which is not installed on my system.  Then I
did some google searches to see if I could remove the package it is in,
but couldn't find anything.

In the end I just did:
update-rc.d -f portmap remove
And that fixed it (see below).  But I would prefer to remove the whole
program from my system if that can be done with a simple apt-get remove
--purge command.
> > So my question is:
> > Is there some way to make certain daemons, (say postfix)
> > listen only on some interfaces?  For example, I have
> > everything firewalled from outside, so I really only need
> > postfix to listen on the loopback interface for local
> > connections.  Is this possible?
> It's technically possible, but this depends on if the particular
> daemon has support for this.  Postfix does.
> Just put a line like this in main.conf:
> inet_interfaces = localhost
> > Then netstat -ln might show something like:
> > tcp        0      0* LISTEN
> [snip]
> Well, not quite :)  Here's what it looks like:
> Proto Recv-Q Send-Q Local Address  Foreign Address State      
> tcp        0      0*       LISTEN

Ahhh.  Thanks for that.  I put that line in my main.cf for postfix and
did a reload.
> I have no idea if cups supports binding to a particular
> interface, but the documentation should tell you.  If you can't
> figure out how to do it or it's not possible without modifying
> the source, you should use ipchains/iptables to restrict access
> to the port it uses.

I just did a bit more looking into this and found that indeed CUPS does
allow you to specify which interfaces it listens on.  I put the
following line in /etc/cups/cupsd.conf
and that seems to have fixed that.
> I hope this helps.

Thanks a lot - it was very helpful and educational.

Now here is the output of netstat -ln (looking much better):

# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State      
tcp        0      0*       LISTEN      
tcp        0      0*       LISTEN      
tcp        0      0*       LISTEN      
Active UNIX domain sockets (only servers)
Proto RefCnt Flags   Type   State     I-Node Path
unix  2      [ ACC ] STREAM LISTENING 69748  private/cleanup
unix  2      [ ACC ] STREAM LISTENING 69755  private/rewrite
unix  2      [ ACC ] STREAM LISTENING 69759  private/bounce
unix  2      [ ACC ] STREAM LISTENING 69763  private/defer
unix  2      [ ACC ] STREAM LISTENING 69771  public/showq
unix  2      [ ACC ] STREAM LISTENING 69767  private/smtp
unix  2      [ ACC ] STREAM LISTENING 69775  private/error
unix  2      [ ACC ] STREAM LISTENING 69779  private/local
unix  2      [ ACC ] STREAM LISTENING 69783  private/cyrus
unix  2      [ ACC ] STREAM LISTENING 69787  private/uucp
unix  2      [ ACC ] STREAM LISTENING 69791  private/ifmail
unix  2      [ ACC ] STREAM LISTENING 69795  private/bsmtp
unix  2      [ ACC ] STREAM LISTENING 1010   /dev/log
unix  2      [ ACC ] STREAM LISTENING 1226   /dev/gpmctl
unix  2      [ ACC ] STREAM LISTENING 64908  /tmp/.X11-unix/X0
unix  2      [ ACC ] STREAM LISTENING 64934  /tmp/ssh-JywB5237/agent.5237

Ahhh.  That looks much better.  Now it seems that the only daemon
listening on the internet side of my computer is ssh.

I do want sshd to listen on all ( but I would like to find a way
to make it only accept connection attempts for a certain user from the
internet but still allow several other users to connect from the LAN.  I
do know how to make it accept connections for only certain users - by
using the AllowUsers config item in /etc/ssh/sshd_config.  But this
allows all the users specified, to connect on all interfaces ssh listens
on, which is not what I want ideally.  What would be better, is to allow
several from the LAN to connect but only one (me) from the internet.
This doesn't seem possible from my reading so far.  Oh well.

Thanks for the educational points.


Attachment: pgpuoyK3dPvRc.pgp
Description: PGP signature

Reply to: