
Re: Can a daemon listen only on some interfaces?



On Sat, Dec 08, 2001 at 01:40:06AM -0800, mdevin@ozemail.com.au wrote:
> After reading a previous thread about stopping services from listening
> on certain ports, I decided to investigate things a little further for
> my system.
> So, what I can figure out is that it seems that I have only the
> following daemons listening: postfix, sshd, cupsd, XF86_SVGA, portmap.
> I have only deliberately decided to run postfix, sshd and cupsd.
> Everything in /etc/inetd.conf is hashed out.  In fact I renamed the file
> so that it is not accessed at all.

    Better just not to start inetd at all. man inetd and update-rc.d 

> The only ones I didn't know about in this list are portmap and
> XF86_SVGA.  Firstly, I can't seem to find the config file for X where
> you set the --nolisten parameter - but I have not unset this at any
> stage and I thought Debian did this by default.  Secondly, I guess
> everyone needs portmap it seems, so I can't turn this off or some things
> won't work.  Someone please educate me here.

    Can't help with the X thing, IMO nothing running X should be talking
    directly to an untrusted network (clarification, X runs on
    workstations, workstations should not be run directly on untrusted
    networks as they have *users* on them, and users do stupid things,
    even sysadmins do stupid things as users sometimes). 

    But, as far as portmap, well, man portmap to start, but if you're
    not using NIS, NFS and the like (anything that would need portmap)
    then disable it. (hint: /etc/init.d/portmap, man update-rc.d).  

> 
> So my question is:
> Is there some way to make certain daemons, (say postfix) listen only on
> some interfaces?  For example, I have everything firewalled from

    This is per-daemon. Some can (named, apache, IIRC postfix), some
    cannot (I assume, but I don't know any off the top of my head). 

> outside, so I really only need postfix to listen on the loopback
> interface for local connections.  Is this possible?

    If postfix isn't dealing with incoming mail (i.e. from another
    machine) then it doesn't need to run as a daemon at all. At least
    sendmail didn't, and I assume postfix could mimic this behavior.
    Just run it out of cron for delivery. 

-- 
Share and Enjoy. 
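
An added example, not part of the original message: one way to audit the question raised in the thread, by sorting TCP listeners into those bound to every interface, to loopback only, or to one specific address. The function names `classify_listeners` and `exposed_listeners` are hypothetical, the input is assumed to be in the layout of Linux net-tools `netstat -ltnp`, and the sample data is constructed.

```shell
#!/bin/sh
# Added example. Input layout assumed: Linux net-tools `netstat -ltnp`
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program

# Constructed sample, not captured from any real host.
SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp   0  0  0.0.0.0:111       0.0.0.0:*  LISTEN  201/portmap
tcp   0  0  0.0.0.0:6000      0.0.0.0:*  LISTEN  412/XF86_SVGA
tcp   0  0  0.0.0.0:22        0.0.0.0:*  LISTEN  305/sshd
tcp   0  0  0.0.0.0:25        0.0.0.0:*  LISTEN  350/master
tcp   0  0  127.0.0.1:631     0.0.0.0:*  LISTEN  330/cupsd
tcp   0  0  192.168.1.10:53   0.0.0.0:*  LISTEN  280/named
tcp6  0  0  :::22             :::*       LISTEN  305/sshd
'

# Print "SCOPE PORT HOST PROGRAM" for every listening TCP socket.
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        # Split host from port at the last colon, so ":::22" gives host "::".
        if (!match($4, /:[0-9]+$/)) next
        host = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        prog = ($7 == "") ? "-" : $7
        sub(/^[0-9]+\//, "", prog)          # drop the "PID/" prefix
        if (host == "0.0.0.0" || host == "::")        scope = "ALL"
        else if (host ~ /^127\./ || host == "::1")    scope = "LOOPBACK"
        else                                          scope = "SPECIFIC"
        print scope, port, host, prog
    }'
}

# Only the wildcard listeners: the ones reachable on every interface.
exposed_listeners() {
    classify_listeners | awk '$1 == "ALL" { print $2, $4 }' | sort -u | sort -n
}

printf '%s' "$SAMPLE" | classify_listeners
# On a live system (as root, so program names are shown):
#   netstat -ltnp | exposed_listeners
```

Anything reported as `ALL` is a candidate for either disabling or rebinding through that daemon's own configuration, since the bind address is a per-daemon setting.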


