
Re: Fw: Can a daemon listen only on some interfaces?



At 09.12.2001, mdevin@ozemail.com.au wrote:
[...]
> And thanks for all the replies.  In fact I was most interested to hear
> that you could not make daemons listen on only one interface but you
> could make them bind to an IP address range.  I guess that is what I
> achieved in my postfix main.cf file with the line:
> inet_interfaces = localhost

Yes, if you take a look with "netstat -ln | grep 25" you will see
something like this:

tcp        0      0 127.0.0.1:25              0.0.0.0:*    LISTEN

This means that the service is listening on 127.0.0.1. The interface is
"lo". If an attacker in the same network sets a route like this:

        127.0.0.1  Gateway <your official ip address>   Interface <his
        external interface>

he can reach your service bound to 127.0.0.1. And this without
activating ip_forward on your computer!

This is easy to circumvent with ipchains or iptables.

Regards, Guido
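As an added example (not part of Guido's message or the postfix project), the following POSIX shell script does the two defensive checks the thread touches on: it audits a "netstat -ln"-style listing for services listening beyond 127.0.0.0/8, and it prints the iptables rules that confine loopback addresses to the "lo" interface. The netstat listing embedded in the script is constructed sample input (the 192.168.1.10 address and the port set are made up), and the rules are printed rather than applied so the script runs without root.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post.
# Constructed sample of "netstat -ln" output (not captured from a real host).
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:25              0.0.0.0:*    LISTEN
tcp        0      0 0.0.0.0:22                0.0.0.0:*    LISTEN
tcp        0      0 192.168.1.10:80           0.0.0.0:*    LISTEN
udp        0      0 127.0.0.1:53              0.0.0.0:*
udp        0      0 0.0.0.0:123               0.0.0.0:*'

# Read netstat-style rows on stdin and print "proto local_addr" for every
# listener whose local address is outside 127.0.0.0/8. TCP rows count only
# in state LISTEN; UDP rows carry no state column, so every udp row counts.
audit_listeners() {
    awk '
        ($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            split($4, parts, ":")
            if (parts[1] !~ /^127\./) print $1, $4
        }'
}

# Number of listeners the audit flags for the rows given on stdin.
count_exposed() {
    audit_listeners | wc -l | tr -d " "
}

# iptables rules enforcing that 127.0.0.0/8 is only reachable via "lo":
# accept loopback traffic on lo, drop anything addressed to or claiming to
# come from 127.0.0.0/8 that arrives on any other interface.
# Printed, not executed; run the output as root to apply it.
loopback_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
EOF
}

if [ "${1:-}" = "--demo" ]; then
    echo "Listeners reachable beyond loopback (sample data):"
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
    echo
    echo "Firewall rules to confine 127.0.0.0/8 to lo:"
    loopback_rules
fi
```

Run it with `--demo` to see both outputs on the sample data; on a real host, pipe `netstat -ln` (or `ss -ln`, whose columns differ) into `audit_listeners` instead of the sample. The third rule is the anti-spoofing companion of the second: a packet with a 127.0.0.0/8 source arriving on a non-loopback interface has no legitimate origin either.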
