
Re: Can a daemon listen only on some interfaces?



Hi

On Sat, Dec 08, 2001 at 07:40:06PM +1000, mdevin@ozemail.com.au wrote:
[snip]
> So, what I can figure out is that it seems that I have only
> the following daemons listening: postfix, sshd, cupsd,
> XF86_SVGA, portmap.
> 
> I have only deliberately decided to run postfix, sshd and
> cupsd.  Everything in /etc/inetd.conf is hashed out.  In fact
> I renamed the file so that it is not accessed at all.

Commenting everything out should be sufficient.

> The only ones I didn't know about in this list are portmap and
> XF86_SVGA.  Firstly, I can't seem to find the config file for
> X where you set the --nolisten parameter - but I have not
> unset this at any stage and I thought Debian did this by

Make sure your /etc/X11/xinit/xserverrc contains something like
this:

#!/bin/sh
exec /usr/bin/X11/X -dpi 100 -nolisten tcp

> default.  Secondly, I guess everyone needs portmap it seems,
> so I can't turn this off or some things won't work.  Someone
> please educate me here.

No.  You do not need portmap unless you're using NFS or
something like that.  (i.e. SUN RPC services.)  portmap is
started by /etc/init.d/portmap when your machine boots.  Disable
it.  (Why was portmap part of net-base to begin with?)

If you're using testing/unstable, portmap is in its own package
(called portmap) and you should be able to uninstall it.

> So my question is:
> Is there some way to make certain daemons, (say postfix)
> listen only on some interfaces?  For example, I have
> everything firewalled from outside, so I really only need
> postfix to listen on the loopback interface for local
> connections.  Is this possible?

It's technically possible, but this depends on if the particular
daemon has support for this.  Postfix does.

Just put a line like this in main.conf:

inet_interfaces = localhost

> Then netstat -ln might show something like:
> tcp        0      0 0.0.0.0:25   127.0.0.1:* LISTEN
[snip]

Well, not quite :)  Here's what it looks like:

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      

I have no idea if cups supports binding to a particular
interface, but the documentation should tell you.  If you can't
figure out how to do it or it's not possible without modifying
the source, you should use ipchains/iptables to restrict access
to the port it uses.

I hope this helps.

-- 
Michael Wood <mwood@its.uct.ac.za>
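As an added example that is not part of the original thread: a small sh/awk audit that reads a `netstat -ln` listing in the format shown above and reports every listening socket bound to a wildcard address (0.0.0.0 or ::), i.e. one still reachable from non-loopback interfaces. The listing embedded below is constructed for the example, and it assumes `awk` and a netstat whose columns match the quoted output.

```shell
#!/bin/sh
# Added example, not from the original thread: flag listening sockets that
# are bound to a wildcard address and therefore answer on every interface,
# as opposed to loopback-only bindings such as "127.0.0.1:25" above.
# The listing below is constructed, not captured from a real host.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::6000                 :::*                    LISTEN'

# Read a netstat -ln listing on stdin and print "proto port" for each
# TCP socket in LISTEN state, or UDP socket, whose local address is a
# wildcard.  The port is the text after the last ":"; the host part is
# whatever precedes it, which also handles the IPv6 form ":::6000".
wildcard_listeners() {
    awk '($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::")
            print $1, port
    }'
}

# Run the audit over the constructed sample so the result can be checked.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
}

# On a live host:  netstat -ln | wildcard_listeners
```

Anything this prints is a candidate for either a daemon-level bind option (like the Postfix `inet_interfaces` setting above) or an ipchains/iptables rule on that port.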