Re: Can a daemon listen only on some interfaces?
Hi
On Sat, Dec 08, 2001 at 07:40:06PM +1000, mdevin@ozemail.com.au wrote:
[snip]
> So, what I can figure out is that it seems that I have only
> the following daemons listening: postfix, sshd, cupsd,
> XF86_SVGA, portmap.
>
> I have only deliberately decided to run postfix, sshd and
> cupsd. Everything in /etc/inetd.conf is hashed out. In fact
> I renamed the file so that it is not accessed at all.
Commenting everything out should be sufficient.
> The only ones I didn't know about in this list are portmap and
> XF86_SVGA. Firstly, I can't seem to find the config file for
> X where you set the --nolisten parameter - but I have not
> unset this at any stage and I thought Debian did this by
Make sure your /etc/X11/xinit/xserverrc contains something like
this:
#!/bin/sh
exec /usr/bin/X11/X -dpi 100 -nolisten tcp
> default. Secondly, I guess everyone needs portmap it seems,
> so I can't turn this off or some things won't work. Someone
> please educate me here.
No. You do not need portmap unless you're using NFS or
something like that. (i.e. SUN RPC services.) portmap is
started by /etc/init.d/portmap when your machine boots. Disable
it. (Why was portmap part of net-base to begin with?)
If you're using testing/unstable, portmap is in its own package
(called portmap) and you should be able to uninstall it.
> So my question is:
> Is there some way to make certain daemons, (say postfix)
> listen only on some interfaces? For example, I have
> everything firewalled from outside, so I really only need
> postfix to listen on the loopback interface for local
> connections. Is this possible?
It's technically possible, but this depends on if the particular
daemon has support for this. Postfix does.
Just put a line like this in main.conf:
inet_interfaces = localhost
> Then netstat -ln might show something like:
> tcp 0 0 0.0.0.0:25 127.0.0.1:* LISTEN
[snip]
Well, not quite :) Here's what it looks like:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
I have no idea if cups supports binding to a particular
interface, but the documentation should tell you. If you can't
figure out how to do it or it's not possible without modifying
the source, you should use ipchains/iptables to restrict access
to the port it uses.
I hope this helps.
--
Michael Wood <mwood@its.uct.ac.za>
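The verification step the reply ends on, as an added shell example that is not part of the original thread: feed `netstat -ln` style output through a small audit that reports every listening socket not bound to the loopback address, so you can see at a glance which daemons are still reachable on every interface. The sample output is constructed to mirror the daemons named in the thread (postfix on 25 bound to localhost, sshd on 22, portmap on 111, an X server on 6000, cupsd on 631); the function names `classify_listener` and `exposed_ports` are mine, not tools from the thread.

```shell
#!/bin/sh
# Added example (not from the original message): audit "netstat -ln" output
# and flag listening sockets that are bound to all interfaces instead of
# loopback. Column layout follows the reply's own netstat excerpt:
#   Proto Recv-Q Send-Q Local Address Foreign Address State

# Constructed sample standing in for a real "netstat -ln" run.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:111 0.0.0.0:*'

# classify_listener ADDRESS: print "loopback", "all" or "specific" for the
# local address part of a netstat line (IPv4 and IPv6 wildcard forms).
classify_listener() {
    case "$1" in
        127.*|::1)          echo loopback ;;
        0.0.0.0|::|'*')     echo all ;;
        *)                  echo specific ;;
    esac
}

# exposed_ports: read netstat-style lines on stdin and print
# "proto port address" for every listening socket not bound to loopback.
# UDP sockets have no LISTEN state, so they are always reported.
exposed_ports() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }                 # skip the header line
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }      # tcp: listeners only
        {
            n = split($4, parts, ":")              # last field is the port
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr !~ /^127\./ && addr != "::1")
                print $1, port, addr
        }'
}

# Run against the constructed sample; replace with: netstat -ln | exposed_ports
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
```

Everything this prints is a service the local firewall, not the daemon's own bind address, is protecting. After the `inet_interfaces = localhost` change the thread describes, the port 25 line drops out of the report because it is bound to 127.0.0.1; portmap on 111 and an X server still listening on 6000 would remain until they are disabled or started with `-nolisten tcp`.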