
Re: Fw: Can a daemon listen only on some interfaces?



----- Original Message -----
From: Guido Hennecke <g.hennecke@t-online.de>
To: <debian-security@lists.debian.org>
Sent: Sunday, December 09, 2001 8:14 AM
Subject: Re: Fw: Can a daemon listen only on some interfaces?


> At 09.12.2001, mdevin@ozemail.com.au wrote:
> [...]
> > And thanks for all the replies.  In fact I was most interested to hear
> > that you could not make daemons listen on only one interface but you
> > could make them bind to an IP address range.  I guess that is what I
> > achieved in my postfix main.cf file with the line:
> > inet_interfaces = localhost
>
> Yes, if you take a look with "netstat -ln | grep 25" you will see
> something like that:
>
> tcp        0      0 127.0.0.1:25              0.0.0.0:*    LISTEN
>
> This means that the service is listening on 127.0.0.1. The interface is
> "lo". If an attacker in the same network sets a route like that:
>
>         127.0.0.1  Gateway <your official ip address>   Interface <his
>         external interface>
Couldn't this be countered with:
ipchains -A input -i ! lo -d 127.0.0.1 -j DENY
?

Phil
>
> he can reach your service bound to 127.0.0.1. And this without
> activating ip_forward on your computer!
>
> This is easy to circumvent with ipchains or iptables.
>
> Regards, Guido
>
>
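As an added example (not from either poster), here is a small audit script that parses the "netstat -ln" output format quoted above and reports which daemons are bound to loopback only, to a specific address, or to all addresses (0.0.0.0 / ::). The sample output is constructed; as the thread points out, a loopback-only bind still relies on a packet filter dropping 127.0.0.0/8 traffic that arrives on a non-loopback interface.

```python
import re
from typing import List, NamedTuple

# Constructed sample of "netstat -ln" output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN
tcp6       0      0 :::631                  :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
Active UNIX domain sockets (only servers)
unix  2      [ ACC ]     STREAM     LISTENING     1234   /var/run/x
"""

class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    scope: str   # "loopback", "all", or "specific"

def classify(address: str) -> str:
    """Map a bound address to how widely the socket is reachable."""
    if address in ("0.0.0.0", "::"):
        return "all"
    if address.startswith("127.") or address == "::1":
        return "loopback"
    return "specific"

# proto, recv-q, send-q, then local address "addr:port" (IPv6 addresses
# contain ':' themselves, so the port is taken from the last colon).
_LINE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s")

def parse_netstat(text: str) -> List[Listener]:
    """Return one Listener per bound TCP/UDP socket in netstat -ln output."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue   # headers, UNIX-domain sockets, other noise
        proto, addr, port = m.groups()
        if port == "*":
            continue
        out.append(Listener(proto, addr, int(port), classify(addr)))
    return out

def exposed(listeners: List[Listener]) -> List[Listener]:
    """Sockets reachable on non-loopback addresses: review their bind
    address (e.g. postfix inet_interfaces) or add a packet-filter rule."""
    return [l for l in listeners if l.scope != "loopback"]
```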