Re: Fw: Can a daemon listen only on some interfaces?
----- Original Message -----
From: Guido Hennecke <g.hennecke@t-online.de>
To: <debian-security@lists.debian.org>
Sent: Sunday, December 09, 2001 8:14 AM
Subject: Re: Fw: Can a daemon listen only on some interfaces?
> At 09.12.2001, mdevin@ozemail.com.au wrote:
> [...]
> > And thanks for all the replies. In fact I was most interested to hear
> > that you could not make daemons listen on only one interface but you
> > could make them bind to an IP address range. I guess that is what I
> > achieved in my postfix main.cf file with the line:
> > inet_interfaces = localhost
>
> Yes, if you take a look with "netstat -ln | grep 25" you will see
> something like that:
>
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
>
> This means, that the service is listening on 127.0.0.1. The Interface is
> "lo". If an attacker in the same network sets a route like that:
>
> 127.0.0.1 Gateway <your official ip address> Interface <his
> externel interface>
Couldn't this be countered with:
ipchains -i !lo -d 127.0.0.1 -j DENY
?
Phil
>
> he can reach your service bound to 127.0.0.1. And this without
> activating ip_forward on your computer!
>
> This is easy to circumvent with ipchains or iptables.
>
> Regards, Guido
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
>
>
>
Reply to: