Subject: Re: Host access philosophy (Was: restricting NFS (and associated services) to one IP address)
To: Matthew Orgass <darkstar@city-net.com>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 10/11/2006 17:50:15


>>>>> "Matthew" == Matthew Orgass <darkstar@city-net.com> writes:
    Thor> I think that if we provided sane primitives for discovering
    Thor> the set of valid destination addresses for a host, and binding
    Thor> a socket so that it would receive packets on _some addresses_
    Thor> (not one, and not all) it would be easy to add the kind of
    Thor> access control you seem to want (and which a lot of other
    Thor> people would probably like as well) to our applications.

    Thor> In this case, we would add it to mountd, rpcbind, and the
    Thor> in-kernel NFS server.  It would be a nice example of the
    Thor> interface, actually.

    >> I agree strongly.

    Matthew>   But should individual applications need to know about it?
  
  The "127.0.0.2" hack means that an application can pick one of three
things:
	a) 0.0.0.0 (present case)
	b) specific IP (often available, but NOT ALWAYS)

  Our mountd/etc. needs to have (b) added, at a minimum.

    Matthew> An alternative would be to let, say, inetd determine this
    Matthew> even for separate servers and provide a notification
    Matthew> interface if the server really needs to know what
    Matthew> interface/address(s) it is listening on.

  That sounds really complicated, but maybe I'm misunderstanding you.

-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
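Added example, not code from this thread or from NetBSD: with only cases (a) and (b) available to an application today, listening on "some addresses, not one and not all" can be emulated by opening one socket per allowed address on the same port. The function names, the IPv4/TCP choice and the POSIX socket API are assumptions of this example.

```c
/* Added example (not from the thread): emulate "bind to some addresses"
 * by opening one listening socket per allowed address, instead of
 * INADDR_ANY (0.0.0.0), which accepts on every interface.
 * Assumes POSIX sockets and IPv4/TCP; addresses and port are caller-supplied. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind one TCP listener to a single IPv4 address (case (b) above).
 * Returns the socket fd, or -1 on any failure. */
int bind_listener(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int fd;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return -1;                      /* reject malformed addresses */
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Bind to a set of addresses: one socket each, all on the same port.
 * On any failure every socket opened so far is closed and -1 is
 * returned, so the service is never left listening on a partial set.
 * Returns the number of sockets opened (== n) on success. */
int bind_address_set(const char *const *addrs, size_t n,
                     unsigned short port, int *fds)
{
    size_t i, j;

    for (i = 0; i < n; i++) {
        fds[i] = bind_listener(addrs[i], port);
        if (fds[i] < 0) {
            for (j = 0; j < i; j++)
                close(fds[j]);
            return -1;
        }
    }
    return (int)n;
}
```

The caller then polls all returned descriptors; anything arriving on an address outside the set never reaches the service because no socket is bound there.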


