Subject: Re: Host access philosophy (Was: restricting NFS (and associated services) to one IP address)
To: Matthew Orgass <darkstar@city-net.com>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 10/11/2006 17:50:15
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
>>>>> "Matthew" == Matthew Orgass <darkstar@city-net.com> writes:
Thor> I think that if we provided sane primitives for discovering
Thor> the set of valid destination addresses for a host, and binding
Thor> a socket so that it would receive packets on _some addresses_
Thor> (not one, and not all) it would be easy to add the kind of
Thor> access control you seem to want (and which a lot of other
Thor> people would probably like as well) to our applications.
Thor> In this case, we would add it to mountd, rpcbind, and the
Thor> in-kernel NFS server. It would be a nice example of the
Thor> interface, actually.
>> I agree strongly.
Matthew> But should individual applications need to know about it?
The "127.0.0.2" hack means that an application can pick one of three
things:
a) 0.0.0.0 (present case)
b) specific IP (often available, but NOT ALWAYS)
Our mountd/etc. needs to have (b) added, at a minimum.
Matthew> An alternative would be to let, say, inetd determine this
Matthew> even for separate servers and provide a notification
Matthew> interface if the server really needs to know what
Matthew> interface/address(s) it is listening on.
That sounds really complicated, but maybe I'm misunderstanding you.
- --
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Finger me for keys
iQEVAwUBRS1nFICLcPvd0N1lAQLQlgf/SNsCSTg0pXvJveR+h3x9nKGKzruioIOZ
iapbbtmM89N3oQXuztV2dxw0ZxqE5h6cCs5/cmmyR/bJsqcsvk9OHpbpTCZjiI6i
AP4iBcz4IuCRGOYBi6ckAAh1vp+w1K+VZ5NUfB6L+QiVC8TqKhioQJXQrZZFyWmN
ycahdaC0Xk8Y3yvcWiJbiBw9pggrZ+FnaYDkXvsTkTXjxHi9YBdd3KvbkUNHMzUO
mev7EfuAJa/fr6J66lCA0MKyOl8xfpFE9noAgW5+djpVILE6RXaTYmlrROSm1/i1
+5TvRmjNj4yYiEpOY46ntTysQFGnu0dXt7HfuOXBhFxTKkO7bOlOBA==
=C98M
-----END PGP SIGNATURE-----
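The two binding choices discussed above, (a) 0.0.0.0 versus (b) one specific address, plus the "discover the set of valid destination addresses" primitive, as an added C example that is not part of the thread and not NetBSD's mountd/rpcbind code. It uses only standard BSD socket calls (getifaddrs(3), bind(2), getsockname(2)); the function names list_local_ipv4, listen_on_address and bound_to_specific_address are this example's own. It binds to 127.0.0.1 on an ephemeral port so it runs on any host, and then reports whether the resulting socket is reachable on every address (INADDR_ANY) or only the one it asked for.

```c
/* Added example (not from the thread): enumerate a host's IPv4 addresses
 * with getifaddrs(3) and bind a listener to one specific address instead
 * of 0.0.0.0 (INADDR_ANY).  All function names below are the example's own. */
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_ADDRS 32

/* Collect the IPv4 addresses configured on this host: the "set of valid
 * destination addresses" the message talks about.  Returns the count, or
 * -1 if getifaddrs(3) fails. */
int list_local_ipv4(struct in_addr *out, int max)
{
    struct ifaddrs *ifa, *p;
    int n = 0;

    if (getifaddrs(&ifa) == -1)
        return -1;
    for (p = ifa; p != NULL && n < max; p = p->ifa_next) {
        if (p->ifa_addr == NULL || p->ifa_addr->sa_family != AF_INET)
            continue;
        out[n++] = ((struct sockaddr_in *)p->ifa_addr)->sin_addr;
    }
    freeifaddrs(ifa);
    return n;
}

/* Create a TCP listener bound to exactly one address (case (b) in the
 * message) rather than to 0.0.0.0 (case (a)).  Port 0 lets the kernel
 * choose an ephemeral port.  Returns the listening fd, or -1 on error. */
int listen_on_address(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd == -1)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) == -1 ||
        listen(fd, 5) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Report what a socket is actually bound to.  Returns 1 if it is bound to
 * a specific address, 0 if it sits on INADDR_ANY (reachable on every
 * address the host has, now and later), -1 on error.  If buf is non-NULL
 * the bound address is written there in dotted-quad form. */
int bound_to_specific_address(int fd, char *buf, size_t buflen)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;

    if (getsockname(fd, (struct sockaddr *)&sa, &len) == -1)
        return -1;
    if (buf != NULL)
        inet_ntop(AF_INET, &sa.sin_addr, buf, (socklen_t)buflen);
    return sa.sin_addr.s_addr != htonl(INADDR_ANY);
}

int main(void)
{
    struct in_addr addrs[MAX_ADDRS];
    char buf[INET_ADDRSTRLEN];
    int i, fd, n = list_local_ipv4(addrs, MAX_ADDRS);

    for (i = 0; i < n; i++)
        printf("local address: %s\n",
               inet_ntop(AF_INET, &addrs[i], buf, sizeof buf));

    fd = listen_on_address("127.0.0.1", 0);
    if (fd != -1 && bound_to_specific_address(fd, buf, sizeof buf) == 1)
        printf("listening only on %s\n", buf);
    if (fd != -1)
        close(fd);
    return 0;
}
```

The getsockname(2) check is the part worth keeping around as an audit aid: a daemon that says it is "restricted to one IP" but whose listening socket reports 0.0.0.0 is in case (a) whatever its configuration claims, and the kernel will hand it connections on every address, including ones added after it started.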