Re: restrict implicit binding to interfaces



David Schwartz wrote:
On Oct 29, 4:13 am, Wolfgang Draxinger <wdraxin...@xxxxxxxxxxxxxxxx>
wrote:

How can I do that, I mean: If a program requests to be bound to a
certain interface explicitly, then and only then is it bound to
that interface. Otherwise it's just bound implicitly to the
unrestricted interfaces.

Programs don't bind to interfaces. Your question doesn't make any
sense.

In the particular case it's a proxy server (the daemon is not
buggy, so explicit binding works, but I'd like to have some
fallback). Squid shall listen only to the internal network, so
it can't be abused from outside.

Programs don't listen to networks. Again, your question doesn't make
any sense.

But there's also an OpenVPN
running for incoming connections, to enable a route to the
storage server which won't permit incoming connections from the
internet. And then the system shall also be an ordinary router,
routing traffic into the subnet (which is a public IP address
space). I know that using paravirtualization and some network
trickery would do the trick, but I'd like to do it on a single
logical host.

However, I considered using a small UML process that would
contain the ppp0 device, so that this one has its own router.

Can you state precisely what it is you are trying to do? What is the
rule for whether a connection should or should not be allowed to the
proxy?

I think what he's asking is how he can control on what addresses an app listener opens a socket. Most apps open sockets on 0.0.0.0 (i.e., every interface) by default. Some let you specify listening addresses. He appears to want a way to designate some interfaces as "restricted" and others as "not restricted" so that apps open listeners on the "not restricted" interfaces by default, but can open listeners on the "restricted" interfaces if their configs specifically request it.

I doubt that what he wants is possible. It would take rethinking the call to open a socket at the API in order to apply to apps (e.g., ntpd) that don't let you specify listening on only some addresses. (I understand there have been flame wars over ntpd on this point. I only use it as an example, not as a spark for another war.)

You seem to be under the misconception that addresses belong to
interfaces. They don't under Linux, they belong to the machine as a
whole. When you bind to an address, you accept packets sent to that
address regardless of what interface they arrive on. Otherwise, it
would be impossible to set up a functional router.
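The practical consequence of the points above (apps default to 0.0.0.0, and an address, not an interface, is what a socket binds to) is that the thing to audit on a host like this is the local address column of each listening socket. The script below is an added example, not code from anyone in the thread: it parses the format of the Linux /proc/net/tcp table, decodes the hex local_address field, and flags listeners in LISTEN state bound to the wildcard 0.0.0.0 (reachable via every address the machine has) versus those bound to one specific address. The table text used for the demonstration is constructed; the port and inode values in it are made up. The `bind_listener` helper just shows the two bind choices the thread talks about.

```python
"""Audit which local addresses the host's TCP listeners are bound to.

Added example (not from the thread). Parses the /proc/net/tcp format:
the local_address column is "<hex ipv4>:<hex port>", where the IPv4 part
is the 32-bit address in host (little-endian on x86) byte order, and the
st column is the TCP state, 0A meaning LISTEN.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional

TCP_LISTEN = 0x0A  # kernel state code for a listening socket

# Constructed sample table (ports, uids and inodes are made up):
# sshd on the wildcard address, squid on the internal address only,
# a resolver on loopback, and one ESTABLISHED connection to squid.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0101A8C0:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000    13        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0101A8C0:0C38 6401A8C0:D43A 01 00000000:00000000 00:00000000 00000000    13        0 1004 1 0000000000000000 20 4 30 10 -1
"""


@dataclass
class Listener:
    addr: str
    port: int
    wildcard: bool  # True when bound to 0.0.0.0, i.e. every local address


def decode_v4(hexaddr: str) -> str:
    """Decode the little-endian hex form used by /proc/net/tcp.

    '0100007F' -> '127.0.0.1'
    """
    return socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))


def parse_proc_net_tcp(text: str) -> List[Listener]:
    """Return every LISTEN socket in the table with its decoded address."""
    listeners: List[Listener] = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], int(fields[3], 16)
        if state != TCP_LISTEN:
            continue  # established/closing sockets are not listeners
        hexaddr, hexport = local.split(":")
        addr = decode_v4(hexaddr)
        listeners.append(Listener(addr, int(hexport, 16), addr == "0.0.0.0"))
    return listeners


def wildcard_ports(text: str) -> List[int]:
    """Ports whose listener accepts connections on every local address."""
    return [l.port for l in parse_proc_net_tcp(text) if l.wildcard]


def audit_live_host() -> Optional[List[Listener]]:
    """Read the real table if this is running on Linux; None otherwise."""
    try:
        with open("/proc/net/tcp") as fh:
            return parse_proc_net_tcp(fh.read())
    except OSError:
        return None


def bind_listener(addr: str, port: int = 0) -> socket.socket:
    """Open a TCP listener; addr='0.0.0.0' reaches every local address,
    a specific address such as 127.0.0.1 or the internal one limits it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((addr, port))
    s.listen(5)
    return s


if __name__ == "__main__":
    for l in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        tag = "WILDCARD" if l.wildcard else "specific"
        print(f"{l.addr}:{l.port}  {tag}")
    live = audit_live_host()
    if live is not None:
        print("live wildcard listeners:", [l.port for l in live if l.wildcard])
```

Run against the constructed table it reports port 22 as a wildcard listener and squid (3128) and the resolver (53) as address-specific; on a Linux host it repeats the check against the real table. Only IPv4 is covered here; /proc/net/tcp6 has the same layout with 128-bit addresses and would need a separate decoder.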


