On a dual-homed host, it would seem natural to segregate services
according to which interface packets arrived on. As near as I can
tell, the standard inetd and the services it spawns make no attempt to
bind to a particular interface (IP address): it would appear (I don't
have sources, so I am guessing) that inetd binds to INADDR_ANY, so it
receives packets from all interfaces.
If this is true, then on Solaris systems, a real opportunity to
partition internal networks is lost. Solaris permits logical
interfaces to be defined on a single physical interface. By defining
two such logical interfaces with different (sub-)nets, and turning off
IP forwarding, you can effectively place a firewall anywhere you want,
without any special hardware or software. If you could dictate which
services are available on which logical interface, the partitioning
could effectively use software like the TIS toolkit and introduce
substantial additional internal net security.
Unless I am missing something obvious, it seems like a modification
of TIS netacl program to explicitly bind to a specified IP address is
the easiest way to achieve this.
Comments?
------------------------------------------------------------------------
Jim Krupp                         Mentat Inc.
jak@mentat.com                    1145 Gayley Ave, Suite 315
voice: (310)208-2650, ext 23      Los Angeles, CA 90024
fax: (310)208-3724                USA
------------------------------------------------------------------------
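The binding the post asks for, shown as an added example (not code from the post or from the TIS netacl program): a TCP listener that binds to one explicit IP address instead of INADDR_ANY, so the service answers only on that logical interface. The port 40123 and the addresses 127.0.0.1 and 127.0.0.2 are assumed test values standing in for two logical interfaces on the same host.

```c
/* Added example: bind a service to one interface address rather than
 * INADDR_ANY. 127.0.0.1 plays the "internal" logical interface and
 * 127.0.0.2 the "other" one; port 40123 is an arbitrary test value. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a listening TCP socket bound to `ip` (NULL = INADDR_ANY, which
 * is what the post assumes inetd does). Returns the fd, or -1 on error. */
int listen_on(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (ip && inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); return -1; }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Attempt a TCP connect to ip:port; 1 if the kernel accepted it, 0 if it
 * was refused or unreachable (i.e. nothing listens on that address). */
int can_connect(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    int ok, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    ok = connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
    close(fd);
    return ok;
}

int main(void)
{
    int fd = listen_on("127.0.0.1", 40123);      /* internal side only */
    int inside = can_connect("127.0.0.1", 40123); /* reachable */
    int outside = can_connect("127.0.0.2", 40123); /* refused */
    close(fd);
    return (fd >= 0 && inside && !outside) ? 0 : 1;
}
```

Passing NULL to listen_on reproduces the INADDR_ANY behaviour the post describes, and the same connect check then succeeds from both addresses.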