Well, I have looked a little at xinetd's code, but I think it's pretty
secure. Basically, it probably does a getsockname() on incoming
connections to find out what interface they are coming in on. It then
would compare the result to an IP address or interface name and make
sure they match. I haven't looked in full at the code here, but I would
place high faith on this part because it is not that tricky to do. What
I wouldn't place faith on is the kernel's IP forwarding mechanism. On
many BSD based systems, it is possible to ping an inside interface from
the outside, even with IP forwarding turned off (so I have been told).
I know for a fact that Linux-2.0 and higher (and probably earlier as
well) are not vulnerable to this. This is easy to check - try to ping
your outside interface from the inside - if that works, your IP
forwarding is broken, and xinetd's interface binding is useless for your
purposes.
Zach Amsden
amsden@andrew.cmu.edu
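An added illustration (not xinetd's code, and not from the poster) of the getsockname()-based check described above: the listener is bound to all interfaces, and each accepted connection is checked against the one local address the service is permitted on. The loopback address and the permitted-address values are constructed for the demo.

```python
import socket


def local_endpoint_allowed(conn, allowed_ip):
    """Return True if an accepted connection arrived on the permitted local address.

    getsockname() on the *accepted* socket reports the local address the kernel
    delivered the connection to, which is what an interface-binding check needs
    when the listener itself is bound to every interface (0.0.0.0).
    """
    local_ip = conn.getsockname()[0]
    return local_ip == allowed_ip


def demo(allowed_ip):
    """Listen on all interfaces, connect over loopback, and run the check.

    The caveat from the post still applies: this only tells you which local
    address the packets reached; it cannot tell you whether the kernel forwarded
    them in from another interface. Only a forwarding check answers that.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("0.0.0.0", 0))          # all interfaces, ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))  # constructed test client
    conn, _peer = listener.accept()
    try:
        return local_endpoint_allowed(conn, allowed_ip)
    finally:
        conn.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    print("loopback permitted:", demo("127.0.0.1"))   # True
    print("other address permitted:", demo("192.0.2.1"))  # False (192.0.2.1 is a constructed value)
```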