On Jul 31, 9:13am, "Sean Fuller" wrote:
} Subject: Re: How secure is xinetd's binding to specific interfaces
} On Jul 30, 6:37pm, <firewalls-owner@GreatCircle.COM> wrote:
}
} getsockname! Thanks so much for pointing out this wonderful routine.
} I don't know why I never saw it before. I guess I learned firewall
} programming from the TIS Firewall Toolkit and I never saw this routine
} used to detect the incoming interface.
Except that with most network stacks you can't count on this to detect
the interface that the packet was received on. If interface A receives
a packet with the destination address that matches interface B,
getsockname() will report interface B's address. With most networking
stacks, this will happen even if IP forwarding is turned off. If the
routing table on the host shows that the route to the packet's source address
should use interface A (or if there is a source route), I bet it's still
possible to set up a TCP connection even without IP forwarding, but in
this case (lacking the source route) your getpeername() check should be
effective.
--- Truck
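The accept()-side check discussed above, as an added example (not code from the thread, from xinetd or from the TIS Firewall Toolkit): compare the local address that getsockname() reports for an accepted connection with the address of the interface the service is meant to answer on. It assumes an IPv4 service whose expected address is known in advance; the loopback harness (127.0.0.1 on an ephemeral port) is constructed so the demonstration runs on a single host, and Truck's caveat still applies, since the value compared is the packets' destination address, not the interface they arrived on.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return 1 if the local (destination) address of accepted socket conn_fd equals
 * expected_ipv4, 0 if it differs, -1 on error.  getsockname() gives the address
 * the client sent to, not the receiving interface (see the thread's caveat). */
int local_addr_matches(int conn_fd, const char *expected_ipv4)
{
    struct sockaddr_in local;
    socklen_t len = sizeof local;
    struct in_addr want;
    if (inet_pton(AF_INET, expected_ipv4, &want) != 1) return -1;
    if (getsockname(conn_fd, (struct sockaddr *)&local, &len) != 0) return -1;
    return local.sin_addr.s_addr == want.s_addr;
}

/* Constructed harness: listen on loopback with a kernel-chosen port, connect
 * to it, accept, and run the check on the accepted socket.  Returns the
 * result of local_addr_matches(), or -1 if socket setup failed. */
int demo_loopback_check(const char *expected_ipv4)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in addr;
    socklen_t alen = sizeof addr;
    int afd, result = -1;
    if (lfd < 0 || cfd < 0) goto out;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* 127.0.0.1 */
    addr.sin_port = 0;                               /* ephemeral port */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        listen(lfd, 1) != 0 ||
        getsockname(lfd, (struct sockaddr *)&addr, &alen) != 0 ||
        connect(cfd, (struct sockaddr *)&addr, sizeof addr) != 0)
        goto out;
    afd = accept(lfd, NULL, NULL);
    if (afd >= 0) {
        result = local_addr_matches(afd, expected_ipv4);
        close(afd);
    }
out:
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return result;
}
```

A real daemon would pair this with a getpeername() check on the source address, as the thread suggests; the harness cannot show the multi-homed case, where traffic addressed to interface B arrives on interface A and still passes.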