No, you just have to tell named to only bind to one interface.
No kernel hacking required.
If I have le0 10.1.1.1 and le1 10.2.1.1, bind()'ing to port 53 with
10.1.1.1 does not bind() to 10.2.1.1.
As I mentioned in mail elsewhere about this, named will bind to *all*
combinations of valid port references for your machine. This means it
will bind to
* 127.0.0.1, port 53 (lo0)
* 0.0.0.0, port 53
* 10.1.1.1, port 53 (le0)
and
* 10.2.1.1, port 53 (le1)
without any kernel hacks. Most programs will just bind to
"0.0.0.0.port" when they create a socket so that they don't need to
worry about which interface things are on.
Yes and no. You're quite right that one can bind to a specific port
without any kernel surgery. But a packet arriving on interface 10.1.1.1
can still reach a socket bound to 10.2.1.1, which is often undesirable
from a security perspective. This is fixable, too, but only in the kernel.
I sketched out a design for doing this a few years ago; if you're interested,
see ftp://ftp.research.att.com/dist/smb/sessext.ps.Z (though it's only
a small part of a longer paper).
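The distinction both messages turn on (a socket bound to 0.0.0.0 accepts datagrams for every local address, a socket bound to one address accepts only traffic addressed to it) can be checked from user space. The following is an added example, not code from either poster or from named; it uses only the loopback address and a kernel-chosen port so it runs without privileges. The weak-host case the second message raises (a packet that enters through one interface but carries the address of another) needs two real interfaces and is not reproduced here; the 127.0.0.2 probe in the demo stands in for "a second local address" and behaves as described only on Linux, where all of 127/8 sits on lo.

```python
import socket

PROBE = b"probe"  # constructed payload used only for the local demonstration


def bind_udp(addr: str, port: int = 0) -> socket.socket:
    """Create a UDP socket bound to exactly (addr, port).

    addr="0.0.0.0" is the wildcard the first message describes; a specific
    address such as "127.0.0.1" limits the socket to datagrams addressed to
    it. Port 0 lets the kernel pick a free port, so no privileges are needed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((addr, port))
    s.settimeout(0.5)  # recvfrom() returns quickly when nothing arrives
    return s


def is_wildcard_bound(sock: socket.socket) -> bool:
    """True when the socket accepts traffic for every local address."""
    return sock.getsockname()[0] == "0.0.0.0"


def delivers(listener: socket.socket, dest_addr: str) -> bool:
    """Send one datagram to dest_addr on the listener's port and report
    whether the listener received it (False on timeout or unroutable dest)."""
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(PROBE, (dest_addr, port))
        data, _ = listener.recvfrom(len(PROBE))
        return data == PROBE
    except (socket.timeout, OSError):
        return False
    finally:
        sender.close()


def audit_listeners(listeners) -> list:
    """Return the (addr, port) pairs of sockets bound to the wildcard, i.e.
    the ones reachable through every address the host owns."""
    return [l.getsockname() for l in listeners if is_wildcard_bound(l)]


if __name__ == "__main__":
    specific = bind_udp("127.0.0.1")
    wildcard = bind_udp("0.0.0.0")
    print("specific <- 127.0.0.1:", delivers(specific, "127.0.0.1"))  # True
    print("wildcard <- 127.0.0.1:", delivers(wildcard, "127.0.0.1"))  # True
    # On Linux the whole of 127/8 is on lo, so 127.0.0.2 acts as a second
    # local address: the wildcard socket takes it, the specific one does not.
    print("specific <- 127.0.0.2:", delivers(specific, "127.0.0.2"))
    print("wildcard <- 127.0.0.2:", delivers(wildcard, "127.0.0.2"))
    print("wildcard-bound sockets:", audit_listeners([specific, wildcard]))
    specific.close()
    wildcard.close()
```

audit_listeners() is the check a defender actually wants: it flags any daemon socket still on the wildcard, which is the configuration that makes the second message's concern reachable from every interface. Restricting a socket to a single interface rather than a single address is, on current Linux kernels, done with the SO_BINDTODEVICE socket option (privileged), which is the user-space form of the kernel change the second poster was sketching.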