Re: Listening on specific interfaces

From: Mark Burgess
Subject: Re: Listening on specific interfaces
Date: Wed, 27 Aug 2003 17:18:03 +0200 (MEST)

>> Servers generally bind to which means, I'm accepting traffic
>> from anyone in principle.
> This is untrue, and I'd actually argue the opposite. Not being
> judgmental, but this may be the source of your confusion. I
> specifically bind both tomcat and apache to specific address for load
> balancing. It simplifies load balancing configuration, moving and
> expanding sites, configuration management...etc.
> If the need for this is still not clear, please read up on why any
> server binds to an IP address. The security implications are paramount
> and this generally accepted security practice is something cfengine
> could use.

Ok there are 2 things and then I'm finished with the discussion:

1. You are right about the binding address. It is the IP address
   of an interface that bind connects to, not a client address.
   So indeed it is possible to bind to *either*

    a) only one interface with a specific IP address
    b) a wildcard address (INADDR_ANY)

   I was wrong about this and have learned something new.

2. Until I started writing this message I could not think of
a single useful application for this, but there is in fact one:
key exchange. It might make trusted key exchange with the server
less vulnerable to spoofing time windows, under very special

So it's only a 99.5% Red Herring


PS - please don't explain to me otherwise. Let's just implement
it and be done with. It is a trivial modification.

Work: +47 22453272            Email:  address@hidden
Fax : +47 22453205            WWW  :
