
[REBOL] Re: Binding server ports to specific host IPs

From: gscottjones:mchsi at: 9-Aug-2002 9:45

From: "Brian Hawley"
> My computer has several IP channels available to it: The ethernet card, localhost, and a couple VMware virtual networks. If I am setting up a server, how do I bind a listen port to just one or some of them, not all? I would like to set up local services that I would prefer not to be accessible to the outside world. I haven't found anything like this in the docs - they all seem to assume that all network channels are alike.
>
> For that matter, is there some way to set a net-mask or a list of IPs to limit who can connect to my service somewhere in the port settings, rather than manually checking every connection? I'm looking for speed and security here...
>
> I will ask feedback too. Unfortunately, the ability to bind to only specific network channels (I forget the TCP/IP term) is a must for my project. If I can't, I must switch languages. That would be bad.
Hi, Brian,

I probably have more questions than answers, because I believe that the best answer will depend on certain information. The implied risk of which I suspect that you are concerned is the risk of external Internet access to your proposed REBOL server.

You mention an ethernet card. Is your connection to the Internet through this card, or through a dial-up? If it is through the card then the card may hook directly to the Internet (thru DSL, cable, ISDN, etc) or to a "local" network that then accesses the Internet through a gateway machine (be it a computer or specialized router). Some gateway devices are merely pass-through routers that filter for an IP range. In such a setting each machine will be individually addressable by the Internet, which is a major risk. Some gateways will reassign connections through a local IP system. There are circumstances where this local IP system may be addressable through the Internet. Most gateways that reassign IPs will use one of the non-routable IP address ranges for the local network. In theory, machines behind this system cannot be directly addressed by the Internet. Such address ranges include 192.168.x.x. Some gateways may or may not act like a firewall, meaning filtering incoming requests (and outgoing in some situations).

Let's say that your machine is attached to the Internet through an ethernet card that is attached to a cable modem. Odds are that the IP assigned to your machine is directly addressable to the Internet (whether it is static or dynamically assigned via a DHCP server). This will be a problem, especially if you have or have ever had the old-style Windows network installed (which was done by default until only recently. Note that even if you disabled all but the TCP/IP networking, the Windows network ports may still be listening. See grc.com for entertaining, if not hair-raising, reading on this topic. His site will also let you assess your Internet vulnerability, so it is well worth the time.)
You may only have two real options to obtain a truly Internet-isolated internal network: get a firewall/router/DHCP server like the LinkSys EtherFast Cable/DSL Router, or get an old spare machine that attaches directly to the Internet, then attaches to your development machine using the Internet share facility, which will set up a non-Internet-routable address for your machine. Internet accesses are passed through the connection, but your machine will not be directly addressable (again, warning regarding old Windows configs as outlined at grc.com). The third but less desirable option is hooking your REBOL server to the localhost address (127.0.0.1).

Once your development machine is on a non-Internet-routable address, like the 192.168.x.x range, then you can hook your server to a port for listening, as seen at http://www.reboltech.com/library/html/rebserver.html

You should be able to specify the actual IP that you wish to use on your machine, like:

    server-port: open/lines tcp://192.168.0.1:4321

If your machine is directly addressable to the Internet, but you have a firewall installed, then in theory you only need to set the firewall to filter out any external access to the desired port. I'm no expert, but I personally would never risk this because firewalls can be especially exposed if running on the *same machine* as the desired port to be filtered.

One of the LinkSys solutions is a very cheap, easy and efficient way of securing your accesses to the Internet, unless you happen to have an old machine and two more ethernet cards lying around and an OS that supports Internet sharing (most do, with varying degrees of trouble involved) (while Windows Internet share "works", configuration can sometimes be a nightmare).

Hope this helps. If your circumstances lie outside of these parameters, then given a little more info, someone will likely be able to pose a safe solution. The grc.com site is highly recommended as a way to check your connection.

--Scott Jones
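Added example, not part of the original thread and written in Python rather than REBOL, showing the two controls Brian asked about: binding the listener to one local address (loopback here) instead of all interfaces, and an allow-list check on the peer address that stands in for the "net-mask or list of IPs" port setting. The allowed networks and the loopback round-trip are constructed for illustration.

```python
import ipaddress
import socket

# Constructed allow-list: only loopback and one 192.168.x.x LAN may talk to the service.
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/24")]


def peer_allowed(peer_ip: str, nets=ALLOWED_NETS) -> bool:
    """The 'net-mask' check: True if peer_ip lies inside any allowed network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in nets)


def open_listener(bind_ip: str, port: int = 0) -> socket.socket:
    """Listen on bind_ip only. Binding '0.0.0.0' would expose the port on every
    interface (ethernet, VMware, loopback); a specific address restricts it to one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))  # port 0 lets the OS pick a free ephemeral port
    srv.listen(1)
    return srv


def serve_one(srv: socket.socket, timeout: float = 2.0):
    """Accept one connection, apply the allow-list, answer, and report the decision."""
    srv.settimeout(timeout)
    conn, (peer_ip, _) = srv.accept()
    with conn:
        ok = peer_allowed(peer_ip)
        conn.sendall(b"OK\n" if ok else b"DENIED\n")
    return peer_ip, ok


def demo() -> dict:
    """Bind to loopback only, connect over loopback, and return what was observed."""
    srv = open_listener("127.0.0.1")
    bound_ip, bound_port = srv.getsockname()
    client = socket.create_connection(("127.0.0.1", bound_port), timeout=2.0)
    peer_ip, accepted = serve_one(srv)
    reply = client.recv(16)
    client.close()
    srv.close()
    return {"bound_ip": bound_ip, "peer_ip": peer_ip,
            "accepted": accepted, "reply": reply}


if __name__ == "__main__":
    print(demo())
```

Binding to a specific address keeps the port off the other interfaces at the OS level; the allow-list only filters connections that have already reached the socket, so it complements rather than replaces the bind choice.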