Binding server ports to specific host IPs
[1/8] from: brian:hawley at: 9-Aug-2002 5:42
Help! My computer has several IP channels available to it: The ethernet card, localhost, and a couple VMware virtual networks. If I am setting up a server, how do I bind a listen port to just one or some of them, not all? I would like to set up local services that I would prefer not to be accessible to the outside world. I haven't found anything like this in the docs - they all seem to assume that all network channels are alike.

For that matter, is there some way to set a net-mask or a list of IPs to limit who can connect to my service somewhere in the port settings, rather than manually checking every connection? I'm looking for speed and security here... I will ask feedback too.

Unfortunately, the ability to bind to only specific network channels (I forget the TCP/IP term) is a must for my project. If I can't, I must switch languages. That would be bad.

Thanks for any assistance!

Brian Hawley
[2/8] from: gscottjones:mchsi at: 9-Aug-2002 9:45
From: "Brian Hawley"
> My computer has several IP channels
> available to it: The ethernet card,
<<quoted lines omitted: 21>>
> can't, I must switch languages. That would
> be bad.
Hi, Brian,

I probably have more questions than answers, because I believe that the best answer will depend on certain information.

The implied risk of which I suspect that you are concerned is the risk of external Internet access to your proposed REBOL server.

You mention an ethernet card. Is your connection to the Internet through this card, or through a dial-up? If it is through the card then the card may hook directly to the Internet (thru DSL, cable, ISDN, etc) or to a "local" network that then accesses the Internet through a gateway machine (be it a computer or specialized router). Some gateway devices are merely pass-through routers that filter for an IP range. In such a setting each machine will be individually addressable by the Internet, which is a major risk. Some gateways will reassign connections through a local IP system. There are circumstances where this local IP system may be addressable through the Internet. Most gateways that reassign IPs will use one of the non-routable IP address ranges for the local network. In theory, machines behind this system cannot be directly addressed by the Internet. Such address ranges include 192.168.x.x. Some gateways may or may not act like a firewall, meaning filtering incoming requests (and outgoing in some situations).

Let's say that your machine is attached to the Internet through an ethernet card that is attached to a cable modem. Odds are that the IP assigned to your machine is directly addressable to the Internet (whether it is static or dynamically assigned via a DHCP server). This will be a problem, especially if you have or have ever had the old-style Windows network installed (which was done by default until only recently. Note that even if you disabled all but the TCP/IP networking, the Windows network ports may still be listening. See grc.com for entertaining, if not hair-raising, reading on this topic. His site will also let you assess your Internet vulnerability, so it is well worth the time.)

You may only have two real options to obtain a truly Internet-isolated internal network: get a firewall/router/DHCP server like the LinkSys EtherFast Cable/DSL Router, or get an old spare machine that attaches directly to the Internet and then attaches to your development machine using the Internet share facility, which will set up a non-Internet-routable address for your machine. Internet accesses are passed through the connection, but your machine will not be directly addressable (again, warning regarding old Windows configs as outlined at grc.com). The third but less desirable option is hooking your REBOL server to the localhost address (127.0.0.1).

Once your development machine is on a non-Internet-routable address, like the 192.168.x.x range, then you can hook your server to a port for listening, as seen at http://www.reboltech.com/library/html/rebserver.html

You should be able to specify the actual IP that you wish to use on your machine, like:

    server-port: open/lines tcp://192.168.0.1:4321

If your machine is directly addressable to the Internet, but you have a firewall installed, then in theory you only need to set the firewall to filter out any external access to the desired port. I'm no expert, but I personally would never risk this because firewalls can be especially exposed if running on the *same machine* as the desired port to be filtered.

One of the LinkSys solutions is a very cheap, easy and efficient way of securing your accesses to the Internet, unless you happen to have an old machine and two more ethernet cards lying around and an OS that supports Internet sharing (most do, with varying degrees of trouble involved) (while Windows Internet share "works", configuration can sometimes be a nightmare).

Hope this helps. If your circumstances lie outside of these parameters, then given a little more info someone will likely be able to pose a safe solution. The grc.com site is highly recommended as a way to check your connection.

--Scott Jones
[3/8] from: petr:krenzelok:trz:cz at: 9-Aug-2002 17:18
[4/8] from: petr:krenzelok:trz:cz at: 9-Aug-2002 17:26
So once again,

    port: open tcp://:9005
    probe get-modes port 'interfaces
    [
        make object! [
            name: "lo0"
            addr: 127.0.0.1
            netmask: 255.0.0.0
            broadcast: none
            dest-addr: none
            flags: [multicast loopback]
        ]
        make object! [
            name: "if50331652"
            addr: 169.254.201.58
            netmask: 255.255.0.0
            broadcast: 169.254.255.255
            dest-addr: none
            flags: [broadcast multicast]
        ]
        make object! [
            name: "if33554435"
            addr: 192.168.120.254
            netmask: 255.255.255.0
            broadcast: 192.168.120.255
            dest-addr: none
            flags: [broadcast multicast]
        ]]
    == [
        make object! [
            name: "lo0"
            addr: 127.0.0.1
            netmask: 255.0.0.0
            broadcast: none
            dest...

Is that what you wanted?

-pekr-
[5/8] from: brian:hawley at: 9-Aug-2002 18:41
At 09:45 AM 8/9/02 -0500, G. Scott Jones wrote:
>From: "Brian Hawley"
>
> > My computer has several IP channels
<<quoted lines omitted: 9>>
> > the docs - they all seem to assume that
> > all network channels are alike.
>
>Hi, Brian,
>
>I probably have more questions than answers, because I believe that the best
>answer will depend on certain information.
>
>The implied risk of which I suspect that you are concerned is the risk of
>external Internet access to your proposed REBOL server.
[ Huge amounts of useful information snipped :) ] I thank you for all of this information, but I've already gone through these steps. I do know about networking, I just forget the jargon terms for things :)
>The third but less desirable option is hooking your REBOL server >to the localhost address (127.0.0.1).
Actually, that is exactly one of the things that I want to do.
>Once your development machine is on a non-Internet-routable address, like
>the 192.168.x.x range, then you can hook your server to a port for
<<quoted lines omitted: 3>>
>machine, like:
>server-port: open/lines tcp://192.168.0.1:4321
You should, but what you have just done is open a client port. A server port is opened from specs like tcp://:4321 . You are not given the opportunity to specify which of your server IPs to bind to, or if you are, I would like to know how.

Say I have a 2k machine, with one NIC, running VMware. I would then have 4 IPs for that machine, each on a different subnet. This info is typical for a computer behind a NAT firewall.

    localhost                 127.0.0.1        255.0.0.0
    (the NIC)                 192.168.123.100  255.255.255.0
    (VMware host-only net)    192.168.17.1     255.255.255.0
    (VMware internal NAT)     192.168.119.1    255.255.255.0

I would like to use something like this:

    open/custom tcp://:4321 [ips [22.214.171.124 192.168.17.1]]

or perhaps even use the names specified when you get-modes port 'interfaces. It should be possible, but I don't know the exact syntax.
>If your machine is directly addressable to the Internet, but you have a
>firewall installed, then in theory you only need to set the firewall to filter
>out any external access to the desired port.

Most internal firewall software restricts on a program basis, not per-script. If you enable a port for one REBOL script you have enabled it for all of them. This is not my problem, though. I just want to set up local servers to handle non-REBOL standard protocols for client programs written in other languages. Seems simple enough to me...

At 05:26 PM 8/9/02 +0200, Petr Krenzelok wrote:
>So once again,
>
>port: open tcp://:9005
>probe get-modes port 'interfaces
>Is that what you wanted?
No. I found that in the docs. What I want is to bind listen ports to only a subset of the IPs available on my machine. Get access hasn't helped me much there, I'm afraid :( Any ideas? Brian Hawley
[6/8] from: gscottjones:mchsi at: 10-Aug-2002 6:04
From: Scott Jones
> >You should be able to specify the actual IP that you wish to use on your
> >machine, like:
> >server-port: open/lines tcp://192.168.0.1:4321
>
From: "Brian Hawley"
> You should, but what you have just done is open a client port.
> A server port is opened from specs like tcp://:4321 . You are
> not given the opportunity to specify which of your server IPs
> to bind to, or if you are, I would like to know how.
Hi, Brian, I see what you are saying. My mistake. I don't know the answer either. Sorry. --Scott Jones
[7/8] from: gscottjones:mchsi at: 10-Aug-2002 10:53
Hi, Brian,

From: "Brian Hawley"
> My computer has several IP channels available to it: The ethernet card,
> localhost, and a couple VMware virtual networks. If I am setting up a
<<quoted lines omitted: 5>>
> limit who can connect to my service somewhere in the port settings, rather
> than manually checking every connection? I'm looking for speed and
I think I know one way to accomplish your task. This works on my home network. If the hypothetical tiny-server IP is 192.168.1.100, then the following sets up a "tiny server" that only answers if the connection-port comes from the IP indicated in the code below:

    server-port: open/lines tcp://:4321
    forever [
        connection-port: first server-port
        until [
            wait connection-port
            either find [192.168.1.100] connection-port/host [
                error? try [do first connection-port]
            ][
                probe reduce join "intrusion from " connection-port/host
            ]
        ]
        close connection-port
    ]
    close server-port

I can connect and use from the machine on IP 192.168.1.100 using:

    server: open/lines tcp://192.168.1.100:4321
    until [error? try [insert server ask "R> "]]
    ;close server

But from my wife's machine on 192.168.1.101 or by localhost, the server only reports an intrusion attempt. More accepted IPs can be added to the block:

    ...
    either find [192.168.1.100 192.168.1.101] connection-port/host [
    ...

***** Warning: This code has not been thoroughly tested and is likely to ruin your computer, your business and your life. I suspect that even a 2 month old infant hacker could easily circumvent this server. It is meant to be a comical satire of a real computer ip filter and is meant for pleasure reading only at a distance no closer than 4000 meters from any computer. *****

Hope that this is more useful than my last posts.

--Scott Jones
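The two mechanisms this thread contrasts, binding the listener to a single local address (what Brian asks for) and Scott's post-accept check of the peer address, shown side by side as an added example in Python rather than REBOL; it is not code from anyone in this thread. The allow-list and its CIDR rule are constructed values, and the check extends Scott's block of accepted IPs with the netmask form Brian mentioned.

```python
import ipaddress
import socket

# Constructed allow-list in the spirit of Scott's block of accepted IPs,
# with the netmask form Brian asked about added: a rule is either one
# address or a CIDR range.
ALLOWED = ["192.168.1.100", "192.168.17.0/24"]


def peer_allowed(peer_ip, allowed=ALLOWED):
    """Post-accept check (Scott's approach): is the peer in the allow-list?

    The kernel has already completed the TCP handshake on whichever
    interface received it; this only decides whether to talk to the peer.
    """
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(rule, strict=False)
               for rule in allowed)


def listen_on(local_ip, port):
    """Bind-time restriction (what Brian asked for): listen on ONE address.

    A socket bound to 127.0.0.1 is unreachable from the NIC or the VMware
    adapters no matter what the peer's address is; binding to "" is the
    listen-everywhere behaviour of REBOL's tcp://:4321 spec.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((local_ip, port))      # port 0 lets the OS choose a free port
    srv.listen(5)
    return srv


def serve_once(srv):
    """Accept one connection, apply the peer check, report the decision."""
    conn, (peer_ip, _) = srv.accept()
    with conn:
        ok = peer_allowed(peer_ip)
        conn.sendall(b"ok\n" if ok else b"refused\n")
    return peer_ip, ok


if __name__ == "__main__":
    srv = listen_on("127.0.0.1", 0)            # loopback only
    host, port = srv.getsockname()
    with socket.create_connection((host, port)) as client:
        print(serve_once(srv))                 # ('127.0.0.1', False)
        print(client.recv(16))                 # b'refused\n'
    srv.close()
```

The post-accept check judges the address the connection arrives with, so a client coming through the NAT or a VMware adapter is seen under the translated address, whereas the bind decides which interfaces can deliver a connection at all.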
[8/8] from: greggirwin:mindspring at: 10-Aug-2002 12:20
Hi Brian, I don't have an answer either, but maybe Maarten Koopmans does. I haven't seen him around in a while, but maybe he knows from his work developing Rugby. --Gregg