Binding server ports to specific host IPs
[1/8] from: brian:hawley at: 9-Aug-2002 5:42
Help!
My computer has several IP channels available to it: The ethernet card,
localhost, and a couple VMware virtual networks. If I am setting up a
server, how do I bind a listen port to just one or some of them, not all?
I would like to set up local services that I would prefer not to be
accessible to the outside world. I haven't found anything like this in
the docs - they all seem to assume that all network channels are alike.
For that matter, is there some way to set a net-mask or a list of IPs to
limit who can connect to my service somewhere in the port settings, rather
than manually checking every connection? I'm looking for speed and security
here...
I will ask feedback too. Unfortunately, the ability to bind to only specific
network channels (I forget the TCP/IP term) is a must for my project. If I
can't, I must switch languages. That would be bad.
Thanks for any assistance!
Brian Hawley
[2/8] from: gscottjones:mchsi at: 9-Aug-2002 9:45
From: "Brian Hawley"
> My computer has several IP channels
> available to it: The ethernet card,
<<quoted lines omitted: 21>>
> can't, I must switch languages. That would
> be bad.
Hi, Brian,
I probably have more questions than answers, because I believe that the best
answer will depend on certain information.
The implied risk of which I suspect that you are concerned is the risk of
external Internet access to your proposed REBOL server. You mention an
ethernet card. Is your connection to the Internet through this card, or
through a dial-up? If it is through the card then the card may hook
directly to the Internet (thru DSL, cable, ISDN, etc) or to a "local"
network that then accesses the Internet through a gateway machine (be it a
computer or specialized router). Some gateway devices are merely
pass-through routers that filter for an IP range. In such a setting each
machine will be individually addressable by the Internet, which is a major
risk. Some gateways will reassign connections through a local IP system.
There are circumstances where this local IP system may be addressable
through the Internet. Most gateways that reassign IPs will use one of the
non-routeable IP address ranges for the local network. In theory, machines
behind this system cannot be directly addressed by the Internet. Such
address ranges include 192.168.x.x. Some gateways may or may not act like a
firewall, meaning filtering incoming requests (and outgoing in some
situations).
Let's say that your machine is attached to the Internet through an ethernet
card that is attached to a cable modem. Odds are that the IP assigned to
your machine is directly addressable to the Internet (whether it is static
or dynamically assigned via a DHCP server). This will be a problem,
especially if you have or have ever had the old-style Windows network
installed (which was done by default until only recently. Note that even if
you disabled all but the TCP/IP networking, the Windows network ports may
still be listening. See grc.com for entertaining, if not hair raising
reading on this topic. His site will also let you assess your Internet
vulnerability, so it is well worth the time.) You may only have two real
options to obtain a truly Internet-isolated internal network: get a
firewall/router/dhcp server like LinkSys EtherFast Cable/Dsl Router or get
an old spare machine that attaches directly to the Internet, then attaches to
your development machine using the Internet share facility, which will set
up a non-Internet-routable address for your machine. Internet accesses are
passed through the connection, but your machine will not be directly
addressable (again, warning regarding old Windows configs as outlined at
grc.com). The third but less desirable option is hooking your REBOL server
to the localhost address (127.0.0.1).
Once your development machine is on a non-Internet-routable address, like
the 192.168.x.x range, then you can hook your server to a port for
listening, as seen at
http://www.reboltech.com/library/html/rebserver.html
You should be able to specify the actual IP that you wish to use on your
machine, like:
server-port: open/lines tcp://192.168.0.1:4321
If your machine is directly addressable to the Internet, but you have a
firewall installed, then in theory you only need to set the firewall to filter
out any external access to the desired port. I'm no expert, but I
personally would never risk this because firewalls can be especially exposed
if running on the *same machine* as the desired port to be filtered. One of
the LinkSys solutions is a very cheap, easy and efficient way of securing
your accesses to the Internet, unless you happen to have an old machine and
two more ethernet cards lying around and an OS that supports Internet
sharing (most do, with varying degrees of trouble involved) (while Windows
Internet share "works", configuration can sometimes be a nightmare).
Hope this helps. If your circumstances lie outside of these parameters,
then, given a little more info, someone will likely be able to pose a
safe solution. The grc.com site is highly recommended as a way to check
your connection.
--Scott Jones
[3/8] from: petr:krenzelok:trz:cz at: 9-Aug-2002 17:18
[4/8] from: petr:krenzelok:trz:cz at: 9-Aug-2002 17:26
So once again,
port: open tcp://:9005
probe get-modes port 'interfaces
[
    make object! [
        name: "lo0"
        addr: 127.0.0.1
        netmask: 255.0.0.0
        broadcast: none
        dest-addr: none
        flags: [multicast loopback]
    ]
    make object! [
        name: "if50331652"
        addr: 169.254.201.58
        netmask: 255.255.0.0
        broadcast: 169.254.255.255
        dest-addr: none
        flags: [broadcast multicast]
    ]
    make object! [
        name: "if33554435"
        addr: 192.168.120.254
        netmask: 255.255.255.0
        broadcast: 192.168.120.255
        dest-addr: none
        flags: [broadcast multicast]
    ]
]
== [
make object! [
name: "lo0"
addr: 127.0.0.1
netmask: 255.0.0.0
broadcast: none
dest...
Is that what you wanted?
-pekr-
[5/8] from: brian:hawley at: 9-Aug-2002 18:41
At 09:45 AM 8/9/02 -0500, G. Scott Jones wrote:
>From: "Brian Hawley"
> > My computer has several IP channels
<<quoted lines omitted: 9>>
> > the docs - they all seem to assume that
> > all network channels are alike.
...
>Hi, Brian,
>
>I probably have more questions than answers, because I believe that the best
>answer will depend on certain information.
>
>The implied risk of which I suspect that you are concerned is the risk of
>external Internet access to your proposed REBOL server.
[ Huge amounts of useful information snipped :) ]
I thank you for all of this information, but I've already gone
through these steps. I do know about networking, I just forget
the jargon terms for things :)
>The third but less desirable option is hooking your REBOL server
>to the localhost address (127.0.0.1).
Actually, that is exactly one of the things that I want to do.
>Once your development machine is on a non-Internet-routable address, like
>the 192.168.x.x range, then you can hook your server to a port for
<<quoted lines omitted: 3>>
>machine, like:
>server-port: open/lines tcp://192.168.0.1:4321
You should, but what you have just done is open a client port.
A server port is opened from specs like tcp://:4321 . You are
not given the opportunity to specify which of your server IPs
to bind to, or if you are, I would like to know how.
Say I have a 2k machine, with one NIC, running VMware. I would
then have 4 IPs for that machine, each on a different subnet.
This info is typical for a computer behind a NAT firewall.
localhost 127.0.0.1 255.0.0.0
(the NIC) 192.168.123.100 255.255.255.0
(VMware host-only net) 192.168.17.1 255.255.255.0
(VMware internal NAT) 192.168.119.1 255.255.255.0
I would like to use something like this:
open/custom tcp://:4321 [ips [128.0.0.1 192.168.17.1]]
or perhaps even use the names specified when you
get-modes port 'interfaces
It should be possible, but I don't know the exact syntax.
>If your machine is directly addressable to the Internet, but you have a fire
>wall installed, then in theory you only need to set the firewall to filter
>out any external access to the desired port.
Most internal firewall software restricts on a program
basis, not per-script. If you enable a port for one REBOL
script you have enabled it for all of them. This is not
my problem, though.
I just want to set up local servers to handle non-REBOL
standard protocols for client programs written in other
languages. Seems simple enough to me...
At 05:26 PM 8/9/02 +0200, Petr Krenzelok wrote:
>So once again,
>
>port: open tcp://:9005
>probe get-modes port 'interfaces
...
>Is that what you wanted?
No. I found that in the docs. What I want is to bind listen
ports to only a subset of the IPs available on my machine.
Get access hasn't helped me much there, I'm afraid :(
Any ideas?
Brian Hawley
[6/8] from: gscottjones:mchsi at: 10-Aug-2002 6:04
<snip>
From: Scott Jones
> >You should be able to specify the actual IP that you wish to use on your
> >machine, like:
> >server-port: open/lines tcp://192.168.0.1:4321
>
From: "Brian Hawley"
> You should, but what you have just done is open a client port.
> A server port is opened from specs like tcp://:4321 . You are
> not given the opportunity to specify which of your server IPs
> to bind to, or if you are I am asking would like to know how.
Hi, Brian,
I see what you are saying. My mistake. I don't know the answer either.
Sorry.
--Scott Jones
[7/8] from: gscottjones:mchsi at: 10-Aug-2002 10:53
Hi, Brian,
From: "Brian Hawley"
> My computer has several IP channels available to it: The ethernet card,
> localhost, and a couple VMware virtual networks. If I am setting up a
<<quoted lines omitted: 5>>
> limit who can connect to my service somewhere in the port settings, rather
> than manually checking every connection? I'm looking for speed and
> security
> here...
I think I know one way to accomplish your task. This works on my home
network.
If the hypothetical tiny-server IP is 192.168.1.100, then the following sets
up a "tiny server" that only answers if the connection-port comes from the
IP indicated in the code below:
server-port: open/lines tcp://:4321      ; listens on every local IP
forever [
    connection-port: first server-port   ; block until a client connects
    until [
        wait connection-port
        ; only evaluate input from the allowed remote host
        either find [192.168.1.100] connection-port/host [
            error? try [do first connection-port]   ; true when the client is gone
        ][
            probe reduce join "intrusion from " connection-port/host
        ]
    ]
    close connection-port
]
close server-port
I can connect and use from the machine on IP 192.168.1.100 using:
server: open/lines tcp://192.168.1.100:4321
until [error? try [insert server ask "R> "]]
;close server
But from my wife's machine on 192.168.1.101 or by localhost, the server
only reports an intrusion attempt. More accepted IPs can be added to the
block:
...
either find [192.168.1.100 192.168.1.101] connection-port/host [
...
*****
Warning: This code has not been thoroughly tested and is likely to ruin your
computer, your business and your life. I suspect that even a 2 month old
infant hacker could easily circumvent this server. It is meant to be a
comical satire of a real computer ip filter and is meant for pleasure
reading only at a distance no closer than 4000 meters from any computer.
*****
Hope that this is more useful than my last posts.
--Scott Jones
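Brian's wish for a listener bound to a subset of local IPs (with a netmask or list of allowed peers), and Scott's tiny server that accepts on every interface and then checks the peer, shown together as an added Python example that is not from this thread and not REBOL (the thread finds no way to choose the bind address in REBOL at the time). The addresses and networks below are constructed sample values.

```python
import ipaddress
import selectors
import socket

# Constructed allowlist: whole networks rather than single hosts, so a
# netmask can be expressed the way Brian asked for.
ALLOWED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.17.0/24")]


def peer_allowed(peer_ip, allowed=ALLOWED):
    """True when the peer's source address lies inside an allowlisted network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowed)


def listen_on(addresses, port):
    """One listening socket per chosen local address instead of the wildcard.

    This is the control the thread is after: an interface whose address is
    not in `addresses` never has the port open at all, so nothing on that
    network can even complete a TCP handshake to it.
    """
    socks = []
    for ip in addresses:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((ip, port))
        s.listen(5)
        socks.append(s)
    return socks


def serve(addresses=("127.0.0.1",), port=4321):
    """Accept on the bound sockets; the peer check is a second line of defence.

    Scott's server does only this second step while bound to every interface,
    so the port stays visible (and scannable) from the other networks.
    """
    sel = selectors.DefaultSelector()
    for s in listen_on(addresses, port):
        sel.register(s, selectors.EVENT_READ)
    while True:
        for key, _ in sel.select():
            conn, (peer_ip, _) = key.fileobj.accept()
            with conn:
                if not peer_allowed(peer_ip):
                    print("rejected connection from", peer_ip)
                    continue
                conn.sendall(b"hello from the bound listener\n")


if __name__ == "__main__":
    serve()
```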
[8/8] from: greggirwin:mindspring at: 10-Aug-2002 12:20
Hi Brian,
I don't have an answer either, but maybe Maarten Koopmans does. I haven't
seen him around in a while, but maybe he knows from his work developing
Rugby.
--Gregg