ip acls

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.


Postby msw » Wed Jan 14, 2004 3:40 pm

hello.

i have set up an acl for a specific server application. the goal was that the server program can only bind to one specific ip. the setting with "bind [ip]" worked well: the bind() call failed on other ips than the specified one. but when binding to 0.0.0.0 the ip acl seems to be bypassed. even with "bind disabled" in the configuration file, the server is able to open and listen on a port on all ips of the machine. is there a way to prevent this and force the program to bind only to the specific ip?

thank you.
msw
 
Posts: 8
Joined: Sat Sep 20, 2003 9:36 pm

Postby weeny » Thu Jan 15, 2004 8:04 am

i am still not too experienced with gr but maybe this helps:

0.0.0.0 allows all ips, including the loopback interface 127.0.0.1

for example when i tried to set up an acl for squid like

<server-ip>:3128

squid failed because for some reason the squid needed also 127.0.0.1. so i added that too and after that the bind looked like

<server-ip>:3128
127.0.0.1:3128

Maybe your server application needs both the ip of your interface card plus lo0?

Another question: Did you compile gr with custom, hi, med? maybe the acl support for ip is not in your kernel... I did not test what happens when ip acls are not enabled in the kernel but specified in the acl.

regards,

weeny
weeny
 
Posts: 11
Joined: Fri Nov 21, 2003 4:26 am

Postby msw » Fri Jan 16, 2004 4:24 pm

ok. i think i've found out the problem.
i didn't look into netstat very well.
the server i tested with was creating a socket that listens on all interfaces using the tcp6 protocol. It seems that when doing this the socket is bound to both ipv4 and ipv6 interfaces and can bypass the ip acls in this way.

is there some work-around for that without disabling ipv6?

thank you for your help
msw
 
Posts: 8
Joined: Sat Sep 20, 2003 9:36 pm

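A detection-side addition that is not part of this thread or of grsecurity: a small Python audit over a constructed netstat-style listing that flags every listener bound beyond the one permitted address, and marks an IPv6 wildcard (::) listener as dual-stack, since on Linux such a socket also accepts IPv4 connections unless IPV6_V6ONLY is set on it or the net.ipv6.bindv6only sysctl is enabled. The sample addresses, the allowed_ip value and the function names are assumptions for the example.

```python
# Added example, not code from the thread: audit a netstat-style listener list
# for binds that a per-address "bind <ip>:<port>" rule does not account for.
# SAMPLE_NETSTAT is constructed sample output, not captured from a real host.
import ipaddress
from typing import Dict, List

SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:3128         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3128          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
"""


def split_addr(local: str):
    """Split netstat's 'addr:port' field; for IPv6 the port follows the last colon."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def audit_listeners(netstat_output: str, allowed_ip: str) -> List[Dict]:
    """Return listeners bound to anything other than allowed_ip.

    Wildcard binds (0.0.0.0 and ::) are the case from the thread: they cover
    every address on the host. A '::' listener is additionally marked as
    dual-stack because, without IPV6_V6ONLY / net.ipv6.bindv6only, it also
    accepts IPv4 traffic and so sidesteps an IPv4-only bind rule.
    """
    findings = []
    for line in netstat_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        proto, local = fields[0], fields[3]
        host, port = split_addr(local)
        if host == allowed_ip:
            continue
        if ipaddress.ip_address(host).is_unspecified:
            reason = "wildcard"
            if proto == "tcp6":
                reason = "wildcard dual-stack (covers IPv4 too)"
        else:
            reason = "not the permitted address"
        findings.append({"proto": proto, "local": local, "port": port, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_NETSTAT, "192.0.2.10"):
        print(f"{f['proto']:5} {f['local']:24} {f['reason']}")
```

Run against real `netstat -tln` output, the 127.0.0.1 finding is the case weeny describes (a daemon that also needs loopback), while the two wildcard findings are the ones that make a per-address bind rule ineffective.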
