[erlang-questions] Restrict epmd to one IP address?
Per Hedeland
per@REDACTED
Wed Oct 31 13:42:26 CET 2007
"Erik A. Onnen" <eonnen@REDACTED> wrote:
>
>nindeu@REDACTED wrote:
>>>> Just searched a while for an option to bind epmd to a specific IP
>>> address. On my system it binds to all available IP addresses. Hmm, nothing so
>>> far. Do I really have to install a firewall because of epmd?
>>>> How do you deal with epmd? Any better options?
>>
>> Good to know. But still, epmd listens on 0.0.0.0:4369. Any other suggestions?
>>
>> Regards,
>> Eric
>
>Looking at source for R11B-5, epmd_int.h explicitly sets the address of
>the socket struct to INADDR_ANY (or IN6ADDR_ANY_INI for ipv6). So you're
>really at the mercy of the OS. Certain BSDs will choose the "default"
>interface, Linux will choose all interfaces, can't speak for Windows or Mac.

Hm, INADDR_ANY really does instruct the stack to accept a connection to
*any* of the locally configured addresses, (maybe it should have been
called INADDR_ALL:-) - if it doesn't, it's a bug, I've never seen that
on any BSD (or anywhere else). Perhaps you were actually using a
firewall, or something like a FreeBSD "jail" as mentioned in another
post (a jail by design never has more than one IP address).

And btw, at least on the Unices I have used, binding to an IP address
does not bind to an interface - if you bind to an address configured on
eth0 and a connection to it happens to arrive on eth1, it will happily
be accepted anyway (thus, depending on network topology and perceived
threats, binding to a specific address may be a pretty weak protection
and no substitute for a firewall - which is not to imply that epmd needs
protecting:-).

--Per Hedeland
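
Editor's added example, not part of the original message and not epmd's code: a small C check of the INADDR_ANY behaviour described above, comparing a listener bound to one address with one bound to INADDR_ANY. It assumes a Linux-style loopback where all of 127.0.0.0/8 is local, so 127.0.0.2 stands in for a second local address; the function name `reachable` is hypothetical.

```c
/* Added example: constructed loopback test, not taken from epmd. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill sa with ip:port; a NULL ip means INADDR_ANY (what epmd_int.h uses). */
static void mk_addr(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    sa->sin_addr.s_addr = htonl(INADDR_ANY);
    if (ip) inet_pton(AF_INET, ip, &sa->sin_addr);
}

/* Is a listener bound to bind_ip reachable via dst_ip? 1 yes, 0 no, -1 setup error. */
int reachable(const char *bind_ip, const char *dst_ip)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int ok, c, l = socket(AF_INET, SOCK_STREAM, 0);
    if (l < 0) return -1;
    mk_addr(&sa, bind_ip, 0);               /* port 0: kernel picks a free port */
    if (bind(l, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(l, 4) < 0 ||
        getsockname(l, (struct sockaddr *)&sa, &len) < 0) { close(l); return -1; }
    mk_addr(&sa, dst_ip, ntohs(sa.sin_port)); /* same port, chosen destination */
    c = socket(AF_INET, SOCK_STREAM, 0);
    ok = c >= 0 && connect(c, (struct sockaddr *)&sa, sizeof sa) == 0;
    if (c >= 0) close(c);
    close(l);
    return ok;
}

int main(void)
{
    printf("bound 127.0.0.1,  connect 127.0.0.2: %d\n", reachable("127.0.0.1", "127.0.0.2"));
    printf("bound INADDR_ANY, connect 127.0.0.2: %d\n", reachable(NULL, "127.0.0.2"));
    return 0;
}
```

A single host cannot show the second point in the message (a connection to the bound address arriving on a different interface); that needs two interfaces and a peer on the other network.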