[erlang-questions] Restrict epmd to one IP address?

Per Hedeland <>
Wed Oct 31 13:42:26 CET 2007


"Erik A. Onnen" <> wrote:
>
> wrote:
>>>> Just searched a while for an option to bind epmd to a specific IP
>>> address. On my system it binds to all available IP addresses. Hmm, nothing so
>>> far. Do I really have to install a firewall because of epmd?
>>>> How do you deal with epmd? Any better options?
>> 
>> Good to know. But still, epmd listens on 0.0.0.0:4369. Any other suggestions?
>> 
>> Regards,
>> Eric
>
>Looking at source for R11B-5, epmd_int.h explicitly sets the address of 
>the socket struct to INADDR_ANY (or IN6ADDR_ANY_INI for ipv6). So you're 
>really at the mercy of the OS. Certain BSDs will choose the "default" 
>interface, Linux will choose all interfaces, can't speak for Windows or Mac.

Hm, INADDR_ANY really does instruct the stack to accept a connection to
*any* of the locally configured addresses, (maybe it should have been
called INADDR_ALL:-) - if it doesn't, it's a bug, I've never seen that
on any BSD (or anywhere else). Perhaps you were actually using a
firewall, or something like a FreeBSD "jail" as mentioned in another
post (a jail by design never has more than one IP address).

And btw, at least on the Unices I have used, binding to an IP address
does not bind to an interface - if you bind to an address configured on
eth0 and a connection to it happens to arrive on eth1, it will happily
be accepted anyway (thus, depending on network topology and perceived
threats, binding to a specific address may be a pretty weak protection
and no substitute for a firewall - which is not to imply that epmd needs
protecting:-).

--Per Hedeland




More information about the erlang-questions mailing list