*BSD News Article 82440

Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!esmeralda.access.net.au!news.netspace.net.au!news.mira.net.au!inquo!news.uoregon.edu!hammer.uoregon.edu!newsgate.cuhk.edu.hk!news.hk.net!howland.erols.net!newsfeed.internetmci.com!inet-nntp-gw-1.us.oracle.com!nntp-hub.barrnet.net!parc!fenner
From: fenner@parc.xerox.com (Bill Fenner)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Q. on socket() programming
Date: 6 Nov 1996 20:08:10 GMT
Organization: Xerox Palo Alto Research Center
Lines: 24
Message-ID: <55qr7a$iut@news.parc.xerox.com>
References: <846622354snz@beckley.demon.co.uk>
NNTP-Posting-Host: crevenia.parc.xerox.com

In article <846622354snz@beckley.demon.co.uk>,
Ian W Taylor  <iwta@beckley.demon.co.uk> wrote:
>Can you restrict which clients a server process will
>service using bind()?

No.

>If not is there a simple way of doing it other than
>getting the clients IP addr from the accept() call
>and then getting its name from gethostbyaddr(), and
>if it is not acceptable just close()ing the socket.

Well, you can't necessarily trust what you get from gethostbyaddr(); if
an attacker controls his DNS then he can make gethostbyaddr() return whatever
he wants.  You should either:
- Do controls by IP address only
or
- Only trust hostnames that you can gethostbyaddr() then gethostbyname() and
the results match.

But yes, the easiest way is to just check the address of the new peer
that accept() gives you.

  Bill
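The approach Bill describes, as an added example that is not part of the original post: an IPv4 server that decides on the peer address accept() fills in, and a forward-confirmed reverse lookup (gethostbyaddr() followed by gethostbyname(), accepting the name only when the results match) used solely for logging. POSIX sockets are assumed; the allowlist rules and the probe addresses are constructed, and the allow_rule type and helper names are this example's own.

```c
/* Added example: restricting a TCP server to an allowlist of client IP
 * addresses, checked against the sockaddr that accept() reports, plus the
 * forward-confirmed reverse lookup described in the post. IPv4/POSIX only;
 * the rule set and addresses used below are constructed for illustration. */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* One allowlist entry: network address and mask, both in network byte order. */
struct allow_rule {
    struct in_addr net;
    struct in_addr mask;
};

/* Build a rule from dotted-quad text and a prefix length (e.g. "192.0.2.0", 24).
 * Returns 0 on success, -1 on a bad address or prefix. */
int make_rule(struct allow_rule *r, const char *net, int prefix)
{
    if (prefix < 0 || prefix > 32 || inet_pton(AF_INET, net, &r->net) != 1)
        return -1;
    r->mask.s_addr = htonl(prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix));
    r->net.s_addr &= r->mask.s_addr;       /* canonicalise: host bits to zero */
    return 0;
}

/* Check the address accept() reported against the allowlist. The decision
 * rests only on the peer's IP address, never on a resolved name. */
int peer_allowed(const struct sockaddr_in *peer,
                 const struct allow_rule *rules, size_t nrules)
{
    if (peer->sin_family != AF_INET)
        return 0;
    for (size_t i = 0; i < nrules; i++)
        if ((peer->sin_addr.s_addr & rules[i].mask.s_addr) == rules[i].net.s_addr)
            return 1;
    return 0;
}

/* Forward-confirmed reverse lookup: gethostbyaddr() returns whatever name the
 * address owner's DNS chooses; only trust it if gethostbyname() of that name
 * lists the original address. Returns 1 and copies the name if so, else 0. */
int confirmed_hostname(struct in_addr addr, char *name, size_t namelen)
{
    struct hostent *rev = gethostbyaddr(&addr, sizeof addr, AF_INET);
    if (rev == NULL || rev->h_name == NULL)
        return 0;
    /* copy before the next lookup: gethostbyname() reuses the same static buffer */
    snprintf(name, namelen, "%s", rev->h_name);
    struct hostent *fwd = gethostbyname(name);
    if (fwd == NULL || fwd->h_addrtype != AF_INET)
        return 0;
    for (char **p = fwd->h_addr_list; *p != NULL; p++)
        if (memcmp(*p, &addr, sizeof addr) == 0)
            return 1;
    return 0;
}

/* Accept loop skeleton: decide on the address before reading any client data. */
void serve(int listen_fd, const struct allow_rule *rules, size_t nrules)
{
    for (;;) {
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        int fd = accept(listen_fd, (struct sockaddr *)&peer, &len);
        if (fd < 0)
            break;
        char ip[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &peer.sin_addr, ip, sizeof ip);
        if (!peer_allowed(&peer, rules, nrules)) {
            fprintf(stderr, "rejected %s\n", ip);   /* log, then drop */
            close(fd);
            continue;
        }
        char host[256];
        if (confirmed_hostname(peer.sin_addr, host, sizeof host))
            fprintf(stderr, "accepted %s (%s)\n", ip, host);
        else
            fprintf(stderr, "accepted %s (name unconfirmed)\n", ip);
        /* ... handle the client on fd ... */
        close(fd);
    }
}

int main(void)
{
    struct allow_rule rules[2];
    make_rule(&rules[0], "192.0.2.0", 24);     /* constructed: documentation range */
    make_rule(&rules[1], "127.0.0.1", 32);
    struct sockaddr_in probe;
    memset(&probe, 0, sizeof probe);
    probe.sin_family = AF_INET;
    inet_pton(AF_INET, "192.0.2.77", &probe.sin_addr);
    printf("192.0.2.77 allowed: %d\n", peer_allowed(&probe, rules, 2));
    inet_pton(AF_INET, "198.51.100.5", &probe.sin_addr);
    printf("198.51.100.5 allowed: %d\n", peer_allowed(&probe, rules, 2));
    return 0;
}
```

The hostname is only ever logged, never used for the access decision: even a forward-confirmed name proves nothing more than the address already did, and an attacker who controls both zones can make the two lookups agree.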