gpsd-users

Re: listen on specific network interfaces


From: Gary E. Miller
Subject: Re: listen on specific network interfaces
Date: Thu, 16 Apr 2020 12:44:05 -0700

Yo Tor!

On Thu, 16 Apr 2020 13:39:37 +0200
Tor Rune Skoglund <address@hidden> wrote:

> On 16.04.2020 13:30, Mike Simpson wrote:
> > If you're using containers then you have way more fundamental
> > network security problems than gpsd listening on all or loopback.  
> 
> That is certainly true. The gpsd thing is just one minor issue,
> however, it is still something we want to resolve. At present, gpsd
> is the only daemon we have that does not offer specifying which IPs to
> listen to, so we might offer a patch anyway. Whether it is taken or
> not, is not up to us.

A patch will get looked at.  Submit it as a Merge Request.  This has
been a common request.

First you need to decide what the patch should do.  This started off
as limiting gpsd to particular interfaces, now it is limiting gpsd to
particular IPs.  Which is it?

This is a very slippery slope.  Just look at all the Apache and
Sendmail access control options.

Also, have you considered how this interacts with DHCP?  Or when gpsd
starts while the network is down?  Many traps for the unwary.

> There are also other issues with some setups not relating to security 
> when listening to INADDR_ANY, like making that port unavailable
> inside the container. Also a reason why we want to see a fix.

Port 2947 is reserved for gpsd.  No other service should use that port.

All this work to avoid a one line firewall rule???

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        address@hidden  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin
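
Added example, not part of the original message and not gpsd code: a small C program showing the startup trap raised above, where a daemon told to listen on one specific IP fails with EADDRNOTAVAIL if that address is not configured yet (DHCP lease pending, network down), while INADDR_ANY always binds. The function name `try_listen`, the use of port 0 (ephemeral, to avoid clashing with a running gpsd on 2947), the documentation address 192.0.2.1 standing in for a not-yet-assigned IP, and the Linux-only `IP_FREEBIND` option are choices made for this illustration.

```c
/* Added illustration, not gpsd source. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to open a TCP listener on ip:port (hypothetical helper).
 * Returns 0 on success, otherwise the errno of the failing call.
 * freebind != 0 asks Linux to allow an address not yet on any interface. */
int try_listen(const char *ip, unsigned short port, int freebind)
{
    struct sockaddr_in sa;
    int one = 1, err = 0, fd;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return EINVAL;                  /* not a dotted-quad IPv4 address */
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
#ifdef IP_FREEBIND
    if (freebind && setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0)
        err = errno;
#else
    if (freebind) err = ENOPROTOOPT;    /* option not available on this OS */
#endif
    if (err == 0 && bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        err = errno;                    /* EADDRNOTAVAIL if IP is not local */
    if (err == 0 && listen(fd, 4) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    const char *addrs[] = { "0.0.0.0", "127.0.0.1", "192.0.2.1" };
    for (size_t i = 0; i < 3; i++) {
        int e = try_listen(addrs[i], 0, 0);
        printf("%-10s %s\n", addrs[i], e ? strerror(e) : "listening");
    }
    return 0;
}
```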
