Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!esmeralda.access.net.au!news.netspace.net.au!news.mira.net.au!inquo!news.uoregon.edu!hammer.uoregon.edu!newsgate.cuhk.edu.hk!news.hk.net!howland.erols.net!newsfeed.internetmci.com!inet-nntp-gw-1.us.oracle.com!nntp-hub.barrnet.net!parc!fenner
From: fenner@parc.xerox.com (Bill Fenner)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Q. on socket() programming
Date: 6 Nov 1996 20:08:10 GMT
Organization: Xerox Palo Alto Research Center
Lines: 24
Message-ID: <55qr7a$iut@news.parc.xerox.com>
References: <846622354snz@beckley.demon.co.uk>
NNTP-Posting-Host: crevenia.parc.xerox.com

In article <846622354snz@beckley.demon.co.uk>,
Ian W Taylor <iwta@beckley.demon.co.uk> wrote:
>Can you restrict which clients a server process will
>service using bind() ?.

No.

>If not is there a simple way of doing it other than
>getting the clients IP addr from the accept() call
>and then getting its name from gethostbyaddr(), and
>if it is not acceptable just close()ing the socket.

Well, you can't necessarily trust what you get from gethostbyaddr();
if an attacker controls his DNS then he can make gethostbyaddr()
return whatever he wants.  You should either:

- Do controls by IP address only
or
- Only trust hostnames that you can gethostbyaddr() then gethostbyname()
  and the results match.

But yes, the easiest way is to just check the address of the new peer
that accept() gives you.

  Bill
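
Added example, not part of the original post: the two checks the reply recommends, applied to the peer address that accept() returns. It is IPv4 only and uses getnameinfo()/getaddrinfo() as the current equivalents of gethostbyaddr()/gethostbyname(); the function names and the allowlist entries are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed allowlist (RFC 5737 documentation ranges): network, prefix bits. */
static const struct { const char *net; int bits; } allowed[] = {
    { "192.0.2.0", 24 }, { "198.51.100.7", 32 },
};

/* Option 1: decide on the peer address alone; no DNS is consulted. */
int ip_allowed(struct in_addr peer)
{
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        struct in_addr net;
        if (inet_pton(AF_INET, allowed[i].net, &net) != 1)
            continue;
        uint32_t mask = allowed[i].bits ? htonl(~0u << (32 - allowed[i].bits)) : 0;
        if ((peer.s_addr & mask) == (net.s_addr & mask))
            return 1;
    }
    return 0;
}

/* Option 2: reverse-resolve the peer, forward-resolve that name, and trust
 * the name only if the forward answer contains the peer's own address.
 * Returns 1 with the confirmed name in name[], 0 if it cannot be confirmed. */
int confirmed_hostname(const struct sockaddr_in *peer, char *name, size_t len)
{
    struct addrinfo hints, *res, *ai;
    int ok = 0;

    if (getnameinfo((const struct sockaddr *)peer, sizeof *peer,
                    name, len, NULL, 0, NI_NAMEREQD) != 0)
        return 0;                       /* no reverse (PTR) record */
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return 0;                       /* claimed name has no forward record */
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)ai->ai_addr;
        if (sin->sin_addr.s_addr == peer->sin_addr.s_addr)
            ok = 1;                     /* forward lookup confirms the peer */
    }
    freeaddrinfo(res);
    return ok;
}
```

In an accept() loop, a server would call ip_allowed(peer.sin_addr) or confirmed_hostname(&peer, ...) on the filled-in sockaddr_in and close() the new socket when the check returns 0.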