Date:      Wed, 22 Apr 1998 20:47:34 +0200
From:      Poul-Henning Kamp <phk@critter.freebsd.dk>
To:        "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com>
Cc:        peter@netplex.com.au, cvs-committers@freebsd.org, cvs-all@freebsd.org, cvs-usrsbin@freebsd.org, soren@dt.dk
Subject:   Re: cvs commit: src/usr.sbin/syslogd syslogd.c 
Message-ID:  <4371.893270854@critter.freebsd.dk>
In-Reply-To: Your message of "Wed, 22 Apr 1998 11:10:19 PDT." <199804221810.LAA07748@GndRsh.aac.dev.com> 

In message <199804221810.LAA07748@GndRsh.aac.dev.com>, "Rodney W. Grimes" writes:
>> 
>> Hmmmm,
>> 
>> Now, I'm not too sure what people use SecureMode for, but it doesn't
>> make sense to expect one host to accept remote logging from other
>> hosts that don't, at least in my book...
>
>Your book may not involve a large AS of systems that remotely syslog to
>a central syslog server.  All ``syslog clients'' run in syslogd -s mode,
>the ``syslog server'' runs in normal syslogd mode, but has ipfw setup
>such that it only accepts syslog packets from a trusted list of clients.

Well, for the ipfw to work, wouldn't the socket need to be bound to
a well-known port then?  That was the fact that made me conclude that
you couldn't do the above scenario in the first place.

I would think that all securemode should do would be to not include the
fd in what select is watching, but the code before this change also
diked out the bind, so you wouldn't know what port you would be sending
syslog messages from, making ipfw unable to decide if the message came
from syslogd or some random user...

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"Drink MONO-tonic, it goes down but it will NEVER come back up!"
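The distinction drawn in the message above (keep the bind so the source port is fixed, and only leave the descriptor out of select in secure mode) as an added C example; this is not code from syslogd or from the author, and the unprivileged port used by the test is a constructed stand-in for syslog's well-known port 514.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <string.h>
#include <unistd.h>

/* Open the UDP socket a syslogd-like daemon would use. When bind_port is
 * nonzero the socket is bound to it, so every datagram sent from it carries
 * that port as its source port and a packet filter can match on it.
 * Returns the descriptor, or -1 on failure. */
int open_syslog_socket(unsigned short bind_port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (bind_port != 0) {
        struct sockaddr_in sin;
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
        sin.sin_port = htons(bind_port);
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
            close(fd);
            return -1;
        }
    }
    return fd;
}

/* Local port of fd in host order; 0 means unbound, i.e. the kernel will pick
 * an arbitrary ephemeral port on the first send, which is exactly what a
 * source-port filter rule cannot predict. */
unsigned short local_port(int fd) {
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return 0;
    return ntohs(sin.sin_port);
}

/* Build the read set for select(): in secure mode the network socket is left
 * out, so nothing is ever read from it, while it stays bound for sending.
 * Returns nonzero if fd is being watched. */
int watched_by_select(int fd, int secure_mode, fd_set *readfds) {
    FD_ZERO(readfds);
    if (!secure_mode)
        FD_SET(fd, readfds);
    return FD_ISSET(fd, readfds);
}
```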