Hi John,

On Sat, May 13, 2006 at 01:08:28PM -0500, John Goerzen wrote:
> To actually have the daemons bind to a specific interface would require
> some new configuration file options.  I would be happy to forward this
> to upstream if you would like, [...]

Please do. That's definitely an option I'd like to see in Bacula (or any
other networked daemon for that matter).


> That said, Bacula is built with tcpwrappers (libwrap) support.  While
> not exactly the same, do you think that libwrap may be an acceptable
> solution for this?

Sure, it's better than nothing. Not exposing the daemon at all vs.
exposing it but trying to secure it, is still better though.

That said, a small snippet or example or HOWTO in README.Debian
saying a) that Bacula is built with libwrap support (I wouldn't have
guessed so) and b) a quick HOWTO/example for securing it by e.g.
restricting access to localhost, would be nice (see below).


> There is an open bug (#360530) calling for documentation of the proper
> hosts.allow/deny configuration for Bacula already.  I hope to get that
> documentation written soon.

That's great!


> As far as what the defaults should be out of the box, I'm not really
> certain.  Precedent among other packages is not entirely clear.
> Databases these days default to localhost only, while most other
> networkable services default to allowing network connections.

Not too many, as far as I can see. All of the daemons on my laptop (e.g.
spamassassin, privoxy, postfix, apache, ...) only listen to localhost. But
honestly, I'm not sure that's what they do by default, maybe I just configured
them to do so ;-)


Uwe.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org

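The difference discussed in the message above, between a daemon bound to localhost and one that listens on every interface and relies on libwrap, is visible in the listening-socket table, because libwrap only filters after the connection has been accepted. The following is an added example, not part of the original mail or of Bacula: it classifies listeners from `ss -ltn` output by bind address. The sample output is constructed, and the ports 9101-9103 are assumed to be the default Bacula Director, File and Storage daemon ports.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (not taken from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:9102         0.0.0.0:*
LISTEN  0       128     [::]:9103            [::]:*
LISTEN  0       128     192.168.1.10:9101    0.0.0.0:*
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       128     [::1]:25             [::]:*
LISTEN  0       128     127.0.0.53%lo:53     0.0.0.0:*
LISTEN  0       128     *:80                 *:*
"""

# Assumption: default Bacula ports (Director, File daemon, Storage daemon).
BACULA_PORTS = {9101, 9102, 9103}


def classify(local):
    """Split 'addr:port' and say how widely the socket is bound."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    if host in ("*", "0.0.0.0", "::"):
        return int(port), "all-interfaces"
    ip = ipaddress.ip_address(host)
    return int(port), "loopback" if ip.is_loopback else "specific-interface"


def listeners(ss_output):
    """Return (port, scope, raw local address) for every LISTEN row."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            port, scope = classify(fields[3])
            rows.append((port, scope, fields[3]))
    return rows


def exposed(ss_output, ports=None):
    """Ports reachable from the network, i.e. not bound to loopback only."""
    return sorted(p for p, scope, _ in listeners(ss_output)
                  if scope != "loopback" and (ports is None or p in ports))


if __name__ == "__main__":
    for port, scope, raw in listeners(SAMPLE_SS):
        print(f"{port:>5}  {scope:<18}  {raw}")
    print("exposed Bacula ports:", exposed(SAMPLE_SS, BACULA_PORTS))
```

A daemon restricted only through hosts.allow/hosts.deny still appears here as `all-interfaces`; only a bind-address option moves it to `loopback` or `specific-interface`.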