[Xorp-users] open ports

Atanu Ghosh atanu@ICSI.Berkeley.EDU
Fri, 13 Aug 2004 13:18:11 -0700


Another problem that has been reported is that if the interface that has
been chosen is taken down the router stops working.

<http://www.xorp.org/bugzilla/show_bug.cgi?id=94>.

	Atanu.

>>>>> "Orion" == Orion Hodson <orion@icir.org> writes:

    Orion> On Aug 10, 2004, at 7:25 AM, Emmanuel Dreyfus wrote:

    >> Hi
    >> 
    >> I installed xorp-1.0 as an IPv4 PIM-SM router on NetBSD. It works fine,
    >> apart from the bug #99 (if built with IPv6 enabled, it won't work on
    >> an IPv6-unaware kernel, ignoring the configuration directives that
    >> disable IPv6).
    >> 
    >> Now I have one last concern: it opens a lot of TCP ports:
    >> $ netstat -na|grep LISTEN
    >> tcp        0      0  193.54.89.1.64040      *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64046      *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64052      *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64054      *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64060      *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64062      *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64066      *.*                    LISTEN
    >> tcp        0      0  *.12000                *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64071      *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64073      *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64076      *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64077      *.*                    LISTEN
    >> tcp        0      0  193.54.89.1.64079      *.*                    LISTEN
    >> tcp        0      0  127.0.0.1.19999        *.*                    LISTEN
    >> 
    >> I'm a bit paranoid on the security front, and I'm absolutely sure I
    >> want no remote control of xorp. How do I close these ports? Or at
    >> least, how do I bind them only to 127.0.0.1?

    Orion> These are ports used for IPC.  There's a co-ordinator process that
    Orion> advertises the ports to other xorp processes.  The default interface
    Orion> is chosen to be the first interface that matches some hardcoded
    Orion> criteria.  The accept() code for each of these sockets checks the
    Orion> incoming IP and shouldn't accept connections that are not from the
    Orion> same interface address (and maybe loopback, I don't recall).  However,
    Orion> loopback would be better from a DDOS perspective.

    Orion> The default IPC interface is accessed and modified through
    Orion> if_get_preferred and if_set_preferred (sockutil.{hh,cc}).  A revised
    Orion> version of the default interface picking code could check loopback
    Orion> first and use it if available and if not fall back to the current
    Orion> default value.

    Orion> In general, having an argument for all XORP processes at the
    Orion> command-line to set this address would probably be useful.  It's a bit
    Orion> of a tedious chore, but going the extra mile and adding a common
    Orion> command-line parser with standard argument handling would fix this and
    Orion> would be a good idea anyway.

    Orion> Any takers?
    Orion> Orion



    Orion> _______________________________________________
    Orion> Xorp-users mailing list
    Orion> Xorp-users@xorp.org
    Orion> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/xorp-users
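The point Orion makes above, that an accept()-time check on the peer address is weaker than binding the IPC socket to loopback, can be seen in a small experiment. The following is an added illustration written for this thread; it is not XORP code and does not use XORP's sockutil API. It opens an ephemeral-port listener on 127.0.0.1 (standing in for the 64xxx ports in the netstat output), applies a peer-address policy after accept(), and records whether the client's TCP handshake completed regardless of the policy decision. The allowed-address sets and the 192.0.2.1 address used to force a rejection are constructed values.

```python
"""Contrast accept()-time peer filtering with binding to loopback.

Added illustration for the XORP IPC discussion; not XORP code.  The
allowed-address sets and the 192.0.2.1 demo address are constructed.
"""
import socket
import threading


def peer_allowed(peer_ip: str, allowed: set) -> bool:
    """The policy the thread describes: only the chosen interface address
    (and optionally loopback) may talk to the IPC socket."""
    return peer_ip in allowed


def make_listener(bind_ip: str) -> socket.socket:
    """Listener on an ephemeral port, like the 64xxx ports in netstat.
    Binding to 127.0.0.1 rather than an interface address is the fix
    Orion suggests: remote hosts then cannot even complete a handshake."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_ip, 0))
    s.listen(5)
    return s


def accept_filtered(listener: socket.socket, allowed: set):
    """Accept one connection and apply the peer check.

    Returns (accepted, peer_ip).  Note that by the time accept() returns
    the kernel has already completed the three-way handshake, so a
    rejected peer still consumed a backlog slot (the DoS angle)."""
    conn, (peer_ip, _port) = listener.accept()
    if not peer_allowed(peer_ip, allowed):
        conn.close()
        return False, peer_ip
    conn.sendall(b"ok\n")
    conn.close()
    return True, peer_ip


def connect_and_read(port: int):
    """Client side: returns (handshake_completed, bytes_received)."""
    c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    c.settimeout(5)
    try:
        c.connect(("127.0.0.1", port))
    except OSError:
        c.close()
        return False, b""
    try:
        data = c.recv(64)        # b"" means the server closed without data
    except OSError:
        data = b""
    finally:
        c.close()
    return True, data


def run_scenario(allowed: set) -> dict:
    """Run one server/client exchange on loopback with the given policy."""
    listener = make_listener("127.0.0.1")
    port = listener.getsockname()[1]
    result = {}

    def server():
        result["accepted"], result["peer"] = accept_filtered(listener, allowed)

    t = threading.Thread(target=server)
    t.start()
    result["handshake"], result["data"] = connect_and_read(port)
    t.join()
    listener.close()
    return result


if __name__ == "__main__":
    # Policy admits loopback: the client is served.
    print(run_scenario({"127.0.0.1"}))
    # Policy admits only a constructed non-local address: the client is
    # dropped after accept(), yet its handshake still completed.
    print(run_scenario({"192.0.2.1"}))
```

In the second scenario the client's connect() succeeds and it only learns of the rejection when the server closes the socket, which is exactly why the filtered port still shows up to a port scan and still costs backlog entries; a socket bound to 127.0.0.1 never gets that far for a remote peer.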