[vdr] [Patch] Allow to limit SVDRP port to given IP

Manuel Reimer Manuel.Reimer at gmx.de
Fri Jan 8 16:56:08 CET 2010


-------- Original Message --------
> Date: Fri, 08 Jan 2010 14:57:12 +0100
> From: Klaus Schmidinger <Klaus.Schmidinger at tvdr.de>
> To: VDR Mailing List <vdr at linuxtv.org>
> Subject: Re: [vdr] [Patch] Allow to limit SVDRP port to given IP

> What about svdrphosts.conf?

It just denies someone access. The port is still available, accessible and, in the worst case, also attackable. IIRC it is even required to accept the connection first, to find out the IP of the computer that tries to access it, and then to drop the connection in a second step. IMHO the better way, from a security standpoint, is to get the port closed, so a potential attacker isn't able to get to it at all. Most other daemons that open ports, like cups, apache and others, allow such configuration.

svdrphosts.conf, of course, is still needed for fine configuration of allowed hosts (other daemons also have this), but limiting the port to localhost would be the better alternative to just disabling svdrp by setting the port to zero, as currently recommended in the INSTALL file. If someone wants to configure his system to have a minimum of ports opened to the outside world (like me), then *disabling* svdrp is never a good solution, as this breaks scripts and other external features.

The only thing I'm unsure about is whether we really need to specify an IP. A simple switch like "--svdrp-localhost" (or similar) would also do the job. But my first solution has the advantage that there is no additional switch needed.

Yours

Manuel
-- 
()  ascii ribbon campaign - against html mail
/\
answers as html mail will be deleted automatically!
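
The difference described in this message, as an added example (not VDR's code and not the patch under discussion): a listener bound to one address, next to a host-list style check that can only run after accept(). The function names and the sample addresses are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a TCP listener bound to one address. "127.0.0.1" keeps the port off
 * every external interface, "0.0.0.0" exposes it on all of them.
 * Port 0 asks the kernel for a free port. Returns the fd, or -1 on error. */
int open_listener(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -1;                 /* only a literal IPv4 address is accepted */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Read back the local address and port the kernel actually bound. */
int bound_to(int fd, struct sockaddr_in *out)
{
    socklen_t len = sizeof *out;
    return getsockname(fd, (struct sockaddr *)out, &len);
}

/* Host-list style check: the peer address is known only once accept() has
 * returned, so the TCP handshake has already completed when it runs.
 * Returns the connection fd if the peer matches, else closes it and gives -1. */
int accept_if_allowed(int lfd, const char *allowed_ip)
{
    struct sockaddr_in peer, allowed;
    socklen_t len = sizeof peer;
    int cfd = accept(lfd, (struct sockaddr *)&peer, &len);
    if (cfd < 0)
        return -1;
    if (inet_pton(AF_INET, allowed_ip, &allowed.sin_addr) == 1 &&
        peer.sin_addr.s_addr == allowed.sin_addr.s_addr)
        return cfd;
    close(cfd);
    return -1;
}
```

With the wildcard bind, a denied client still sees connect() succeed before the daemon drops it; with the loopback bind, a remote client has no listening socket to reach.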
