[vdr] [Patch] Allow to limit SVDRP port to given IP

Klaus Schmidinger Klaus.Schmidinger at tvdr.de
Fri Jan 8 18:41:59 CET 2010


On 08.01.2010 16:56, Manuel Reimer wrote:
> -------- Original Message --------
>> Date: Fri, 08 Jan 2010 14:57:12 +0100
>> From: Klaus Schmidinger <Klaus.Schmidinger at tvdr.de>
>> To: VDR Mailing List <vdr at linuxtv.org>
>> Subject: Re: [vdr] [Patch] Allow to limit SVDRP port to given IP
> 
>> What about svdrphosts.conf?
> 
> It just denies someone access. The port is still available, accessible and, in the worst case, also attackable. IIRC it is even required to accept the connection first, to find out the IP of the computer which tries to access, and then to drop the connection in a second step. IMHO the better way, from the security standpoint, is to get the port closed, so a potential attacker isn't able to get to it at all. Most other daemons which open ports allow such configuration, like cups, apache and others.
> 
> svdrphosts.conf, of course, is still needed for fine configuration of allowed hosts (other daemons also have this), but limiting the port to localhost would be the better alternative to just disabling svdrp by setting the port to zero, as currently recommended in the INSTALL file. If someone wants to configure his system to have a minimum of ports opened to the outside world (like me), then *disabling* svdrp is never a good solution, as this breaks scripts and other external features.
> 
> The only thing I'm unsure about is whether we really need to specify an IP. A simple switch like "--svdrp-localhost" (or similar) would also do the job. But my first solution has the advantage that there is no additional switch needed.

How about this: if svdrphosts.conf contains only one single IP number, then
open the port for only that IP number. Otherwise it needs to be opened generally,
anyway.

BTW: please don't CC: me - I am subscribed to the list ;-)

Klaus


