Fwd: binding non local ip.

joris dedieu joris.dedieu at gmail.com
Mon Jan 17 13:22:52 UTC 2011


Hi Julian and many thanks for your comments.

2011/1/11 Julian Elischer <julian at freebsd.org>:
> On 1/9/11 3:01 PM, joris dedieu wrote:
>>
>> ---------- Forwarded message ----------
>> From: joris dedieu<joris.dedieu at gmail.com>
>> Date: 2011/1/9
>> Subject: Re: binding non local ip.
>> To: Julian Elischer<julian at freebsd.org>
>>
>>
>> 2011/1/7 Julian Elischer<julian at freebsd.org>:
>>>
>>> On 1/7/11 4:57 AM, joris dedieu wrote:
>>>>
>>>> Hi,
>>>> I need to bind non-local IPs for daemons that don't
>>>> implement the IP_BINDANY sockopt.
>>>
>>> I'm not sure you need it
>>> you can use the ipfw 'fwd' command to make a locally bound
>>> socket act and look as if it is bound to a non local address
>>>
>>> You need to tell us a little more about what you need to do
>>>
>>> for example,
>>> Is the socket just listening? or is it initiating?
>>
>> Listening I think.
>> Typically preparing a spare server.
>> e.g.:
>> - Failover as with carp but with more complex actions such as shutting
>> down the power of the main server, checking data consistency, checking whether
>> the problem is not just a reboot or a buggy service that needs to be
>> restarted.
>
> A listening server can be listening on a local port and address.
> Use ipfw 'fwd' to force it to accept a non-local address socket.
> The local address of the listening socket will be switched to that
> of the address on the session.
>
> e.g.
> ipfw add 100 fwd 127.0.0.1,80 tcp from any to 111.123.123.123 in recv em0
>
> your local server listening on 127.0.0.1:80 will end up with a socket with
> a local address of 111.123.123.123 even if that is not any address of yours.
>
>> - Switch an IP from a main server to an already configured proxy (during a
>> DoS)
>> - monitor that the spare service is running.
>
> this is easy as shown above

As I said above, there are several workarounds depending on the context.
I agree enabling ipfw is not the worst. In my view, the goal of this patch
is just to offer a simple answer to a simple question:
how to bind a non-local IP under FreeBSD? For now the answer is: implement it
with IP_BINDANY, or do as if (with firewalling), or do it another way.
I know it. I do it that way at my job every day.
I just think "turn on sysctl.XXX.YYY" is one of those little things you are
happy to find.

Best regards
Joris

>
>>>> There are several solutions, such as patching every single daemon
>>>> or using carp (you may not want automatic failover), jailing
>>>> the process and of course binding INADDR_ANY when possible ...
>>>>
>>>> As I'm too lazy for this, I wrote a little (maybe ugly, as my
>>>> kernel knowledge is really low) patch that adds a sysctl
>>>> entry in net.inet.ip that allows binding non-local IPs. It's
>>>> maybe buggy and insecure but it seems to work.
>>>
>>> seems ok, but if the daemon is initiating, how does it know to bind to a
>>> non-local address?
>>
>> It doesn't know. That's the goal. So when the address becomes local
>> it's already ready. So you don't discover that it's misconfigured or
>> broken, or whatever else your dummy colleague has imagined :) . You or a
>> script ifconfig the alias and back to bed!
>>>
>>> also, if you have source, a single setsockopt() in each one is not much
>>> of a job..
>>
>> I already do this for haproxy and for apr. But (for haproxy) it seems
>> to be too specific to be integrated upstream. For other services (such as
>> tomcat) that don't know privilege dropping it's more problematic, as
>> IP_BINDANY needs root privileges in most cases.
>>
>> I think that a system-wide solution would be a good thing.
>> Joris
>>>
>
>
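The per-daemon fix the thread keeps coming back to (a single setsockopt() before bind(2)) looks like this in practice. This is an added example, not code from the original post or from any of the daemons mentioned: on FreeBSD the option is IP_BINDANY (which, as the thread notes, requires superuser privileges); on Linux the equivalent is IP_FREEBIND, which needs no privilege, and the example picks whichever the platform defines. The address 192.0.2.1 (TEST-NET-1) is a constructed input assumed not to be configured on any local interface, so the plain bind fails with EADDRNOTAVAIL and the bind with the option set succeeds.

```c
/* bindany.c: bind a listening socket to an address the host does not
 * (yet) own, using the non-local-bind socket option.
 * Added example, not the original post's code.
 * FreeBSD: IP_BINDANY (superuser only).  Linux: IP_FREEBIND (unprivileged).
 * Assumes 192.0.2.1 is not a local address on the machine running this. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#if defined(IP_BINDANY)
#  define NONLOCAL_BIND_OPT IP_BINDANY   /* FreeBSD */
#elif defined(IP_FREEBIND)
#  define NONLOCAL_BIND_OPT IP_FREEBIND  /* Linux */
#endif

/* Create a TCP listener bound to ip:port.  If allow_nonlocal is set, the
 * non-local-bind option is enabled before bind(2), so the bind succeeds
 * even though the address is not configured on any interface yet.
 * Returns the listening descriptor on success, -errno on failure. */
int bind_listener(const char *ip, uint16_t port, int allow_nonlocal)
{
    struct sockaddr_in sin;
    int fd, e, one = 1;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return -EINVAL;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    if (allow_nonlocal) {
#ifdef NONLOCAL_BIND_OPT
        /* This is the one line the thread says each daemon needs. */
        if (setsockopt(fd, IPPROTO_IP, NONLOCAL_BIND_OPT, &one, sizeof one) < 0) {
            e = errno; close(fd); return -e;
        }
#else
        close(fd);
        return -ENOPROTOOPT;  /* platform has no such option */
#endif
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        listen(fd, SOMAXCONN) < 0) {
        e = errno; close(fd); return -e;
    }
    return fd;
}

/* One-shot check on an ephemeral port: 0 if the bind succeeded,
 * -errno otherwise.  The socket is closed either way. */
int try_bind(const char *ip, int allow_nonlocal)
{
    int fd = bind_listener(ip, 0, allow_nonlocal);
    if (fd < 0)
        return fd;
    close(fd);
    return 0;
}

int main(void)
{
    const char *addr = "192.0.2.1";  /* constructed: assumed non-local */
    int r;

    r = try_bind(addr, 0);
    printf("plain bind to %s: %s\n", addr, r ? strerror(-r) : "ok");
    r = try_bind(addr, 1);
    printf("bind with non-local option: %s\n", r ? strerror(-r) : "ok");
    return 0;
}
```

Once the address is later added as an alias (ifconfig em0 inet 192.0.2.1 alias), the already-listening socket starts receiving connections without a restart, which is the "already ready" behaviour the thread wants. On FreeBSD run the program as root, since the setsockopt itself is the privileged step.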

