FreeBSD Port: poppassd-4.0_2

Jeremy Chadwick freebsd at
Fri May 12 23:16:49 UTC 2006

On Fri, May 12, 2006 at 11:49:15PM +0100, Andrew wrote:
> On 12/05/2006, at 9:51 PM, Sean Murphy wrote:
> >is there anyway to restrict this daemon to listen only on 
> >local host?
> poppassd is called by inetd so thats where you need to look. The 
> easiest method would probably be to use tcp wrappers. See the inetd man 
> page for details but basically run inetd with -w and edit 
> /etc/hosts.allow.

tcpwrappers should not be relied upon in any way shape or form for
security.  Application-level IP checking should only be used as a
last resort.  Why?  Because for tcpwrappers to work, the client has
to already have an established TCP or UDP socket.  By then it's too
late -- the socket has already been established, which means the
attacker, at a bare minimum, knows what service(s) you're running on
your machine.  Not good.  :-)

If poppassd can't run as a daemon and bind to a specific interface or
IP itself (and must run under inetd), then I'd recommend replacing
inetd on your systems with xinetd -- which does offer per-service
per-interface binding (inetd offers interface binding via the -a flag,
but for all services).

Simple security rule: do not bind to an interface or IP which you do
not want to receive (insert-service-here) packets via.

| Jeremy Chadwick                                 jdc at |
| Parodius Networking               |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.                             |

More information about the freebsd-ports mailing list