[Nut-upsdev] [nut-Feature Requests][310492] Allow to specify hostnames in ACL (upsd.conf)

Arjen de Korte nut+devel at de-korte.org
Mon Jan 7 15:15:11 UTC 2008


> Feature Requests item #310492, was opened at 07/01/2008 09:57
> Status: Open
> Priority: 3
> Submitted By: Arnaud Quette (aquette)
> Assigned to: Nobody (None)
> Summary: Allow to specify hostnames in ACL (upsd.conf)
> Category: None
> Group: None
>
>
> Initial Comment:
> allow a new ACL form:
> ACL hostname/mask
>
> example:
> ACL localhost localhost/32
> or
> ACL localhost localhost/255.255.255.255
>
> This is obviously reserved to names that can be resolved (so host only?)
>
>
> ----------------------------------------------------------------------
>
> You can respond by visiting:
> http://alioth.debian.org/tracker/?func=detail&atid=411545&aid=310492&group_id=30602

The question here is, do we still need ACL's?

In the current implementation, we have done much of the grunt work of
processing incoming TCP connection, before the ACL's are being processed.
When it comes to prevent abuse of the NUT server, they won't protect
against a DOS attack. Since nut-2.0.5 (if memory serves), NUT allows
control on which adress we *listen* at through the LISTEN directive in
'upsd.conf'. On a multihomed server, one can configure to listen only on
the internal interfaces for instance, without risking exposure to the
outside world.

For more fine grained (source adress) access control, you'd need a
firewall anyway (see above). In most (if not all) installations, packet
filtering (through iptables for instance) will be installed by default,
which can do a far more efficient job in filtering out unwanted
connections than we ever can through the ACL's. If a firewall is used, the
administrator will have to poke a hole in it anyway, to allow incoming
connections in.

Bottomline is, that I think the ACL's are obsolete and can better be
replaced by kernel packet filtering rules and/or the LISTEN directive.
This will surely reduce the burden of setting up the 'upsd' server,
without sacrifying security (adding additional DNS queries for incoming
connection will only amplify the effectiveness of DOS attacks, so that is
another reason why this feature request is not a good idea).

Therefor, I would like to suggest to remove the ACL code from the server
and change the default LISTEN address (if one is not provided in
'upsd.conf') to 127.0.0.1 (IPv4) and/or ::1 (IPv6). This (together with a
few lines in the UPGRADING file) should be secure enough by default. We
should probably make this part of nut-2.4.0, to make sure that people are
not caught off-guard by this change.

Best regards, Arjen
-- 
Eindhoven - The Netherlands
Key fingerprint - 66 4E 03 2C 9D B5 CB 9B  7A FE 7E C1 EE 88 BC 57




More information about the Nut-upsdev mailing list