[Nut-upsdev] [nut-Feature Requests][310492] Allow to specify hostnames in ACL (upsd.conf)

Carlos Rodrigues carlos.efr at mail.telepac.pt
Sat Jan 19 22:21:20 UTC 2008


On Jan 19, 2008 9:20 PM, Arjen de Korte <nut+devel at de-korte.org> wrote:
> The principal 'flaw' in NUT server access control is that restricting
> access should be done *before* a connection is made, i.e. at the time a
> client initiates a connection (sends the SYN packet). The only way to
> reject/drop a connection at that time is through (kernel level) packet
> filtering. Therefore, the better way would be to both restrict the
> interfaces we're listening on (instead of the default global IPv4
> listening address now) and use kernel packet filtering to restrict access.

I guess, if the server is listening only on 127.0.0.1, then having r/o
access open by default isn't such a big deal.

BTW, isn't this the case already? If a client is allowed to connect by
an ACL, it already has r/o access... the only difference would be the
removal of the ACL system (which I don't know why it was implemented
in the first place, since all unixes have historically had some sort
of hosts.allow/deny mechanism, which does the same thing).

-- 
Carlos Rodrigues
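
The point in the quoted text, as an added illustration that is not part of the original thread and is not NUT code: a userspace ACL can only be evaluated after `accept()`, by which time the TCP handshake has already completed for a client that is then denied. The ACL contents, function names and the loopback-only listener are assumptions made for this sketch.

```python
import ipaddress
import socket
import threading

# Hypothetical ACL for this demo: empty, so every peer is denied.
ALLOWED_NETS = []

def acl_allows(peer_ip, nets=ALLOWED_NETS):
    """Userspace ACL check: is peer_ip inside any allowed network?"""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def serve_once(listener, log):
    # accept() only returns once the kernel has finished the three-way
    # handshake, so the peer is already connected when the ACL is consulted.
    conn, peer = listener.accept()
    with conn:
        if acl_allows(peer[0]):
            log.append(("allowed", peer[0]))
            conn.sendall(b"OK\n")
        else:
            # All a daemon can do at this stage is close the socket.
            log.append(("denied-after-accept", peer[0]))

def demo():
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Bind to loopback only: remote hosts cannot reach this socket at all,
    # which is the "restrict the listening interface" half of the advice.
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    bound_ip, port = listener.getsockname()
    log = []
    worker = threading.Thread(target=serve_once, args=(listener, log))
    worker.start()
    # connect() succeeds even though the ACL will deny this client.
    client = socket.create_connection(("127.0.0.1", port), timeout=5)
    data = client.recv(16)  # b"" means the server closed without replying
    client.close()
    worker.join(5)
    listener.close()
    return bound_ip, data, log

if __name__ == "__main__":
    print(demo())
```

Rejecting the SYN itself, so that the connection is never established, needs a kernel packet filter rule in front of the daemon; nothing in the process above can do that.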


