Hi

On Sat, Dec 08, 2001 at 07:40:06PM +1000, [EMAIL PROTECTED] wrote:
[snip]
> So, what I can figure out is that it seems that I have only
> the following daemons listening: postfix, sshd, cupsd,
> XF86_SVGA, portmap.
>
> I have only deliberately decided to run postfix, sshd and
> cupsd. Everything in /etc/inetd.conf is hashed out. In fact
> I renamed the file so that it is not accessed at all.
Commenting everything out should be sufficient.

> The only ones I didn't know about in this list are portmap and
> XF86_SVGA. Firstly, I can't seem to find the config file for
> X where you set the --nolisten parameter - but I have not
> unset this at any stage and I thought Debian did this by

Make sure your /etc/X11/xinit/xserverrc contains something like this:

#!/bin/sh
exec /usr/bin/X11/X -dpi 100 -nolisten tcp

> default. Secondly, I guess everyone needs portmap it seems,
> so I can't turn this off or some things won't work. Someone
> please educate me here.

No. You do not need portmap unless you're using NFS or something like that (i.e. SUN RPC services). portmap is started by /etc/init.d/portmap when your machine boots. Disable it. (Why was portmap part of net-base to begin with?)

If you're using testing/unstable, portmap is in its own package (called portmap) and you should be able to uninstall it.

> So my question is:
> Is there some way to make certain daemons, (say postfix)
> listen only on some interfaces? For example, I have
> everything firewalled from outside, so I really only need
> postfix to listen on the loopback interface for local
> connections. Is this possible?

It's technically possible, but this depends on whether the particular daemon has support for this. Postfix does. Just put a line like this in main.conf:

inet_interfaces = localhost

> Then netstat -ln might show something like:
> tcp 0 0 0.0.0.0:25 127.0.0.1:* LISTEN
[snip]

Well, not quite :) Here's what it looks like:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN

I have no idea if cups supports binding to a particular interface, but the documentation should tell you. If you can't figure out how to do it or it's not possible without modifying the source, you should use ipchains/iptables to restrict access to the port it uses.

I hope this helps.

-- 
Michael Wood <[EMAIL PROTECTED]>
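An added example, not part of Michael Wood's reply or the original thread: a small shell audit that reads `netstat -ln` output and separates listeners bound to every interface (0.0.0.0, :: or *) from those bound to one specific address such as 127.0.0.1. That is the check the thread does by eye, and it is the quick way to confirm that an `inet_interfaces = localhost` or `-nolisten tcp` change actually took effect. The embedded netstat output is constructed sample data (it mirrors the daemons named in the thread), and the function and variable names are mine; the parser assumes netstat's column layout, not that of `ss`.

```shell
#!/bin/sh
# Added example (not from the original mail). Classify listening sockets
# from `netstat -ln` output by the address they are bound to.

# Constructed sample of `netstat -ln` output, so this runs offline.
# On a real host, pipe `netstat -ln` into the functions below instead.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# classify_listeners MODE
#   MODE "exposed": print "proto port" for listeners bound to all interfaces
#   MODE "bound":   print "proto port" for listeners bound to one address
# Reads netstat -ln output on stdin; non-socket lines (headers) are skipped.
classify_listeners() {
    awk -v want="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            # Split "addr:port" on the last colon so IPv6 forms like
            # ":::22" keep their full address part.
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            exposed = (addr == "0.0.0.0" || addr == "::" || addr == "*")
            if ((want == "exposed" && exposed) || (want == "bound" && !exposed))
                print $1, port
        }'
}

# Listeners reachable on every interface: these are the ones a firewall
# (ipchains/iptables) or a per-daemon bind setting must still cover.
exposed_ports() { classify_listeners exposed; }

# Listeners already restricted to a single address (e.g. 127.0.0.1).
bound_ports() { classify_listeners bound; }

# Stand-alone usage on the constructed sample.
echo "Bound to all interfaces:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_ports
echo "Bound to one address:"
printf '%s\n' "$SAMPLE_NETSTAT" | bound_ports
```

On the sample, `exposed_ports` reports sshd (22), portmap (111 tcp and udp) and the X server (6000), while postfix (25) and cupsd (631) show up only under `bound_ports` because they are bound to 127.0.0.1. Anything in the first list that you did not deliberately open is what the thread's advice (disable the service, bind it to localhost, or filter the port) should be applied to.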