<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body dir="ltr" bgcolor="#ffffff" text="#000000">
Shachar Shemesh wrote:
<blockquote cite="mid:4A4DD809.9010602@shemesh.biz" type="cite">
Gilad Ben-Yossef wrote:
<blockquote cite="mid:4A4DC4FB.5070200@codefidence.com" type="cite">
<p style="margin-bottom: 0cm; margin-top: 0pt;">Hello List,</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"><br>
</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;">A friend presented
me
with a difficult problem which I don't have a solution for and I
thought someone here on the list might have an idea.</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"><br>
</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;">The problem is as
follows:</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"><br>
</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;">You have an
application
running on a machine that has two network interfaces. One for
management and one for media.</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"><br>
</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;">You have a network
server application (it's a SIP UA but that doesn't matter much) that is
bound to an IP on the media network interface. Because the media and
management networks might be completely different, you use the
BIND_TO_DEVICE socket option on the server sockets so that the kernel
will only route traffic for that socket via that device.</p>
</blockquote>
I haven't been able to find any documentation on the BIND_TO_DEVICE
socket option. Can you point to some, or at least give a code sample?<br>
<br>
Why not just use bind with an IP address? This way, communication from
localhost is still possible, provided you give the external IP address
rather than the internal one. Attached is a sample program.<br>
</blockquote>
I re-read the problem description, and the solution I suggested is
incomplete. To make it complete, you need to add an iptables INCOMING
chain saying "do not allow connection to IP:PORT unless from interface
eth1". This will provide the security aspect you desire, but because
it's in IPTABLES rules, it's flexible enough to accommodate the "allow
from here AND here, but not here".<br>
<br>
Shachar<br>
<br>
<pre class="moz-signature" cols="72">--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
<a class="moz-txt-link-freetext" href="http://www.lingnu.com">http://www.lingnu.com</a>
</pre>
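<p>The following is an added example, not the sample program attached to the thread and not code from either poster. It demonstrates the two halves of Shachar's suggestion: a listener bound to one specific local address rather than 0.0.0.0, and the iptables INPUT-chain rule (the chain the message calls "INCOMING") that drops traffic to that IP:PORT unless it arrived on the chosen interface. Two loopback aliases (127.0.0.1 and 127.0.0.2, both local on Linux) are assumed as stand-ins for the media and management addresses; the interface name eth1 comes from the thread, and the SIP port 5060 is a constructed sample value. The rule is only built as an argument list, never executed.</p>
<pre>
```python
import socket
import threading

# Constructed sample addresses: two loopback aliases stand in for the
# "media" and "management" interfaces of the original post. On Linux the
# whole 127.0.0.0/8 block is local, so both are reachable without setup.
MEDIA_IP = "127.0.0.1"
MGMT_IP = "127.0.0.2"


def listen_on(ip, port=0):
    """Create a TCP listener bound to exactly one local address (not 0.0.0.0)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((ip, port))  # bind to one address, as Shachar suggests
    srv.listen(1)
    return srv


def can_connect(ip, port, timeout=1.0):
    """Return True if a TCP connect to ip:port succeeds, False if it is refused
    or times out (socket.timeout is an OSError subclass)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_address_binding():
    """Bound to MEDIA_IP only: reachable at MEDIA_IP, refused at MGMT_IP.

    This is the part that binding to an IP (instead of INADDR_ANY) buys you:
    the kernel only delivers connections addressed to the bound IP.
    """
    srv = listen_on(MEDIA_IP)
    port = srv.getsockname()[1]
    # Accept in the background so the successful connect completes cleanly.
    t = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    t.start()
    results = {
        "via_media_ip": can_connect(MEDIA_IP, port),
        "via_mgmt_ip": can_connect(MGMT_IP, port),
    }
    t.join(timeout=2)
    srv.close()
    return results


def iptables_rule(ip, port, iface, proto="tcp"):
    """Build the rule Shachar describes: drop packets to ip:port unless they
    arrived on `iface`. Binding to an IP alone does not stop a packet that
    is routed in through the other interface but addressed to the media IP;
    this rule closes that gap. Returned as an argv list (e.g. for
    subprocess.run), not executed here."""
    return [
        "iptables", "-A", "INPUT",
        "-p", proto, "-d", ip, "--dport", str(port),
        "!", "-i", iface,
        "-j", "DROP",
    ]


if __name__ == "__main__":
    print(demo_address_binding())
    print(" ".join(iptables_rule("10.0.0.5", 5060, "eth1")))  # hypothetical media IP
```
</pre>
<p>The first function shows why Shachar's bind-to-IP approach keeps localhost access working (connect to the external address, not the internal one); the second shows why he later calls it incomplete without the interface check, which only iptables can express.</p>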
</body>
</html>