Re: determining if connection is local


  • Subject: Re: determining if connection is local
  • From: Quinn <email@hidden>
  • Date: Thu, 25 Sep 2003 22:44:06 +0100

At 15:06 -0600 25/9/03, Chaz McGarvey wrote:
The reason I'm interested in this is because I have a program which has its user interface and "get work done" interface separated by sockets because I also want to allow remote clients to connect and use a remote interface with the local "get work done" interface (and vice versa). I don't always want remote clients to connect to my local computer, but I always want my local user interface to be able to connect to my local "get work done" interface. So, yes, it's a matter of security. This is my first project that needs to be networked. I'm definitely new to security, so if what I'm trying to do doesn't sound secure or if you can tell I'm missing a networking concept, I'd like to know.

If you control the client, you should make sure that the client does not bind its socket (or binds it to INET_ANY) before connecting. That will guarantee that it gets bound to 127.0.0.1. Then all your server needs to do is check for that peer address.

You may also be able to bind your server to 127.0.0.1. My guess is that will force clients to connect to 127.0.0.1, and such connections can only originate from the local machine. I'm not sure if this works (and I don't have time to investigate right now), but it's worth looking at.

Finally, I'm kinda paranoid about network security so, if I was writing this, I would write the server as follows.

o Use a Unix domain socket for local communications. This guarantees that local requests are coming from the local machine.

o Use a TCP socket for network requests.

Thus, if the user has disabled remote access, you can disable the TCP listener and you're guaranteed to be safe. The only drawback is a little more complexity, but IMHO (and remember, I'm paranoid) it's worth the effort.

S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Technical Support * Networking, Communications, Hardware
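
The two-listener server design described in the message above, as an added example that is not part of the original post and not Apple's code: local clients use a Unix domain socket, and the TCP listener is created only when remote access is enabled. The function names, the backlog of 8 and the owner-only umask are assumptions made for this sketch.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill a sockaddr_un; fails if the path does not fit in sun_path. */
static int local_addr(struct sockaddr_un *a, const char *path) {
    if (strlen(path) >= sizeof(a->sun_path)) return -1;
    memset(a, 0, sizeof(*a));
    a->sun_family = AF_UNIX;
    strcpy(a->sun_path, path);
    return 0;
}

/* Local channel: a Unix domain socket, reachable only from this machine. */
int listen_local(const char *path) {
    struct sockaddr_un a;
    int fd;
    if (local_addr(&a, path) < 0 || (fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    unlink(path);                      /* clear a stale socket file */
    mode_t old = umask(0077);          /* assumption: owner-only socket file */
    int rc = bind(fd, (struct sockaddr *)&a, sizeof(a));
    umask(old);
    if (rc < 0 || listen(fd, 8) < 0) { close(fd); return -1; }
    return fd;
}

/* Local user interface side: connect over the same Unix domain socket. */
int connect_local(const char *path) {
    struct sockaddr_un a;
    int fd;
    if (local_addr(&a, path) < 0 || (fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (connect(fd, (struct sockaddr *)&a, sizeof(a)) < 0) { close(fd); return -1; }
    return fd;
}

/* Network channel: created only when the user has enabled remote access. */
int listen_remote(int remote_enabled, unsigned short port) {
    struct sockaddr_in a = {0};
    int fd;
    if (!remote_enabled || (fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&a, sizeof(a)) < 0 || listen(fd, 8) < 0) { close(fd); return -1; }
    return fd;
}
```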