Re: listen on specific network interfaces

[Tor Rune Skoglund]

    Den 16.04.2020 13:30, skrev Mike Simpson:

If you’re using containers then you have way more fundamental network security problems than gpsd listening on all or loopback.

That is certainly true. The gpsd thing is just one minor issue, however, it is still something we want to resolve. At present, gpsd is the only daemon we have that to not offer specifying which IPs to listen to, so we might offer a patch anyway. Whether it is taken or not, is not up to us.

There are also other issues with some setups not relating to security when listening to INADDR_ANY, like making that port unavailable inside the container. Also a reason why we want to see a fix.

BR,

Tor Rune Skoglund

On 16 Apr 2020, at 07:28, Tor Rune Skoglund <address@hidden> wrote:

Hi Gary,

Den 15.04.2020 23:54, skrev Gary E. Miller:

On Wed, 15 Apr 2020 09:15:13 +0200
Steffen Sledz <address@hidden> wrote:

According to the manpage the -G flag enables listening on all
addresses (INADDR_ANY) rather than just the loop back
(INADDR_LOOPBACK) address.

Yup.

This is unfortunately a little too unspecific for us.

Could be.

Is it possible to specify specific interfaces to listen on?

Possible, if you want to send patches to put a bunch of firewall code
into gpsd.  Other daemons have done that, but it is never good enough.

You already have a fantastic fancy firewall on your host.  Well
documented, well debugged, the best of the best checking it for bugs and
holes.  And backed up by tools such as fail2ban for defense in depth.

This is UNIX: do one thing do it well.  gpsd does GNSS well.  Leave
the firewall stuff to the firewall people.

I see your point, Gary, but there are situations where firewall/iptables settings do not necessarily easily apply, like when using various types of container solution with shared networking and such. Therefore, the option to specify specific ip addresses or interfaces til listen on would be good to have.

BR,

Tor Rune Skoglund