Running Network Services on Multi-homed servers
===============================================

Shanker Balan
http://shankerbalan.com/

Changelog:

- Tue Aug 26 12:30:46 IST 2003
  * First cut

Certain situations require that network services running on a multi-homed
host do not bind to all available interfaces. This is typically required
when running virtual hosts under the FreeBSD jail(8) environment and when
doing firewall configurations.

Below are the changes I had to make to get applications to bind to specific
IP addresses. They are not exhaustive and include only the services which I
personally had to reconfigure. The primary IP of my server is 192.168.1.24,
and services have been configured to bind to this address only.

Some of the configuration info is FreeBSD (5.x) -CURRENT specific. Will make
them more generic as time permits.

Syslog -- log systems messages
==============================

###
### rc.conf
###

syslogd_flags="-ss"     # Syslogd flags to not bind an inet socket

OpenSSH
=======

[shanu] ~> ssh -V
OpenSSH_3.6.1p1 FreeBSD-20030423, SSH protocols 1.5/2.0, OpenSSL 0x0090701f

###
### /etc/ssh/sshd_config
###

# Specifies the local addresses sshd should listen on
ListenAddress 192.168.1.24

###
### /etc/ssh/ssh_config
###

# Specify the interface to transmit from on machines with multiple interfaces
# or aliased addresses.
BindAddress 192.168.1.24

Inetd -- internet ``super-server''
==================================

###
### /etc/rc.conf
###

# -a  Specify one specific IP address to bind to
inetd_flags="-wW -a 192.168.1.24"

Rpcbind: Universal addresses to RPC program number mapper
==========================================================

###
### /etc/rc.conf
###

# -h  Specify specific IP addresses to bind to for UDP requests.
rpcbind_flags="-h 192.168.1.24"

NOTE: The -h option did nothing for me; portmapper continues to run on all
available addresses. YMMV!
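The rpcbind note above shows why the result of each change should be verified rather than assumed. The following is an added example (not part of the original page) that parses output in the format of FreeBSD's sockstat(1) (`sockstat -46l`) and reports every listener still bound to the wildcard address, or to any address outside an allow list; the sample output embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Verify that services bind only to the intended addresses.
# Input format: FreeBSD `sockstat -46l` (USER COMMAND PID FD PROTO LOCAL FOREIGN).
# On a live host run e.g.:  find_wildcard_listeners "$(sockstat -46l)"

# Constructed sample of sockstat -46l output; not a capture from a real host.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   3  tcp4   192.168.1.24:22       *:*
root     inetd      380   5  tcp4   192.168.1.24:21       *:*
root     rpcbind    350   4  udp4   *:111                 *:*
root     rpcbind    350   5  tcp4   *:111                 *:*
mysql    mysqld     502   10 tcp4   192.168.1.24:3306     *:*
bind     named      420   20 udp4   127.0.0.1:53          *:*
root     cupsd      440   3  tcp4   *:631                 *:*'

# Print "command proto local_address" for every listener bound to the
# wildcard address (*:port), i.e. to every interface on the box.
find_wildcard_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $5, $6 }'
}

# Stricter check: report every listener whose address is NOT in the given
# space-separated allow list (for this page: "192.168.1.24 127.0.0.1").
find_unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 {
            addr = $6
            sub(/:[0-9*]+$/, "", addr)      # strip the trailing :port
            if (!(addr in ok)) print $2, $5, $6
        }'
}

# Number of wildcard listeners; zero means every reconfiguration took effect.
count_wildcard_listeners() {
    find_wildcard_listeners "$1" | wc -l | tr -d ' '
}

# Stand-alone run on the constructed sample: rpcbind (udp and tcp) and cupsd
# are reported as still bound to all addresses.
find_wildcard_listeners "$SAMPLE_SOCKSTAT"
```

A non-zero count from count_wildcard_listeners in a nightly cron job is a cheap way to catch a package upgrade that silently resets one of these settings.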
Samba -- Server to provide SMB/CIFS services to clients
=======================================================

###
### smb.conf
###

# This global parameter allows the Samba admin to limit what interfaces
# on a machine will serve SMB requests.
bind interfaces only = yes

# This option allows you to override the default network interfaces list
# that Samba will use for browsing, name registration and other NBT traffic
interfaces = 192.168.1.24/24

Apache2 -- Apache Hypertext Transfer Protocol Server
====================================================

###
### httpd.conf
###

# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
Listen 192.168.1.24:80

###
### ssl.conf
###

Listen 192.168.1.24:443

Postfix - A secure alternative to widely-used Sendmail
======================================================

###
### main.cf
###

# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine.
inet_interfaces = $myhostname, localhost

Bind - Internet domain name server (DNS)
========================================

###
### named.conf
###

options {
        listen-on { 127.0.0.1; 192.168.1.24; };
};

Courier-IMAP -- IMAP (and POP3) server that provides access to Maildir mailboxes
================================================================================

###
### imapd
###

# Address to listen on, can be set to a single IP address.
ADDRESS=192.168.1.24

CUPS -- The Common UNIX Printing System
=======================================

###
### cupsd.conf
###

# Ports/addresses that we listen to.
Listen 192.168.1.24:631

Squid -- The successful WWW proxy cache and accelerator
=======================================================

# The socket addresses where Squid will listen for HTTP client requests.
http_port 192.168.1.24:3128
icp_port 192.168.1.24:3130

MySQL -- Multithreaded SQL database
===================================

###
### rc.d/mysql-server.sh
###

case "$1" in
start)
        if [ -x /usr/local/bin/mysqld_safe ]; then
                /usr/bin/limits -U mysql \
                    /usr/local/bin/mysqld_safe --user=mysql --datadir=${DB_DIR} \
                    --pid-file=${PIDFILE} --bind-address=192.168.1.24 > /dev/null &
                echo -n ' mysqld'
        fi
        ;;

This is not very portable; will have to RTFM and figure out how to use
"--bind-address=192.168.1.24" within the MySQL conf file.

URLs:

FreeBSD Jails: http://www.onlamp.com/lpt/a/4139

ToDo:

- SNMP
- Rpcbind fixums
- Samba fixums
- NTP