From: "Brian Hawley" > My computer has several IP channels > available to it: The ethernet card, > localhost, and a couple VMware virtual > networks. If I am setting up a > server, how do I bind a listen port to just > one or some of them, not all? > I would like to set up local services that > I would prefer not to be > accessible to the outside world. I haven't > found anything like this in > the docs - they all seem to assume that > all network channels are alike. > > For that matter, is there some way to set > a net-mask or a list of IPs to > limit who can connect to my service > somewhere in the port settings, rather > than manually checking every connection? > I'm looking for speed and security > here... > > I will ask feedback too. Unfortunately, the > ability bind to only specific > network channels (I forget the TCP/IP term) > is a must for my project. If I > can't, I must switch languages. That would > be bad.
Hi, Brian, I probably have more questions than answers, because I believe that the best answer will depend on certain information. The implied risk of which I suspect that you are concerned is the risk of external Internet access to your proposed REBOL server. You mention an ethernet card. Is your connection to the Internet through this card, or through a dial-up? If it is through the card then the card may hook directly to the Internet (thru DSL, cable, ISDN, etc) or to a "local" network that then accesses the Internet through a gateway machine (be it a computer or specialized router). Some gateway devices are merely pass-through routers that filter for an IP range. In such a setting each machine will be individually addressable by the Internet, which is a major risk. Some gateways, will reassign connections through a local IP system. There are circumstances where this local IP system may be addressable through the Internet. Most gateways that reassign IP's, will use one of the non-routeable IP address ranges for the local network. In theory, machines "behind" this system cannot be directly addressed by the Internet. Such address ranges include 192.168.x.x. Some gateways may or may not act like a firewall, meaning filtering incoming requests (and outgoing in some situations). Let's say that your machine is attached to the Internet through an ethernet card that is attached to a cable modem. Odds are that the IP assigned to your machine is directly addressable to the Internet (whether it is static or dynamcially assigned via a DHCP server). This will be a problem, especially if you have or have ever had the old-style Windows network installed (which was done by default until only recently. Note that even if you disabled all but the TCP/IP networking, the Windows network ports may still be listening. See grc.com for entertaining, if not hair raising reading on this topic. His site will also let you assess your Internet vulnerability, so it is well worth the time.) You may only have two real options to obtain a truly Internet-isolated internal network: get a firewall/router/dhcp server like LinkSys EtherFast Cable/Dsl Router or get an old spare machine that attaches directly to the Internet, then attches to your development machine using the Internet share facility, which will set up a non-Internet-routable address for your machine. Internet accesses are passed through the connection, but your machine will not be directly addressable (again, warning regarding old Windows configs as outlined at grc.com). The third but less desirable option is hooking your REBOL server to the localhost address (127.0.0.1). Once your development machine is on a non-Internet-routable address, like the 192.168.x.x range, then you can hook your server to a port for listening, as seen at http://www.reboltech.com/library/html/rebserver.html You should be able to specify the actual IP that you wish to use on your machine, like: server-port: open/lines tcp://192.168.0.1:4321 If your machine is directly addressable to the Internet, but you have a fire wall installed, then in theory you only need to set the firewall to filter out any external access to the desired port. I'm no expert, but I personally would never risk this because firewalls can be especially exposed if running on the *same machine* as the desired port to be filtered. One of the LinkSys solutions is a very cheap, easy and efficient way of securing your accesses to the Internet, unless you happen to have an old machine and two more ethernet cards lying around and an OS that supports Internet sharing (most do, with varying degrees of trouble involved) (while Windows Internet share "works", configuration can sometimes be a nightmare). Hope this helps. If your circumstances lie outside of these parameters, then given a little more info, then someone will likely be able to pose a safe solution. the grc.com site is highly recommended as a way to check your connection. --Scott Jones -- To unsubscribe from this list, please send an email to [EMAIL PROTECTED] with "unsubscribe" in the subject, without the quotes.
