PerlMonks
Re^2: Discriminating between local and remote IP's

by Avitar (Acolyte)
on Oct 04, 2004 at 19:26 UTC [id://396352]


in reply to Re: Discriminating between local and remote IP's
in thread Discriminating between local and remote IP's

That was only an example range. I realize that they are supposedly private ranges, however they will sometimes resolve, or are spoofed.

For instance I run a traceroute on 10.0.0.1 and I get something such as:


1 15 ms 15 ms 15 ms 66.13.200.101
2 15 ms 16 ms 15 ms 4.24.46.181
3 15 ms 15 ms 16 ms 10.0.0.1


Although these are trusted servers for the most part, I do not want to give IANA any escalated privileges. Paranoid? maybe... but better safe than sorry.

For this reason I wanted to have the server check to see if the request was received via the local area NIC or the NIC with the internet connection.

Replies are listed 'Best First'.
Re^3: Discriminating between local and remote IP's
by iburrell (Chaplain) on Oct 04, 2004 at 19:54 UTC
    I would never trust any IP address in the private ranges. You might have someone else's network

    You are assuming that the server has two NICs, one on a private LAN, and another on the Internet connection. This is a rare configuration. Also, it is fairly hard to determine which interface the connection came from. You can look at the incoming IP address. It isn't that reliable for security.

    It is better to look at the remote IP address. This can be spoofed and isn't very good security. But if you are looking at the IP address for trust, you aren't interested in good security.

      While it is true that using IP addresses for trust is not good security, it is easy to find out on which IP a connection came in.
      getsockname SOCKET Returns the packed sockaddr address of this end of the SOCKET connection, in case you don't know the address because you have several different IPs that the connection might have come in on.
      HTH, --traveler
Re^3: Discriminating between local and remote IP's
by amt (Monk) on Oct 04, 2004 at 19:48 UTC
    The situation I am picturing is an internet sharing situation where you have machines on a wire to the machine with two NICs. One NIC is for the ether, and the other is for the internet. Using Net::CIDR to test whether it is contained in one of these networks should still work. When you are tracerouting to 10.0.0.1, you could be going out of the Internet NIC, as the lowest eth* will be chosen if not specified, so keep that in consideration.
    If the situation is what I think it is, then those machines have one NIC and are on an internal network, that the box in question is directly connected to, so they have no choice but to be on the same network.
    amt.

Re^3: Discriminating between local and remote IP's
by DrHyde (Prior) on Oct 05, 2004 at 09:10 UTC
    For this reason I wanted to have the server check to see if the request was received via the local area NIC or the NIC with the internet connection.

    Can't be done using perl. The best you can do is look at the IPs.

    I suggest creating a whitelist of all the "trusted" IPs as a bunch of CIDR blocks (using Net::CIDR as someone else suggested), then checking connections against that.
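Putting traveler's getsockname point and DrHyde's CIDR whitelist together, here is an added example (not code from any poster in this thread): the accepted socket's own end tells you which interface address the connection arrived on, and the peer address is then checked against a Net::CIDR whitelist. The trusted blocks and the LAN NIC address are hypothetical; the demo connects over the loopback so it runs on any box, and Net::CIDR is assumed to be installed from CPAN.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_ntoa unpack_sockaddr_in);
use IO::Socket::INET;
use Net::CIDR qw(cidrlookup);

# Hypothetical trusted blocks; a real deployment lists its own LAN ranges.
my @TRUSTED_CIDRS = ('10.0.0.0/8', '192.168.1.0/24');
# Hypothetical address of the LAN-side NIC. The loopback is listed here only so
# the demo below classifies as "via LAN" on any machine.
my @LAN_NIC_ADDRS = ('127.0.0.1');

# For an accepted socket, return (local_ip, peer_ip). getsockname gives this
# end (i.e. the interface address the connection came in on), getpeername the
# remote end. Both return packed sockaddr_in structures.
sub connection_endpoints {
    my ($sock) = @_;
    my (undef, $laddr) = unpack_sockaddr_in(getsockname($sock));
    my (undef, $raddr) = unpack_sockaddr_in(getpeername($sock));
    return (inet_ntoa($laddr), inet_ntoa($raddr));
}

# Trust only when BOTH the receiving interface is the LAN NIC AND the peer is
# inside a whitelisted block. The source address can still be spoofed, so this
# is a coarse filter in front of real authentication, not a replacement for it.
sub is_trusted {
    my ($local_ip, $peer_ip) = @_;
    my $via_lan = grep { $_ eq $local_ip } @LAN_NIC_ADDRS;
    return ($via_lan && cidrlookup($peer_ip, @TRUSTED_CIDRS)) ? 1 : 0;
}

# Demo: listen on the loopback, connect from this same process, accept the
# connection, and classify it. The peer 127.0.0.1 is not in @TRUSTED_CIDRS,
# so the loopback connection is rejected even though it arrived on the "LAN" NIC.
my $listener = IO::Socket::INET->new(
    LocalAddr => '127.0.0.1', Listen => 1, Proto => 'tcp', ReuseAddr => 1,
) or die "listen: $!";
my $client = IO::Socket::INET->new(
    PeerAddr => '127.0.0.1', PeerPort => $listener->sockport, Proto => 'tcp',
) or die "connect: $!";
my $server_side = $listener->accept or die "accept: $!";

my ($local_ip, $peer_ip) = connection_endpoints($server_side);
printf "arrived on %s from %s: %s\n", $local_ip, $peer_ip,
    is_trusted($local_ip, $peer_ip) ? 'trusted' : 'untrusted';
# A direct check with a whitelisted peer, to show the positive case:
printf "10.0.0.5 via LAN NIC: %s\n", is_trusted('127.0.0.1', '10.0.0.5') ? 'trusted' : 'untrusted';
```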