
Listening on 0.0.0.0

Open kseistrup opened this issue 10 years ago • 3 comments

Megafilter seems to listen on 0.0.0.0, i.e., on all [IPv4] interfaces. And while there's a --port switch there's no --host switch, meaning that megafilter will be available for anyone who happens to pass by the chosen port.

In my opinion megafilter ought to listen on localhost only (preferably both 127.0.0.1 and ::1), and only attempt other interfaces if stated explicitly on the commandline.

Cheers.

kseistrup • Jul 14 '13 11:07

An option to restrict which interfaces it listens to would be nice (so you can run other services on that port on different interfaces), but I don't think listening on localhost ONLY should be the default behaviour.

In my opinion, it should listen on all IPv4 interfaces by default, with the option to restrict it to certain interfaces via a --host switch or some other option, as this is the default (and expected) behaviour in most other software packages such as apache2, bind9 etc.

frillip • Jul 14 '13 12:07

There is an important distinction to be made between the software you mention and then megafilter: the latter is apparently meant to be run in userspace. I'd say it's better practice to have a user application run on localhost, so that the app doesn't unintendedly expose its interface to the whole world (potential security and privacy breach).

And even so: If you install something like Debian Linux, you'll find that most — if not all — system daemons are listening on localhost only.

In my opinion the safer options (e.g., local install, localhost, …) should be the default over less safe options (global install requiring root, wan interface, …). In that way less competent people don't inadvertently expose themselves to the entire world, while people who know what they're doing can easily make things available for the entire world.

kseistrup • Jul 14 '13 12:07

I have added a --host option.

I am more concerned with getting to a running state as fast as possible. --host 0.0.0.0 might be another barrier. Either that, or if you're willing to update README.md in a fork to document 127.0.0.1 as the default, explaining why and also showing how to tunnel via ssh (as I don't think running on the local machine makes sense) and also listen on 0.0.0.0 I'd be willing to merge in a PR with the default IP changed to 127.0.0.1 in config.js.

Thanks for the feedback, both.

naggie • Jul 14 '13 17:07
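
The default argued for in this thread (loopback on both 127.0.0.1 and ::1, other interfaces only when --host says so), as an added Node.js example that is not megafilter's code. `--host` and `--port` are the switches named above; the default port 8080, repeating `--host` for several addresses, and every function name are assumptions made for illustration.

```javascript
// Added example, not megafilter's code. The default port and all names are assumptions.
const LOOPBACK = ['127.0.0.1', '::1'];   // the default the issue asks for
const WILDCARD = ['0.0.0.0', '::'];      // every interface of that address family

// Read "--host value" (repeatable) and "--port value" from an argv-style array.
function parseArgs(argv) {
  const opts = { hosts: [], port: 8080 };
  for (let i = 0; i < argv.length; i++) {
    if (argv[i] === '--host' && i + 1 < argv.length) opts.hosts.push(argv[++i]);
    else if (argv[i] === '--port' && i + 1 < argv.length) opts.port = Number(argv[++i]);
  }
  if (!Number.isInteger(opts.port) || opts.port < 1 || opts.port > 65535) {
    throw new RangeError('invalid --port');
  }
  return opts;
}

// 'loopback' = this machine only, 'wildcard' = all interfaces, 'specific' = one address.
function classify(host) {
  if (host === '::1' || host === 'localhost' || /^127(\.\d{1,3}){3}$/.test(host)) return 'loopback';
  return WILDCARD.includes(host) ? 'wildcard' : 'specific';
}

// Safe default: loopback on both address families unless --host was given.
function bindPlan(argv) {
  const { hosts, port } = parseArgs(argv);
  const chosen = hosts.length ? hosts : LOOPBACK;
  return chosen.map((host) => ({ host, port, exposure: classify(host) }));
}

// Open one listener per planned address and log any that other hosts can reach.
function listen(argv, onConnection) {
  const net = require('net'); // loaded here so the planning functions need no modules
  return bindPlan(argv).map(({ host, port, exposure }) => {
    if (exposure !== 'loopback') {
      console.warn(`listening on ${host}:${port} (${exposure}): reachable from other hosts`);
    }
    const server = net.createServer(onConnection);
    // A machine without IPv6 fails the ::1 bind; report it and keep the other listener.
    server.on('error', (err) => console.error(`${host}:${port}: ${err.code}`));
    return server.listen({ host, port, ipv6Only: host.includes(':') });
  });
}
```

Calling `listen(process.argv.slice(2), handler)` with no `--host` binds only the two loopback addresses; `--host 0.0.0.0` has to be typed to expose the port.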