
[10412][config] Add a warning about BindIP


Guest freghar


> What bug does the patch fix? What features does the patch add?

It tries to make poor souls stay away from a config option they have no idea about.

> For which repository revision was the patch created?

36249a0372 - [10410]

> Is there a thread in the bug report section or at lighthouse? If yes, please add a link to the thread.

>

> Who has been writing this patch? Please include either forum user names or email addresses.

The patch was created by git from changes written by vim. I just made up the words.

There are quite a lot of threads / confusion about this option. Most people simply don't realize it's ONLY for local-address binding - some try to put their external (router-assigned) addresses, some try 127.0.0.1 and then wonder why no one else can connect, some others do even more crazy things.

The only real purpose of this option is to allow multiple realm/world processes to be run and bound to different addresses on one machine. It can't even be used instead of a proper firewall - you can still send packets to a server bound to localhost address.

Oh, and, I'm not sure if mangos uses SO_REUSEADDR, if not, I'd strongly recommend using it, it will prevent "address/port already in use" when no realmd/worldd instance is running.

diff --git a/src/mangosd/mangosd.conf.dist.in b/src/mangosd/mangosd.conf.dist.in
index cfd767a..e07e778 100644
--- a/src/mangosd/mangosd.conf.dist.in
+++ b/src/mangosd/mangosd.conf.dist.in
@@ -45,6 +45,7 @@ ConfVersion=2010062001
#
#    BindIP
#        Bind World Server to IP/hostname
+#        DO NOT CHANGE THIS UNLESS YOU _REALLY_ KNOW WHAT YOU'RE DOING
#
###################################################################################################################
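Review bot: the added line at the end of the BindIP block tells the admin not to touch the option but not what a valid value is or why, so it will not stop the mistakes the thread lists (router-assigned addresses, 127.0.0.1 and then wondering why nobody can connect). Consider a factual one-liner in the same comment style instead, e.g. `#        Only needed when running several worldd/realmd instances on one host.` followed by `#        Must be 0.0.0.0 (default) or an address assigned to a local interface; not a substitute for a firewall.` The shouting capitals and underscores are also out of step with the rest of mangosd.conf.dist.in.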


> It can't even be used instead of a proper firewall - you can still send packets to a server bound to localhost address

I'm American, primary language English, and I cannot understand this sentence. I think this description needs adjusting before being pushed.

> The only real purpose of this option is to allow multiple realm/world processes to be run and bound to different addresses on one machine.

This makes sense and should not be changed


Yes, some explanations are always welcome.

Can I suggest this description (very simplified)?

------------------------------------------------

The only real purpose of this option is to specify a particular network address where an application server can work.

For example:

- "0.0.0.0" refers to all network (default for most servers).

- "87.93.0.0" refers only to network area "87.93.0.0".

------------------------------------------------


> - "0.0.0.0" refers to all network.
>
> - "87.93.0.0" refers only to network area "87.93.0.0".

I think the 0.0.0.0 should state

"0.0.0.0" refers to all network addresses available to the host system

Maybe a note about using ifconfig/ipconfig to see available interface addresses

The "87.93.0.0" should not be listed at all. That is a public IP range which would imply that interface is publicly WAN accessible (which is not supported by the MaNGOS community). And also means that you would already have some advanced network experience in order to know how to assign your modem's WAN IP internally to your server's NIC.

loopback should be listed, so localhost only developers/users know how to set the BindIP to loopback instead of a network accessible address

"127.0.0.1" refers to the host system's loopback device, only accessible by the host system itself (no other network clients may connect to this)

Maybe add some examples of private IP usage 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255

192.168.x.x range is typical in many other server software documentation examples

"192.168.1.x" refers to an address assigned to the host system on the 192.168.1.0 network

Again probably add a note about ifconfig/ipconfig to know which addresses are assigned to the host system's interfaces


@Schmoozerd, You are correct. The information in the config files should be short and simple, My overly informative post was in reply to Nephyr's post about adding in the interface address example text.

However my original post still stands about what freghar & Valdimir posted:

> It can't even be used instead of a proper firewall - you can still send packets to a server bound to localhost address.

This seems confusing, and I know it is because of a language barrier and something is being lost in translation. If I could understand what this sentence really means I would provide an alternate for it.

My only opinion about changing the example/help text in the config files is that it needs to follow proper grammar and spelling for the language it is being written in.

EDIT: Just looked at the commit by freghar, looks good and makes sense. no complaints from me


> - "0.0.0.0" refers to all network (default for most servers).
>
> - "87.93.0.0" refers only to network area "87.93.0.0".

That's exactly my point - you have no idea what it really does, right? :)

Because you can't "bind" to an address you don't explicitly own. Not without using kernel and userspace hooks (see TPROXY iptables target for example). Therefore you can't "bind" to a subnet like 87.93.0.0/16.

> I think the 0.0.0.0 should state
>
> "0.0.0.0" refers to all network addresses available to the host system

Actually, 0.0.0.0 is a special case, the socket struct gets filled with INADDR_ANY and sent to kernelspace. Any other value needs to be a real address assigned to one of the machine's interfaces, adding something like "192.168.x.y" to the help text would only cause more confusion.

> The "87.93.0.0" should not be listed at all. That is a public IP range which would imply that interface is publicly WAN accessible (which is not supported by the MaNGOS community). And also means that you would already have some advanced network experience in order to know how to assign your modem's WAN IP internally to your server's NIC

There's nothing wrong using so-called "public" IP addresses, if you want to keep your server private, simply use firewall.

Also the "advanced network experience" is called "routing" and there's (IMHO) nothing advanced about it, though it's not something a common Joe can do without google.

> loopback should be listed, so localhost only developers/users know how to set the BindIP to loopback instead of a network accessible address
>
> "127.0.0.1" refers to the host system's loopback device, only accessible by the host system itself (no other network clients may connect to this)

You can of course use loopback, but it has the same effect (for most users) as using 0.0.0.0. Again - to block people from the outside world, you need to use a firewall.

> Again probably add a note about ifconfig/ipconfig to know which addresses are assigned to the host system's interfaces

The shortened version makes it clear - this option is only useful when running two or more worldd or realmd instances. If an admin finds himself in such a situation, he should start googling on "bind IP".


> It can't even be used instead of a proper firewall - you can still send packets to a server bound to localhost address.

The IP address binding was introduced a looong time ago. It allows you to run multiple independent processes on different IP addresses. Imagine a machine A having two IP addresses - IP1, IP2. You can "bind", say, an Apache (http) server to IP1, TCP port 80 and - at the same time - "bind" a VNC server to IP2, TCP port 80. This scenario is only possible without using INADDR_ANY (0.0.0.0).

As for the second part;

Historically, a machine accepts all traffic with a destination IP address assigned to one of its interfaces as its own. There's no such thing as "interface IF1 with IP1", "interface IF2 with IP2". Whenever a network packet comes to IF2 with destination address IP1, the machine accepts it. Therefore you need _something_ to prevent the machine from accepting (spoofed) packets with destination IP 127.0.0.1 sent by other computers on your network. That "something" is a network filter, usually called a "firewall".

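As an added example (not part of the patch or of the MaNGOS code), this small C probe shows the bind() semantics freghar describes in the two posts above: "0.0.0.0" becomes INADDR_ANY, any other BindIP must be an address the host actually owns (192.0.2.1 from the RFC 5737 documentation range stands in for an unassigned one), and two instances can share a port only when bound to distinct local addresses. The function names are mine; it assumes Linux, where all of 127.0.0.0/8 is local.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Bind a fresh TCP socket to ip:port (0 = any free port). Returns the fd,
 * or -errno: the same answer bind() gives worldd/realmd for that BindIP. */
int bind_tcp(const char *ip, unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    /* "0.0.0.0" parses to INADDR_ANY; any other value must be assigned here */
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -EINVAL;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}
/* The multi-instance case from the thread, on loopback only (Linux treats
 * all of 127.0.0.0/8 as local): two sockets share a port when bound to
 * distinct addresses, while a third on 0.0.0.0 is refused with EADDRINUSE.
 * Returns 1 when the kernel behaves that way, 0 otherwise. */
int two_addresses_one_port(void)
{
    int a = bind_tcp("127.0.0.1", 0);                  /* kernel picks the port */
    if (a < 0) return 0;
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    getsockname(a, (struct sockaddr *)&sa, &len);
    int b = bind_tcp("127.0.0.2", ntohs(sa.sin_port)); /* second "instance" */
    int c = bind_tcp("0.0.0.0", ntohs(sa.sin_port));   /* wildcard overlaps both */
    int ok = b >= 0 && c == -EADDRINUSE;
    close(a); if (b >= 0) close(b); if (c >= 0) close(c);
    return ok;
}
int main(void)
{   /* 192.0.2.1 is a documentation address (RFC 5737), so never assigned here */
    const char *ips[] = { "0.0.0.0", "127.0.0.1", "192.0.2.1" };
    for (int i = 0; i < 3; i++) {
        int r = bind_tcp(ips[i], 0);
        printf("%-10s %s\n", ips[i], r >= 0 ? "bound" : strerror(-r));
        if (r >= 0) close(r);
    }
    return !two_addresses_one_port();
}
```

Binding 192.0.2.1 fails with EADDRNOTAVAIL, which is what an admin who puts a router-assigned or "network area" address into BindIP will see; a firewall, not BindIP, is what limits who may reach the bound socket.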
