VNC on a dual homed NT Server
Jeff Stearns
jeffstearns "at" home.com
Sun, 06 Feb 2000 08:20:17 +0000
Arnt -
It's easy to bind to a specific NIC on a box that supports BSD sockets. I
don't have much NT programming experience, but I've been told that NT
supports an interface that's somewhat socket-like. So maybe NT is
sufficiently similar in this case.
Here's how you do it with sockets:
When a server starts up, it typically opens a socket, binds an IP address
and port number to the socket, and does a listen() to await incoming
connections.
Programmers typically bind a "wildcard" IP address to the socket. (The
C-language #define for that address is INADDR_ANY.) The wildcard address
tells the kernel to accept incoming connections on any interface from any
remote IP address. But there's no requirement to use the wildcard address.
Instead, you can bind a more restrictive IP address, such as the network
number of a specific interface. In that case, the socket will only accept
connections from the corresponding interface.
It's a very small change to the code.
I've glanced at the VNC server code (for UNIX) and noticed that it always
binds the wildcard address, so it always listens on all network interfaces.
I've thought about adding the few lines to allow me to pass a command-line
argument specifying that it should listen on only a selected interface.
That's an important security consideration on hosts with multiple
interfaces.
If a NIC's network number changes, the listen() should return an error; the
server has to deal with it by catching the error and re-binding using
updated values. In practice, I suspect that DHCP renews address leases, so
that addresses don't change while a host is up; thus this is probably a
non-issue.
Jeff Stearns / jeff "at" 1fb.net / jeffstearns "at" home.com / 510-649-1816 / cell:
510-326-8557
> - -----Original Message-----
> From: Arnt Witteveen [mailto:Arnt.Witteveen "at" vartec.be]
> Sent: 02 February 2000 11:24
> To: 'vnc-list "at" uk.research.att.com'
> Subject: RE: VNC on a dual homed NT Server
>
> It doesn't run any different on an NT server. I've been looking for
> something like that for a long time. However, now that I think of it, you
> can get the same effect by limiting the IP addresses that are allowed to
> connect, although you could spoof past that, I guess. Still leaves it
> attached to the port however. Anyone know how hard it is (in code) to bind
> to a specific NIC only? Anyone know how to do it in general? I've had some
> socket programming experience, but don't remember anything about selecting
> which NIC/IP (what if a nic's ip changes (dhcp)) to listen() on...
>
> Arnt
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
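The bind-to-one-interface change Jeff describes above, written out as an added example (this is not VNC's code and not from either poster; it is plain BSD-sockets C, tested on Linux). It assumes the host has a working loopback interface at 127.0.0.1 and that the TEST-NET-1 address 192.0.2.1 is not configured on any local NIC, so that binding to it shows what a stale (for example DHCP-changed) address looks like to bind(): the error surfaces at bind(), not at listen(), as EADDRNOTAVAIL.

```c
/* Added example: bind a listening socket to one interface address instead
 * of INADDR_ANY, and handle an address that is not (or no longer)
 * configured on any NIC.  Not VNC's code; generic BSD sockets on Linux. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a TCP listener bound to `ip` (dotted quad) and `port`.
 * ip == NULL gives the wildcard (INADDR_ANY) that the stock VNC server
 * uses; port 0 asks the kernel for any free port.
 * Returns the listening fd, or -1 with errno set. */
int bind_listener(const char *ip, unsigned short port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (ip == NULL) {
        sin.sin_addr.s_addr = htonl(INADDR_ANY);   /* every interface */
    } else if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) {
        close(fd);
        errno = EINVAL;
        return -1;
    }

    /* bind() is where a specific address is checked against the host's
     * interfaces: if `ip` is not configured on any NIC (e.g. after a DHCP
     * lease moved the NIC to a new address) it fails with EADDRNOTAVAIL,
     * and the caller must re-bind with the current address. */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        listen(fd, 5) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Report the address and port a listener actually got (useful after
 * requesting port 0).  Returns 0 on success, -1 on error. */
int listener_addr(int fd, char *buf, size_t buflen, unsigned short *port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return -1;
    if (inet_ntop(AF_INET, &sin.sin_addr, buf, buflen) == NULL)
        return -1;
    *port = ntohs(sin.sin_port);
    return 0;
}

/* Connect to the listener over its bound address and accept the
 * connection: a socket bound to 127.0.0.1 still serves that interface.
 * Returns 1 if the round trip succeeded, 0 otherwise. */
int loopback_roundtrip(int listen_fd)
{
    char ip[INET_ADDRSTRLEN];
    unsigned short port;
    struct sockaddr_in peer;
    int client, accepted, ok = 0;

    if (listener_addr(listen_fd, ip, sizeof ip, &port) < 0)
        return 0;
    if ((client = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return 0;
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons(port);
    inet_pton(AF_INET, ip, &peer.sin_addr);
    /* The handshake completes in the kernel, so a blocking connect()
     * followed by accept() on the same thread is fine over loopback. */
    if (connect(client, (struct sockaddr *)&peer, sizeof peer) == 0 &&
        (accepted = accept(listen_fd, NULL, NULL)) >= 0) {
        ok = 1;
        close(accepted);
    }
    close(client);
    return ok;
}

int main(void)
{
    char ip[INET_ADDRSTRLEN];
    unsigned short port;
    int fd = bind_listener("127.0.0.1", 0);
    if (fd < 0) { perror("bind_listener"); return 1; }
    listener_addr(fd, ip, sizeof ip, &port);
    printf("listening on %s:%u (loopback only)\n", ip, port);
    printf("loopback client accepted: %d\n", loopback_roundtrip(fd));
    close(fd);
    /* Assumed not configured on this host: behaves like a stale address. */
    if (bind_listener("192.0.2.1", 0) < 0)
        printf("bind to 192.0.2.1 failed: %s\n", strerror(errno));
    return 0;
}
```

The only change from the wildcard case is the value placed in sin_addr before bind(); the re-bind on address change that Jeff mentions is the caller's loop around bind_listener() with a freshly looked-up interface address.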