in reply to Discriminating between local and remote IP's

avitar, the address space of 192.168.0.0/16 is considered reserved address space, as well as 172.16.0.0/12 and 10.0.0.0/8, by the IANA, according to this intarweb page. Addresses that are inside this range can be considered private, and you could reduce the need for cumbersome log-in computation.

The Net::CIDR module has functions that can check an IP address to see if it belongs to an address range, so use the remote host environment variable with this function.

amt.


Re^2: Discriminating between local and remote IP's
by Avitar (Acolyte) on Oct 04, 2004 at 19:26 UTC
    That was only an example range. I realize that they are supposedly private ranges, however they will sometimes resolve, or are spoofed.

    For instance I run a traceroute on 10.0.0.1 and I get something such as:

    1 15 ms 15 ms 15 ms 66.13.200.101
    2 15 ms 16 ms 15 ms 4.24.46.181
    3 15 ms 15 ms 16 ms 10.0.0.1

    Although these are trusted servers for the most part, I do not want to give IANA any escalated privileges. Paranoid? Maybe... but better safe than sorry.

    For this reason I wanted to have the server check to see if the request was received via the local area NIC or the NIC with the internet connection.
      I would never trust any IP address in the private ranges. You might have someone else's network

      You are assuming that the server has two NICs, one on a private LAN, and another on the Internet connection. This is a rare configuration. Also, it is fairly hard to determine which interface the connection came from. You can look at the incoming IP address. It isn't that reliable for security.

      It is better to look at the remote IP address. This can be spoofed and isn't very good security. But if you are looking at the IP address for trust, you aren't interested in good security.

        While it is true that using IP addresses for trust is not good security, it is easy to find out on which IP a connection came in:

        getsockname SOCKET
            Returns the packed sockaddr address of this end of the SOCKET connection, in case you don't know the address because you have several different IPs that the connection might have come in on.

        HTH, --traveler
      The situation I am picturing is an internet sharing situation where you have machines on a wire to the machine with two NICs. One NIC is for the ether, and the other is for the internet. Using Net::CIDR to test whether it is contained in one of these networks should still work. When you are tracerouting to 10.0.0.1, you could be going out of the Internet NIC, as the lowest eth* will be chosen if not specified, so keep that in consideration.
      If the situation is what I think it is, then those machines have one NIC and are on an internal network that the box in question is directly connected to, so they have no choice but to be on the same network.
      amt.

      For this reason I wanted to have the server check to see if the request was received via the local area NIC or the NIC with the internet connection.

      Can't be done using perl. The best you can do is look at the IPs.

      I suggest creating a whitelist of all the "trusted" IPs as a bunch of CIDR blocks (using Net::CIDR as someone else suggested), then checking connections against that.
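The two pieces of advice in this thread, a CIDR whitelist for the remote address (amt and the reply above) and getsockname to learn which local address the connection arrived on (traveler), combined into one added example. This is not code from the thread; it is written in Python rather than Perl so it runs stand-alone, with the standard ipaddress module standing in for Net::CIDR::cidrlookup and socket.getsockname for Perl's getsockname. The LAN-side address and trusted blocks are made-up values, and the loopback round trip only shows the mechanism; it applies when the script owns the listening socket (a standalone daemon), whereas under CGI the web server holds the socket and the local address arrives in SERVER_ADDR instead.

```python
import ipaddress
import socket

# Constructed example values (assumptions, not from the thread): the address of
# the LAN-facing NIC, and the CIDR blocks this box is willing to trust.
LAN_ADDRESSES = {"192.168.1.1"}
TRUSTED_BLOCKS = [ipaddress.ip_network(b) for b in ("192.168.1.0/24", "10.0.0.0/8")]

# The IANA-reserved private ranges cited in the thread.
PRIVATE_BLOCKS = [ipaddress.ip_network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_blocks(ip, blocks):
    """True if ip lies inside any of the CIDR blocks (Net::CIDR::cidrlookup equivalent)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in blocks)


def is_private(ip):
    """Is this address in one of the reserved private ranges?"""
    return in_blocks(ip, PRIVATE_BLOCKS)


def is_trusted(remote_ip, local_ip, trusted_blocks=TRUSTED_BLOCKS,
               lan_addresses=LAN_ADDRESSES):
    """Whitelist decision for one connection.

    Both conditions must hold: the remote address is in a trusted block, and the
    connection arrived on a LAN-side local address.  A private-looking remote
    address that came in over the internet-facing NIC (the leaked or spoofed
    10.0.0.1 from the traceroute) fails the second test and is rejected.
    """
    return in_blocks(remote_ip, trusted_blocks) and local_ip in lan_addresses


def local_address_of_connection(conn):
    """The address this end of an accepted socket is bound to: Perl's getsockname SOCKET."""
    return conn.getsockname()[0]


def demo_getsockname():
    """Loopback round trip, so it runs offline: listen, connect, accept, then ask the
    accepted socket which local address it arrived on.  127.0.0.1 stands in for a NIC.
    Returns (local address, peer address)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(srv.getsockname())      # completes once the kernel queues it
    conn, peer = srv.accept()
    try:
        return local_address_of_connection(conn), peer[0]
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    # Constructed connection records: (remote address, local address it arrived on).
    for remote, local in [("192.168.1.20", "192.168.1.1"),   # LAN host via LAN NIC
                          ("10.0.0.1", "66.13.200.101"),     # private-looking, internet NIC
                          ("8.8.8.8", "192.168.1.1")]:       # public, not whitelisted
        print(remote, "private" if is_private(remote) else "public",
              "trusted" if is_trusted(remote, local) else "rejected")
    print("accepted on", demo_getsockname())
```

The point of the two-part check is that membership in a private range says nothing on its own: the traceroute in the thread reaches 10.0.0.1 through two public hops, so that address is only trustworthy if it also came in on the interface where such addresses are expected.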