Source IP address for proxy requests
Phil Mayers
p.mayers at imperial.ac.uk
Tue Sep 26 20:50:51 CEST 2006
Nicolas Baradakis wrote:
>> Yes you are correct. Obviously I didn't read the thread in enough
>> depth. It does bring up the issue that we maybe should have an optional
>> proxy_source_ip config option..
All IP protocol servers should offer each type of socket a configurable
bind address (or list of such). That is quite aside from the specifics
of this issue - that is, it solves other, much much harder to solve
problems than just this issue, and is required for absolutely
deterministic behaviour.
>
> I don't think it's a good idea, because all the realm servers may not be
> on the same network. IMHO FreeRADIUS doesn't have to cope with the network
> configuration of the host: it only has to set the destination IP, and the
> rest is handled by the kernel.
>
This is not a convincing argument to my ear.
There are legitimate reasons to want to bind to a *specific* IP for
sockets sinking and sourcing datagrams (and in fact for stream
protocols, though these tend to be less of an issue). Bind, a venerable
(if crufty) and EXTREMELY widely deployed datagram protocol
client/server, has found this out repeatedly (see transfer-source,
query-source, notify-source - those options weren't added for giggles).
I'm currently running into a problem with ISC dhcpd related to its
failure to offer IP-specific bind options and offering service to
overlapping address space on a single server, which is impossible for
the want of this micro-option.
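
Added example, not part of the original post and not FreeRADIUS code: a minimal C sketch of what a configurable source address for outgoing datagrams amounts to at the socket level, next to the kernel-chosen default. The helper name `open_proxy_socket`, the constructed loopback addresses, and the use of UDP port 1812 are assumptions for illustration; it assumes Linux, where every address in 127.0.0.0/8 is local.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Added example (hypothetical helper, not FreeRADIUS code).
 * Open a UDP socket toward dst_ip:dst_port. When src_ip is non-NULL, bind to
 * it first (port 0 = ephemeral) and fail instead of falling back if that
 * address is not local. The local address in use is written to out.
 * Returns the fd, or -1 on error. */
int open_proxy_socket(const char *src_ip, const char *dst_ip, int dst_port,
                      char *out, socklen_t outlen)
{
    struct sockaddr_in src = {0}, dst = {0}, local;
    socklen_t len = sizeof(local);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (src_ip) {
        src.sin_family = AF_INET;
        if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0)
            goto fail;
    }
    dst.sin_family = AF_INET;
    dst.sin_port = htons((unsigned short)dst_port);
    /* connect() on a datagram socket sends nothing; it fixes the peer and
     * makes the kernel choose a source address if none was bound. */
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0 ||
        getsockname(fd, (struct sockaddr *)&local, &len) < 0 ||
        !inet_ntop(AF_INET, &local.sin_addr, out, outlen))
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

int main(void)
{
    char ip[INET_ADDRSTRLEN];
    /* Constructed addresses: 127.0.0.2 is local on Linux (all of 127/8). */
    int fd = open_proxy_socket("127.0.0.2", "127.0.0.1", 1812, ip, sizeof(ip));
    printf("bound source: %s\n", fd >= 0 ? ip : "(failed)");
    if (fd >= 0) close(fd);
    return 0;
}
```

Passing `NULL` as `src_ip` leaves the choice to the kernel's route lookup, which is the behaviour the quoted reply argues for; passing an address makes the source the same on every request, or makes the failure visible at startup when the address is not configured on the host.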