
For portability I work with a lot of software that hosts content on localhost, usually as HTTP/websocket servers.

My computer is connected to a LAN, so others can connect to it.

My question is, how can I be sure that my content is not public for all to see, but only local programs can access it?

I tried to do a bit of research but I am still confused. It seems hosting on 127.0.0.1 instead of 0.0.0.0 should be sufficient, or that it is possible to decide what hosts are allowed to connect when you open the socket, or that you need a full-fledged firewall (and then asking yourself what ports you want to block and deal with a lot of platform-dependent complexity), and I am not even sure where the Windows public/private network distinction stands on the issue. So I am amazed that I could not find a simple answer to such a simple question.

I am asking both for Windows and Linux hosts.

The software I am asking about consists mostly of "headless GUIs": python http.server, bokeh serve, Jupyter notebooks, Pluto.jl, Node.js Express, etc...

And I would like to have the absolute certainty a local network peer cannot access my content even if they spoof their IP or something like that.

2 Answers


It seems hosting on 127.0.0.1 instead of 0.0.0.0 should be sufficient

Sockets bound to the local address 127.0.0.1 and ::1 are generally safe from other hosts, as the OS will (well, should) reject any spoofed packets sent to this address if they arrive over the network.

(However, they are not necessarily safe from websites that you visit. Neither the OS nor the firewall can really distinguish which "localhost" connections are made by which website. Instead, your web browser has to prevent random sites from accessing http://localhost through CORS checks.)

it is possible to decide what hosts are allowed to connect when you open the socket

Most socket APIs don't provide this feature. Though the netstat output for listening sockets may hint at this, it's not a thing in reality.

However, you will receive the client's address whenever you accept a connection, and you can just immediately close it at that point.

or that you need a full-fledged firewall (and then asking yourself what ports you want to block and deal with a lot of platform-dependent complexity)

The Windows firewall supports application-based rules.

and I am not even sure where the Windows public/private network distinction stands on the issue.

The distinction is simply between two "profiles" (rulesets) that you can switch between. Any rule can be marked as belonging to either or both of those profiles.

If you open wf.msc you'll see that some "Allow" rules are set to be active in Private profile but not Public (or possibly the other way around). That's the only real difference between the two.

So if you run http.server or any other app which tries to listen on all addresses the firewall asks you whether to allow it, but also lets you choose which of the two profiles to allow it in. (This just generates a rule which you can later edit through wf.msc.)
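The two points from the answer above that can be shown in code are the loopback-only bind and the accept-time fallback (receive the client's address, close the connection if it is not local). The following is an added example and is not code from the answer or from any of the projects named in the question: a minimal HTTP server that binds to 127.0.0.1 and, in addition, rejects any accepted connection whose peer address is not loopback. The `is_loopback` helper is my own; it treats 127.0.0.0/8, ::1 and the IPv4-mapped form ::ffff:127.x.x.x as local, so the same guard works whether the socket is IPv4 or dual-stack IPv6.

```python
"""Added example (not part of the original answer): loopback-only listener
plus an accept-time peer check."""
import ipaddress
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and IPv4-mapped ::ffff:127.x.x.x.
    A zone id such as 'fe80::1%eth0' is stripped before parsing;
    anything unparseable is treated as non-local."""
    addr = addr.split("%", 1)[0]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_loopback


class LoopbackOnlyServer(HTTPServer):
    """Bind to the address given (127.0.0.1 by default) and additionally drop
    any accepted connection whose peer is not loopback. A listener bound to
    127.0.0.1 cannot receive such a connection in the first place; the check
    is the fallback for an app that someone later points at 0.0.0.0."""
    allow_reuse_address = True

    def verify_request(self, request, client_address):
        # socketserver closes the connection when this returns False
        return is_loopback(client_address[0])


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"hello from loopback\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server(bind_addr="127.0.0.1", port=0):
    """Start the server on a background thread; port 0 lets the OS pick one."""
    srv = LoopbackOnlyServer((bind_addr, port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def bound_address(srv):
    """(host, port) the listening socket actually ended up on; this is what
    netstat/ss would show as the local address of the LISTEN socket."""
    return srv.socket.getsockname()[:2]


def fetch(host, port, timeout=2.0):
    """Plain-socket GET; returns the HTTP status line, or None when the TCP
    connection is refused or times out (listener not reachable on that address)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
            data = b""
            while b"\r\n" not in data:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
            return data.split(b"\r\n", 1)[0].decode()
    except OSError:
        return None


if __name__ == "__main__":
    srv = start_server()
    host, port = bound_address(srv)
    print("listening on", host, port)
    print(fetch("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
```

Usage: run it and try `fetch("<your LAN address>", port)` from another shell; the connection is refused because nothing listens on that address. Change the bind address to `"0.0.0.0"` to see the second line of defence: the LAN peer now gets a TCP connection that is closed before any HTTP is served, while the loopback client still gets `HTTP/1.0 200 OK`.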


In that case I would recommend actually setting up a firewall. That could be either a simple physical firewall in front of your PC (i.e. a DMZ-like architecture) or a software-based option. Since you mentioned Linux, you could simply use iptables to filter access to the INPUT chain based on source IP and interface.

Otherwise, you will need to configure the listening address for each of these services.
