Open a port for local access only


Gunnar Liljas

Hi!

I want to create an application with a small embedded web server, to
serve web pages (HTML, perhaps even using ASP.NET). Creating the server
part itself is not a problem (System.Web.Hosting + sockets etc), but...

1. The server should only be available for localhost. No external access
of any kind should be allowed.
2. Being a "local access only" server I would like to avoid any
involvement of firewalls, e.g. the internal firewall in XP. Users may
find the firewall prompting alarming/irritating and sometimes, if
they're non-administrators, they will not even have access to the XP
firewall. Even more importantly, they may choose the unblock option
(Unblock) when they, in fact, should not unblock the app.

Issue 1 can be solved in code, just by checking the origin of the
requests, but issue 2 is more difficult, especially if we take
non-administrators into consideration.

So, is there some kind of "local access only" socket that can be created
for this kind of use? I can't see any security problems with such a
solution.

Best regards
Gunnar

PS. I just tried DWebPro, a small web server for CD deployment. Trying
out the demo, I couldn't get it to trigger the firewall in any way, even
when I started changing the port used. This seems to suggest there is
some kind of solution to the problem, but maybe it's ugly? DS
 
Gunnar Liljas said:
Hi!

I want to create an application with a small embedded web server, to serve
web pages (HTML, perhaps even using ASP.NET). Creating the server part
itself is not a problem (System.Web.Hosting + sockets etc), but...

1. The server should only be available for localhost. No external access
of any kind should be allowed.
2. Being a "local access only" server I would like to avoid any
involvement of firewalls, e.g. the internal firewall in XP. Users may find
the firewall prompting alarming/irritating and sometimes, if they're
non-administrators, they will not even have access to the XP firewall.
Even more importantly, they may choose the unblock option (Unblock) when
they, in fact, should not unblock the app.

Issue 1 can be solved in code, just by checking the origin of the
requests, but issue 2 is more difficult, especially if we take
non-administrators into consideration.

So, is there some kind of "local access only" socket that can be created
for this kind of use? I can't see any security problems with such a
solution.
....

If your socket listens only on 127.0.0.1 address, not IPAddress.Any
(0.0.0.0), only connections from localhost should be accepted. As for the
firewall, I'm not sure there is much you can do. Firewalls dig deep into the
OS and if they want to block (and are configured to do so), will block.

Regards,
Goran
 
Goran said:
If your socket listens only on 127.0.0.1 address, not IPAddress.Any
(0.0.0.0), only connections from localhost should be accepted. As for
the firewall, I'm not sure there is much you can do. Firewalls dig deep
into the OS and if they want to block (and are configured to do so),
will block.
Yes, but since communication from 127.0.0.1 to 127.0.0.1 goes through
the loopback interface and not through any network adapter (VPN or NIC)
I was hoping that any firewalling would be circumvented. In fact, your
solution so far seems to remedy the problem. Can't understand how I
missed that. The word "Any" should have stared me in the face! :)

Thanks!

/G
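As an added example, not code from the thread or from either poster, here is the loopback-only bind Goran describes in C#, combined with the "check the origin of the request" idea from Gunnar's first point as a second layer; the port number is an assumed value.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Text;

// Added example, not code from the thread. Port 8080 is an assumed value.
class LocalOnlyServer
{
    const int Port = 8080;

    // IPAddress.Loopback (127.0.0.1) instead of IPAddress.Any (0.0.0.0):
    // the socket is never reachable from another host, and nothing is
    // opened on a real adapter for a firewall to prompt about.
    static TcpListener CreateListener()
    {
        return new TcpListener(IPAddress.Loopback, Port);
    }

    // Defence in depth (the "check the origin" idea from the first post):
    // refuse any peer that is not a loopback address, so an accidental
    // change of the bind address does not silently expose the server.
    static bool IsLoopbackPeer(Socket s)
    {
        var ep = s.RemoteEndPoint as IPEndPoint;
        return ep != null && IPAddress.IsLoopback(ep.Address);
    }

    static void Main()
    {
        TcpListener listener = CreateListener();
        listener.Start();
        while (true)
        {
            using (Socket client = listener.AcceptSocket())
            {
                if (!IsLoopbackPeer(client)) continue; // disposed by using
                byte[] body = Encoding.ASCII.GetBytes("Hello from localhost\n");
                byte[] head = Encoding.ASCII.GetBytes(
                    "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n" +
                    "Content-Length: " + body.Length + "\r\n\r\n");
                client.Send(head);
                client.Send(body);
            }
        }
    }
}
```

A loopback-only bind keeps other machines out, but any process or user on the same machine can still connect, so anything sensitive behind it still needs its own authentication. Clients that resolve localhost to ::1 need a separate listener on IPAddress.IPv6Loopback.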
 