commit b77ec5cb5b3ed400b44302bdbd76e2275d819da3
Author: James Polley <email address hidden>
Date: Sun Dec 7 17:29:54 2014 +0100

System dnsmasq daemon should only listen on lo

Neutron runs dnsmasq. That's all nice and good.

But just having dnsmasq installed means that the system runs a different
dnsmasq, which by default listens (and responds) on all interfaces.

For machines that are accessible on the public internet, this means they
can be used in dns-amplification DOS attacks. This tends to make
security and network people sad.

This patch drops some config for the system dnsmasq which tells it to
only listen on 127.0.0.1.

If the deployer needs dnsmasq listening on other interfaces, another
file dropped in /etc/dnsmasq.d can be used to specify additional
interfaces or IP addresses.
Reviewed: https://review.openstack.org/139865
Committed: https://git.openstack.org/cgit/openstack/tripleo-image-elements/commit/?id=b77ec5cb5b3ed400b44302bdbd76e2275d819da3
Submitter: Jenkins
Branch: master
Change-Id: I6b390e168c2f972b0beab52815922bb6b2ccf786
Partial-bug: 1188067
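
An added example, not part of this commit or the tripleo-image-elements code: a small audit that merges dnsmasq config fragments, as the files under /etc/dnsmasq.d would be, and reports any listener that is not loopback. The fragment file names and sample contents are constructed; `listen-address` and `interface` are dnsmasq's own option names, and the inline `#` comment handling is a simplification.

```python
import ipaddress

# dnsmasq options that decide which addresses/interfaces it answers on.
LISTEN_KEYS = {"listen-address", "interface"}

# Constructed sample fragments (hypothetical file names, not the patch's files).
NO_RESTRICTION = {"00-upstream.conf": "# resolver only\nserver=192.0.2.53\n"}
LOOPBACK_ONLY = dict(NO_RESTRICTION, **{"lo-only.conf": "listen-address=127.0.0.1\n"})
DEPLOYER_EXTRA = dict(LOOPBACK_ONLY, **{
    "extra.conf": "interface=eth0\nlisten-address=192.0.2.10  # public side\n"})


def effective_listeners(fragments):
    """Merge fragments (file name -> text) into (file, option, value) tuples."""
    found = []
    for name in sorted(fragments):
        for raw in fragments[name].splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments
            if "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key in LISTEN_KEYS:
                # comma-separated values are treated as separate listeners
                found.extend((name, key, v.strip())
                             for v in value.split(",") if v.strip())
    return found


def is_loopback(key, value):
    """True when the setting confines dnsmasq to the loopback interface."""
    if key == "interface":
        return value == "lo"
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False  # unparsable address: treat as exposed


def audit(fragments):
    """Return findings; an empty list means only loopback listeners are set."""
    listeners = effective_listeners(fragments)
    if not listeners:
        return ["no interface/listen-address set: dnsmasq answers on all interfaces"]
    return [f"{name}: {key}={value} is not loopback"
            for name, key, value in listeners if not is_loopback(key, value)]


if __name__ == "__main__":
    for label, sample in [("default", NO_RESTRICTION), ("patched", LOOPBACK_ONLY),
                          ("with deployer file", DEPLOYER_EXTRA)]:
        print(label, audit(sample))
```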