dccifd listening on every interface

Vernon Schryver vjs@calcite.rhyolite.com
Tue Jun 20 15:44:41 UTC 2006

> From: John Eikenberry 

> I recently started using dccifd with my local spamassassin setup. I have it
> up and running and it works great. My only concern is that I'm getting
> reports from my tiger audits about dccifd listening on every interface,
> which netstat bears out. Other times, when not getting these reports,
> dccifd just has an established udp port on the localhost interface. Of
> course in both situations there are the usual domain sockets and
> established connections to the servers.
> I'm not really an expert on these things but have been doing this for a
> while and I try to keep a tight rein on my open ports. Is this expected
> behaviour I should filter out of my tiger reports or is there some
> configuration option I am missing?
> I can provide more information as needed, but am mainly just looking for an
> a brief explanation or indication about whether this is something I should
> worry about.

If you have reason to be concerned about the ports on which dccifd
listens, then you should turn off dccifd.  Either it is safe and does
not act on external orders, or it is unsafe and should be turned off.
Because the DCC client-server protocol is binary and involves explicit
lengths, one would not expect typical "buffer overruns."

That description of open ports does not make a lot of sense to me.  
  - dccifd does not use the loopback interface except when 
     + using DNS blacklists configured with -B
     + there is a local DNS server
     + dccifd is configured as an SMTP proxy perhaps to act as a 
         postfix before-queue filter
     + TCP is used instead of a UNIX domain socket to talk to the MTA

  - Dccifd does not use TCP except when configured to use TCP instead
     of a UNIX domain socket to talk to the MTA, and so talk of
     established connections to servers doesn't make sense.  Perhaps
     what is meant are UDP sockets connected to the currently chosen
     DCC server.

  - Dccifd does not use getifaddrs() and so does not know about every
     network interface.  Sometimes while looking for a better (or any)
     accessible DCC server, dccifd uses a wildcard UDP socket, but that
     differs from having sockets bound to each network interface.

Vernon Schryver    vjs@rhyolite.com
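
For triaging the kind of audit report discussed in this thread, the following added example (not part of the original message and not DCC code) classifies UDP rows from Linux `netstat -anu` output, separating a single wildcard socket from connected, loopback-only and single-address sockets. The sample rows, addresses, ports and function names are constructed for illustration.

```python
import ipaddress

# Constructed `netstat -anu` rows (Linux layout); all addresses and ports are made up.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:32770           0.0.0.0:*
udp        0      0 192.0.2.10:32771        203.0.113.5:6277        ESTABLISHED
udp        0      0 127.0.0.1:32772         127.0.0.1:53            ESTABLISHED
udp        0      0 127.0.0.1:32773         0.0.0.0:*
udp6       0      0 :::32774                :::*
"""

def split_endpoint(text):
    """Split 'host:port' on the last colon so IPv6 forms like ':::*' work."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host), port

def classify(line):
    """Return (kind, local_endpoint) for a UDP row, or None for other lines."""
    fields = line.split()
    if len(fields) < 5 or not fields[0].startswith("udp"):
        return None
    local, _ = split_endpoint(fields[3])
    peer, peer_port = split_endpoint(fields[4])
    if not (peer.is_unspecified and peer_port == "*"):
        kind = "connected"       # kernel only delivers datagrams from this peer
    elif local.is_unspecified:
        kind = "wildcard"        # one socket, reachable via any local address
    elif local.is_loopback:
        kind = "loopback-only"
    else:
        kind = "single-address"
    return kind, fields[3]

def audit(text):
    """Classify every UDP row in a netstat dump."""
    return [r for r in map(classify, text.splitlines()) if r]

if __name__ == "__main__":
    for kind, local in audit(SAMPLE):
        print(f"{kind:15} {local}")
```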
