diff options
| -rw-r--r-- | doc/s6-tcpserver-access.html | 5 | ||||
| -rw-r--r-- | src/conn-tools/s6-tcpserver-access.c | 2 |
2 files changed, 4 insertions, 3 deletions
diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html index 3746118..6de1ca6 100644 --- a/doc/s6-tcpserver-access.html +++ b/doc/s6-tcpserver-access.html @@ -123,8 +123,9 @@ for legacy programs that need it. </li> <li> <tt>-p</tt> : paranoid. After looking up a name for the remote host, s6-tcpserver-access will lookup IP addresses for this name, and drop the connection if none of the results matches the address the connection -is originating from. Note that this still does not replace real -authentication via a cryptographic protocol. </li> +is originating from. For safest results, pair that option with <tt>-w</tt> +so any DNS error drops the connection. (Note that this still does not replace real +authentication via a cryptographic protocol.) </li> <li> <tt>-l <em>localname</em></tt> : use <em>localname</em> as the value for the ${PROTO}LOCALHOST environment variable, instead of looking it up in the DNS. </li> diff --git a/src/conn-tools/s6-tcpserver-access.c b/src/conn-tools/s6-tcpserver-access.c index cd9d1e0..8db7bf9 100644 --- a/src/conn-tools/s6-tcpserver-access.c +++ b/src/conn-tools/s6-tcpserver-access.c @@ -123,7 +123,7 @@ int main (int argc, char const *const *argv) } if (!argc) dieusage() ; if (!*argv[0]) dieusage() ; - if (flagparanoid) flagdnslookup = flagfatal = 1 ; + if (flagparanoid) flagdnslookup = 1 ; proto = getenv("PROTO") ; if (!proto) strerr_dienotset(100, "PROTO") ; |
