aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--doc/s6-tcpserver-access.html5
-rw-r--r--src/conn-tools/s6-tcpserver-access.c2
2 files changed, 4 insertions, 3 deletions
diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html
index 3746118..6de1ca6 100644
--- a/doc/s6-tcpserver-access.html
+++ b/doc/s6-tcpserver-access.html
@@ -123,8 +123,9 @@ for legacy programs that need it. </li>
<li> <tt>-p</tt>&nbsp;: paranoid. After looking up a name for the remote
host, s6-tcpserver-access will lookup IP addresses for this name, and drop
the connection if none of the results matches the address the connection
-is originating from. Note that this still does not replace real
-authentication via a cryptographic protocol. </li>
+is originating from. For safest results, pair that option with <tt>-w</tt>
+so any DNS error drops the connection. (Note that this still does not replace real
+authentication via a cryptographic protocol.) </li>
<li> <tt>-l&nbsp;<em>localname</em></tt>&nbsp;: use <em>localname</em>
as the value for the ${PROTO}LOCALHOST environment variable, instead of
looking it up in the DNS. </li>
diff --git a/src/conn-tools/s6-tcpserver-access.c b/src/conn-tools/s6-tcpserver-access.c
index cd9d1e0..8db7bf9 100644
--- a/src/conn-tools/s6-tcpserver-access.c
+++ b/src/conn-tools/s6-tcpserver-access.c
@@ -123,7 +123,7 @@ int main (int argc, char const *const *argv)
}
if (!argc) dieusage() ;
if (!*argv[0]) dieusage() ;
- if (flagparanoid) flagdnslookup = flagfatal = 1 ;
+ if (flagparanoid) flagdnslookup = 1 ;
proto = getenv("PROTO") ;
if (!proto) strerr_dienotset(100, "PROTO") ;