Is there a way to configure the backend to only listen on the localhost adapter? I have my firewall configured to only allow connections from localhost, but I like "layers of protection" and would also like to limit the backend seperately from the firewall, if possible.

What I have:

What I want:

what are you trying to limit? your wife accessing the backend with a rouge unauthorized frontend in the basement?

_________________
R5F1 - Dell P4 2.4Ghz 500MB - PVR250 x 2 - GeForce FX 5200 - Onboard sound/NIC 80GB ATA/250GB ATA/400GB SATA

Just basic security. Step one is always to shut off all unneeded services. Step two is to limit those services you do need, to only those who really need them. I could go on and on about strong passwords, tight firewalls, partitioning and readonly filesystems, rings (layers) of security, etc. Have you ever wondered how many computers out there would be happy to let you waltz right on in by ssh-ing with a username of mythv and a password of mythtv (or some trivially close permutation to that)? It makes me shudder to think about it.

And no, the wife's rogue frontend in the basement does NOT need to talk to my backend. And if the day ever comes that it DOES, it will have to authenticate with a pubkey, tunnel in an encrypted port forward via ssh, and carefully avoid all the other boobie trapped ports that will automatically generate an iptables rule to block it into oblivion! (Among other things!)

And I thought, *I* was a security paranoic...

My setup is simple. I don't have the myth box connected directlly to net, it is goes
though a another linux box doing masquerading that is not listening on any ports
except 22 and then only from the one 10.x.x.x address that I use to connect to it
from. When I do want to get to my machine from the outside I set up a port forward
just the IP I am tring to reach it from. My myth box is also running its own set of
iptables rules..

So --- What I saying is that if you want another layer --

Any old box will do a good job with IP masq.