Date: Fri, 7 Sep 2001 14:22:33 -0700 From: "Nathan Miller" <nam20485@gladstone.uoregon.edu> To: <freebsd-questions@FreeBSD.ORG> Subject: tcpd problems Message-ID: <001d01c137e3$35b8ec60$2df3df80@uoregon.edu>
I'm having trouble getting tcp_wrappers set up properly. The problem is this: when I set up /etc/hosts.allow with what (I think) are valid rules, I get unexpected behavior. For instance, when I enter a rule such as:

    telnetd : ALL : allow

and then try to telnet in from some machine, I get the catch-all rule at the very bottom of a default hosts.allow:

    ALL : ALL : twist.... echo "you are not allowed to use %d from %h"

and the telnet client issues "you are not allowed to use tcpd from <the client's ip>" (notice the service is listed as TCPD, not telnetd).

So, no rules will work unless I add a line where ALL or TCPD is the service:

    TCPD/ALL : ... : ...

At which point everything works, well, at least the services started by inetd (ftpd and telnetd).

Now my rule for sshd doesn't seem to be affected, which works fine with a rule of

    sshd : ALL : allow

I don't know if it's a coincidence or not, but the services which give me this trouble are exactly the ones started from /etc/inetd.conf.

Now, I have set up tcp_wrappers successfully before; the tcpd executable is there in /usr/local/libexec, and inetd.conf is set up appropriately:

    ...
    ftp     stream  tcp     nowait  root    /usr/local/libexec/tcpd  ftpd -lS
    telnet  stream  tcp     nowait  root    /usr/local/libexec/tcpd  telnetd
    ...

My suspicion is that tcpd is not matching the incoming service request (say, ftp) against a rule for the respective service (say, ftpd : ALL : allow) because the service trying to be matched is tcpd, as evidenced by the macro expansion in the very bottom default rule displaying the service as tcpd:

    ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %c."
    ===>

Has anyone seen this problem before or has an idea what I am doing wrong? Any help would be much appreciated by this new FreeBSD user. Thanks in advance (and if you're reading this, thanks for having enough patience to spend your time reading this rambling message).

Nathan Miller
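An added example, not part of Nathan's post and not tcp_wrappers' own code: a small Python model of hosts_access(5) evaluation, run over the rules quoted in the post. It shows the mechanics behind what the post observes. Matching is first-rule-wins on the daemon name the wrapper is handed, so when that name is tcpd rather than telnetd, the `telnetd : ALL : allow` line never matches, the request falls through to the `ALL : ALL` twist, and its %d expands to tcpd. The second rule set is an assumption of mine, not something the thread gives: it goes beyond the post by keying the rule on tcpd but scoping it with a net/mask pattern and EXCEPT instead of ALL. The client addresses (192.0.2.x, 198.51.100.7) are constructed.

```python
"""Model of tcp_wrappers hosts_access(5) evaluation for /etc/hosts.allow.

Added example, not from the original post and not tcpd's own code. It
implements first-match rule selection, the EXCEPT operator, the common
client patterns and the %d/%h/%c/%a expansions: enough to trace which
rule a given (daemon, client) pair hits.
"""
import ipaddress
import re

# Constructed sample modelled on the rules quoted in the post; not a real file.
HOSTS_ALLOW = r'''
telnetd : ALL : allow
sshd : ALL : allow
ALL : ALL \
    : severity auth.info \
    : twist /bin/echo "You are not welcome to use %d from %c."
'''

# Constructed variant (assumption, not from the post): key the rule on the
# daemon name that actually arrives and scope it to one network, minus one host.
HOSTS_ALLOW_SCOPED = r'''
tcpd : 192.0.2.0/255.255.255.0 EXCEPT 192.0.2.99 : allow
sshd : ALL : allow
ALL : ALL : twist /bin/echo "You are not welcome to use %d from %c."
'''


def parse_rules(text):
    """Return [(daemon_list, client_list, options)] from hosts.allow text.

    Backslash-newline continues a rule; '#' starts a comment. Fields are
    split on ':' as tcpd does, so IPv6 literals and colons inside option
    commands are not handled by this model.
    """
    rules = []
    for raw in re.sub(r'\\\n', ' ', text).splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(':')]
        if len(fields) < 2:
            raise ValueError('malformed rule: %r' % raw)
        rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules


def client_matches(pattern, addr, host):
    """Subset of the hosts_access(5) client patterns."""
    if pattern == 'ALL':
        return True
    if pattern == 'LOCAL':                      # host name without a dot
        return '.' not in host
    if pattern.startswith('.'):                 # .example.org: domain suffix
        return host.endswith(pattern)
    if pattern.endswith('.'):                   # 192.0.2. : address prefix
        return addr.startswith(pattern)
    if '/' in pattern:                          # net/mask
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (addr, host)


def list_matches(tokens, pred):
    """'a b EXCEPT c' matches when a or b matches and c does not (EXCEPT binds right)."""
    if 'EXCEPT' in tokens:
        i = tokens.index('EXCEPT')
        return list_matches(tokens[:i], pred) and not list_matches(tokens[i + 1:], pred)
    return any(pred(t) for t in tokens)


def expand(text, daemon, addr, host):
    """%d daemon, %a address, %h host name, %c client info (no ident lookup here)."""
    subs = {'d': daemon, 'a': addr, 'h': host, 'c': host, '%': '%'}
    return re.sub(r'%(.)', lambda m: subs.get(m.group(1), m.group(0)), text)


def hosts_access(rules, daemon, addr, host=None):
    """First matching hosts.allow rule wins.

    Returns (verdict, expanded_options). A 'twist' or 'deny' option refuses
    the connection; any other match allows it. With no match, real tcpd goes
    on to /etc/hosts.deny and allows if nothing matches there either.
    """
    host = host or addr
    for daemons, clients, options in rules:
        if (list_matches(daemons, lambda p: p in ('ALL', daemon))
                and list_matches(clients, lambda p: client_matches(p, addr, host))):
            expanded = [expand(o, daemon, addr, host) for o in options]
            refused = any(o.split()[:1] in (['deny'], ['twist']) for o in expanded)
            return ('deny' if refused else 'allow'), expanded
    return 'unmatched', []


def trace(text, addr, daemons=('telnetd', 'sshd', 'tcpd')):
    """Which rule each daemon name hits for one client; the poster's %d came out as tcpd."""
    rules = parse_rules(text)
    return {d: hosts_access(rules, d, addr) for d in daemons}


if __name__ == '__main__':
    for daemon, (verdict, opts) in trace(HOSTS_ALLOW, '192.0.2.10').items():
        print('%-8s %-7s %s' % (daemon, verdict, ' : '.join(opts)))
```

Two checks worth running on the real box rather than on this model: `tcpdmatch -i /etc/inetd.conf telnetd <client-address>`, the tcp_wrappers tool that predicts the verdict from the live files (`-d` makes it read hosts.allow and hosts.deny from the current directory), and `inetd_flags` in /etc/rc.conf. FreeBSD's inetd performs its own libwrap check when started with -w, and my reading of inetd(8) is that it then uses the basename of the server-program field, here tcpd, as the daemon name; that reading is mine, not something the post states.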