From owner-freebsd-questions@FreeBSD.ORG Mon Jun 2 04:11:58 2003
Date: Mon, 2 Jun 2003 13:11:55 +0200 (CEST)
From: Alexander
To: Matthew Seaman
cc: freebsd-questions@freebsd.org
Subject: Re: Changes to hosts.allow do no affect to inetd daemons some times

Hello

I really know what tcp wrappers is. I just can't exactly get your point.
I'm telling you that I shut the ftpd totally. I've left just one line at
/etc/hosts.allow:

ALL : ALL : deny

and when I simply telnet-ed my.host.com 21 it opened a connection.

I have also auth, pop3, smtp (qmail actually). I've shut the qmail
totally. The pop3 wasn't in use, so that leaves auth. According to you,
if the auth service is active while I change /etc/hosts.allow, there
might be a problem with auth only ... but what about the others?! Does
this affect them too? As I said, I tried even to kill inetd.
Nothing helped.

Again, it's not happening just to a single wrapped daemon, it's
happening to all in /etc/inetd.conf.

Thanks

On Mon, 2 Jun 2003, Matthew Seaman wrote:

> On Mon, Jun 02, 2003 at 10:46:25AM +0200, Alexander wrote:
> > So what you say is that if I had opened identd socket for example then
> > updating /etc/hosts.allow and changing rules for ftpd won't take effect on
> > ftpd after new connection ? (assuming that noone is using my ftpd at all)
>
> Uh -- no. The ftpd lines in /etc/inetd.conf look like this by default:
>
> ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
> ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
>
> Since the service is marked 'nowait', inetd will handle all incoming
> connections to the ftp port and spawn a new copy of ftpd to service
> each different session. inetd will apply the changed tcp wrappers
> filters to each new ftp connection as it occurs. It won't
> retrospectively modify any active ftp sessions.
>
> Most things in /etc/inetd.conf are marked 'nowait', and of the things
> that are marked 'wait' the vast majority are either 'internal' --
> built into inetd -- or they are for RPC based services, in which case
> the TCP wrappers support built into portmap(8) (aka rpcbind(8) on
> FreeBSD 5.x) will be what's important. In the default inetd.conf
> file, there are only 7 exceptions:
>
> % grep '\bwait' /etc/inetd.conf | grep -v 'internal\|rpc'
> #comsat     dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
> #ntalk      dgram   udp     wait    tty:tty /usr/libexec/ntalkd     ntalkd
> #tftp       dgram   udp     wait    root    /usr/libexec/tftpd      tftpd -s /tftpboot
> #tftp       dgram   udp6    wait    root    /usr/libexec/tftpd      tftpd -s /tftpboot
> #bootps     dgram   udp     wait    root    /usr/libexec/bootpd     bootpd
> #auth       stream  tcp     wait    root    /usr/local/sbin/identd  identd -w -t120
> #netbios-ns dgram   udp     wait    root    /usr/local/sbin/nmbd    nmbd
>
> So only if you have enabled one or more of those services and there
> are instances of those processes running should you need to kill and
> restart them to be sure that your modifications to /etc/hosts.allow
> will be applied. Nb. you don't need to restart inetd itself, just
> kill the running instances of ntalkd, bootpd etc. inetd will cope with
> starting new ones as required.
>
> For more info about TCP wrappers, look at
>
> ftp://ftp.porcupine.org/pub/security/tcp_wrapper.ps.Z -or-
> ftp://ftp.porcupine.org/pub/security/tcp_wrapper.txt.Z
>
> (Wietse Venema's presentation to the 3rd Unix Security Symposium)
>
> -plus-
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/tcp_wrappers/README?rev=1.1.1.1.2.1&content-type=text/x-cvsweb-markup
>
> but bear in mind that the FreeBSD inetd has the tcp_wrappers stuff
> built in, so no need for the separate tcpd program.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
>                                                       Savill Way
> PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
> Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
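As an added illustration (not code from either poster), the shell snippet below automates the distinction Matthew draws: it lists the enabled inetd.conf entries that are 'wait'-style and served by an external program (neither 'internal' nor RPC), which are the only ones whose already-running instances must be killed for an edited /etc/hosts.allow to take effect. The inetd.conf content is constructed sample data modelled on the default lines quoted above; the function names are my own.

```shell
#!/bin/sh
# Constructed sample inetd.conf (assumption: modelled on the FreeBSD default
# entries quoted in the thread, not a real system file).
SAMPLE_INETD_CONF='ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
ftp     stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
#comsat dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
auth    stream  tcp     wait    root    /usr/local/sbin/identd  identd -w -t120
daytime stream  tcp     nowait  root    internal
rstatd/1-3 dgram rpc/udp wait   root    /usr/libexec/rpc.rstatd rpc.rstatd
pop3    stream  tcp     nowait  root    /usr/local/libexec/qpopper qpopper -s'

# long_lived_services FILE
# Prints the service names in FILE that inetd starts once and then leaves
# running ("wait"), excluding inetd-internal and RPC entries.  Only these
# need their running instances killed after editing /etc/hosts.allow:
# "nowait" services are re-spawned, and so re-checked against the wrapper
# rules, on every new connection.
long_lived_services() {
    awk '
        /^[[:space:]]*#/ || NF < 6 { next }   # commented-out or malformed
        $4 ~ /^wait/ && $6 != "internal" && $3 !~ /^rpc\// { print $1 }
    ' "$1"
}

# needs_restart FILE NAME: exit 0 if NAME is such a service, else 1.
needs_restart() {
    long_lived_services "$1" | grep -qx "$2"
}

# Demo on the constructed data.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_INETD_CONF" > "$tmp"
echo "kill running instances of:"
long_lived_services "$tmp"
rm -f "$tmp"
```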