Date: Mon, 2 Jun 2003 13:11:55 +0200 (CEST) From: Alexander <amour@amour.ath.cx> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: freebsd-questions@freebsd.org Subject: Re: Changes to hosts.allow do no affect to inetd daemons some times Message-ID: <20030602130046.A27659-100000@amour.ath.cx> In-Reply-To: <20030602093952.GA17201@happy-idiot-talk.infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello I really know what tcp wrappers is. I just can't exactly get your point. I'm telling you that I shut the ftpd totaly, I've left just one line at /etc/hosts.allow: ALL : ALL : deny and when I simply telnet-ed my.host.com 21 it opened a connection. I have also auth, pop3, smtp (qmail actually) I've shutted the qmail totaly. The pop3 wasn't in use so it leaves to auth. According to you if the auth service is active while I change /etc/hosts.allow, there might be a problem with auth only ... but what about the others ?! Does this affect them too ? As I said, I tried even to kill inetd. Nothing helped Again, it's not happening just to a single wrapped daemon, it's happening to all in /etc/inetd.conf Thanks On Mon, 2 Jun 2003, Matthew Seaman wrote: > On Mon, Jun 02, 2003 at 10:46:25AM +0200, Alexander wrote: > > So what you say is that if I had opened identd socket for example then > > updating /etc/hosts.allow and changing rules for ftpd won't take affect on > > ftpd after new connection ? (assuming that noone is using my ftpd at all) > > Uh -- no. The ftpd lines in /etc/inetd.conf look like this by default: > > ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l > ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -l > > Since the service is marked 'nowait', inetd will handle all incoming > connections to the ftp port and spawn a new copy of ftpd to service > each different session. inetd will apply the changed tcp wrappers > filters to each new ftp connection as it occurs. It won't > retrospectively modify any active ftp sessions. > > Most things in /etc/inetd.conf are marked 'nowait', and of the things > that are marked 'wait' the vast majority are either 'internal' -- > built into inetd -- or they are for RPC based services, in which case > the TCP wrappers support built into portmap(8) (aka rpcbind(8) on > FreeBSD 5.x) will be what's important. In the default inetd.conf > file, there are only 7 exceptions: > > % grep '\bwait' /etc/inetd.conf | grep -v 'internal\|rpc' > #comsat dgram udp wait tty:tty /usr/libexec/comsat comsat > #ntalk dgram udp wait tty:tty /usr/libexec/ntalkd ntalkd > #tftp dgram udp wait root /usr/libexec/tftpd tftpd -s /tftpboot > #tftp dgram udp6 wait root /usr/libexec/tftpd tftpd -s /tftpboot > #bootps dgram udp wait root /usr/libexec/bootpd bootpd > #auth stream tcp wait root /usr/local/sbin/identd identd -w -t120 > #netbios-ns dgram udp wait root /usr/local/sbin/nmbd nmbd > > So only if you have enabled one or more of those services and there > are instances of those processes running should you need to kill and > restart them to be sure that your modifications to /etc/hosts.allow > will be applied. Nb. you don't need to restart inetd itself, just > kill the running instances of ntalkd, bootpd etc. inetd will cope with > starting new ones as required. > > For more info about TCP wrappers, look at > > ftp://ftp.porcupine.org/pub/security/tcp_wrapper.ps.Z -or- > ftp://ftp.porcupine.org/pub/security/tcp_wrapper.txt.Z > > (Wietse Venema's presentation to the 3rd Unix Security Symposium) > > -plus- > > http://www.freebsd.org/cgi/cvsweb.cgi/src/contrib/tcp_wrappers/README?rev=1.1.1.1.2.1&content-type=text/x-cvsweb-markup > > but bear in mind that the FreeBSD inetd has the tcp_wrappers stuff > built in, so no need for the separate tcpd program. > > Cheers, > > Matthew > > -- > Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks > Savill Way > PGP: http://www.infracaninophile.co.uk/pgpkey Marlow > Tel: +44 1628 476614 Bucks., SL7 1TH UK >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030602130046.A27659-100000>