From owner-freebsd-questions@FreeBSD.ORG Mon Jun 2 05:29:09 2003
Date: Mon, 2 Jun 2003 13:27:35 +0100
From: Matthew Seaman
To: Alexander
cc: freebsd-questions@freebsd.org
Subject: Re: Changes to hosts.allow do no affect to inetd daemons some times
Message-ID: <20030602122735.GA19194@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20030602130046.A27659-100000@amour.ath.cx>
References: <20030602093952.GA17201@happy-idiot-talk.infracaninophile.co.uk> <20030602130046.A27659-100000@amour.ath.cx>
User-Agent: Mutt/1.5.4i
On Mon, Jun 02, 2003 at 01:11:55PM +0200, Alexander wrote:

> I really know what tcp wrappers is. I just can't exactly get your point.
> I'm telling you that I shut the ftpd totally, I've left just one line at
> /etc/hosts.allow: ALL : ALL : deny
>
> and when I simply telnet-ed my.host.com 21 it opened a connection.

Ah. If TCP wrappers is working correctly, you should see the connection open and then close either almost immediately or as soon as you try to pass any traffic. A port scanner like nmap(1) will show the port as open. You certainly shouldn't see any FTP banners or other FTP traffic if you telnet to the port, though, and you should see a log message from TCP wrappers showing that it denied access.

If you want to run an ftp service hidden completely from certain remote sites, then ipfw(8) or ipf(8) is your friend.

What does 'tcpdmatch' say if you test it with various daemon names and client addresses?

> I have also auth, pop3, smtp (qmail actually)
>
> I've shut down qmail totally. The pop3 wasn't in use, so that leaves
> auth. According to you, if the auth service is active while I change
> /etc/hosts.allow, there might be a problem with auth only ... but what
> about the others?! Does this affect them too? As I said, I tried even to
> kill inetd. Nothing helped

If you kill inetd entirely, then all of the ports managed by inetd should be closed, as 'netstat -a' should show.

There are 5 different example lines for the 'auth' service in /etc/inetd.conf, 4 of which are internal inetd services using 'nowait'. Just use one or more of those, rather than the external identd.
'auth' is meant to be a security thing, but honestly it's pretty much useless --- correctly paranoid system administrators will worry that it reveals entirely too much about the internal setup of their systems and either shut it off or configure it to lie by default. Personally I tend to set up my firewalls to just reset connections to port 113 (nb. not drop, as that will lead to annoying delays) and not run any auth service at all:

    % grep 113 /etc/happy-idiot-talk.ipfw
    add 1300 reset tcp from any to 81.2.69.216/29{218,219} 113 setup in recv de0

> Again, it's not happening just to a single wrapped daemon, it's happening
> to all in /etc/inetd.conf

What flags are you supplying when you start up inetd? The default is:

    inetd_flags="-wW"

which turns on the TCP wrappers for internal (W) and external (w) services via inetd. If you've modified the inetd_flags setting in /etc/rc.conf, you should make sure you include those two letters.

If you're still flummoxed, try running inetd with the '-d' (debug) flag and test making some connections.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
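The two points Matthew makes above (the wrapper only decides after inetd has already accept()ed the connection, so telnet always "opens"; and inetd only consults /etc/hosts.allow at all when started with -w/-W) can be made concrete with a small model of how FreeBSD's single-file hosts.allow is evaluated. The code below is an added example, not part of the original thread and not the tcp_wrappers or inetd sources. It models only a subset of hosts_access(5): daemon names and ALL, IPv4 clients written literally, as a trailing-dot prefix ("192.0.2.") or as "net/mask", the EXCEPT operator, backslash continuation, and the terminating allow/deny options. Hostnames, PARANOID/KNOWN, twist/spawn and a separate hosts.deny are deliberately left out, and the sample configuration is constructed for the example.

```python
"""Toy model of FreeBSD /etc/hosts.allow evaluation, in the spirit of what
tcpdmatch(8) reports.  Added example; not the tcp_wrappers code.  Only a
subset of hosts_access(5) is modelled (see lead-in)."""

import ipaddress


def _split_list(text):
    """A daemon or client list is whitespace- or comma-separated."""
    return text.replace(",", " ").split()


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, client):
    """Match one IPv4 client address against one client pattern."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # "192.0.2." prefix form
        return client.startswith(pattern)
    if "/" in pattern:                              # "net/mask" form
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client) in network
    return pattern == client                        # literal address (no DNS)


def _match_list(text, value, matcher):
    """'list_1 EXCEPT list_2': match list_1 unless list_2 also matches.
    Splitting on the first EXCEPT gives the right-to-left grouping."""
    left, sep, right = text.partition(" EXCEPT ")
    hit = any(matcher(p, value) for p in _split_list(left))
    if sep and hit:
        hit = not _match_list(right, value, matcher)
    return hit


def parse_hosts_allow(text):
    """Return (daemon_list, client_list, options) tuples in file order.
    Blank lines and lines starting with '#' are ignored; a trailing
    backslash joins the next line, as in hosts_access(5)."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not pending and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical, pending = pending + line, ""
        fields = [f.strip() for f in logical.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed hosts.allow rule: {logical!r}")
        rules.append((fields[0], fields[1], [o.lower() for o in fields[2:]]))
    return rules


def tcpdmatch(hosts_allow, daemon, client):
    """First matching rule wins and its allow/deny option decides.  A match
    with neither option grants access; so does no match at all (tcp_wrappers
    then falls through to hosts.deny, which FreeBSD does not ship, and
    finally defaults to allow)."""
    for daemons, clients, options in parse_hosts_allow(hosts_allow):
        if (_match_list(daemons, daemon, _match_daemon)
                and _match_list(clients, client, _match_client)):
            return "denied" if "deny" in options else "granted"
    return "granted"


def inetd_wraps(inetd_flags, daemon_is_internal):
    """inetd(8) consults hosts.allow only with -w (external services) or
    -W (internal services such as auth/echo); the default is -wW."""
    flags = inetd_flags.lstrip("-")
    return ("W" in flags) if daemon_is_internal else ("w" in flags)


def connection_outcome(inetd_flags, daemon_is_internal, hosts_allow, daemon, client):
    """The TCP handshake always completes: inetd has accept()ed before the
    wrapper runs.  What differs is whether the service is ever started."""
    if not inetd_wraps(inetd_flags, daemon_is_internal):
        return "granted (unwrapped)"
    return tcpdmatch(hosts_allow, daemon, client)


# Constructed sample configuration (not a real file from the thread).
SAMPLE_HOSTS_ALLOW = """# constructed example
ALL : localhost 127.0.0.1 : allow
ftpd : 192.0.2.0/255.255.255.0 EXCEPT 192.0.2.99 : allow
ftpd : ALL : deny
ALL : ALL : allow
"""

if __name__ == "__main__":
    print(tcpdmatch("ALL : ALL : deny\n", "ftpd", "198.51.100.7"))
    print(connection_outcome("-wW", False, SAMPLE_HOSTS_ALLOW, "ftpd", "192.0.2.10"))
    print(connection_outcome("", True, "ALL : ALL : deny\n", "auth", "192.0.2.10"))
```

Feed it the one-line "ALL : ALL : deny" file from the thread and every daemon/client pair is denied, which is the outcome the real tcpdmatch should also print; switch inetd_flags to something without w/W and the same file is never consulted, which is the case the last part of the mail is probing for.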