From: Uwe Doering <gemini@geminix.org>
Date: Thu, 05 Feb 2004 15:14:10 +0100
To: freebsd-questions@freebsd.org
Subject: Re: tcp blackhole and ident

J.D. Bronson wrote:
> At 07:39 AM 1/31/2004, Matthew Seaman wrote:
>
>> On Sat, Jan 31, 2004 at 07:32:36AM -0600, J.D. Bronson wrote:
>> > I have a question. I set up the following in sysctl.conf:
>> >
>> > net.inet.tcp.blackhole=2
>> > net.inet.udp.blackhole=1
>> >
>> > ..Well this works, but now I have a new issue.
>> > I run sendmail and as such, need to allow TCP 113 into this machine
>> > and yet get CONNECTION REFUSED. - I don't want to run IDENT, but
>> > need to still get the CONNECTION REFUSED...
>>
>> Run ipfw(8) or a similar firewall and set up a rule that sends an ICMP
>> reject whenever it detects an incoming connection on port 113 as part
>> of your firewall configuration. E.g. something like:
>>
>> 01600 reset tcp from any to me dst-port 113 setup
>
> Thanks...but I have quite a robust Cisco firewall in place ahead of the
> freebsd machines...so I don't -need- to run ipfw...Hmmm...

You can achieve this rejection on the application level as well. Here's how:

1. Run inetd with command line options '-wW' to enable libwrap support.

2. Enable inetd's internal auth service with

   auth stream tcp nowait root internal

3. Deny auth connections in libwrap's /etc/hosts.allow, like so:

   auth : ALL : severity debug : deny
   ALL : ALL : allow

Now you have something (inetd) bound to port 113, so a connection can be
established, but it gets dropped immediately due to the libwrap setup.
This is sufficient to prevent timeouts on the remote end but at the same
time leaks as little information as possible for an application level
solution.

Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
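An added example, not code from the thread: the three steps above as config fragments, plus a small sh evaluator that applies the hosts_access(5) first-match rule to a constructed hosts.allow, so the effect of rule order on the auth service can be checked before touching a live machine. The inetd_flags rc.conf variable, the 192.0.2.10 client and the "wrong order" file are assumptions; the evaluator handles only exact names and ALL.

```shell
#!/bin/sh
# Added example, not code from the original thread. Restates Uwe's recipe as
# fragments and checks the rule-order point offline with a first-match evaluator.

# Step 1: /etc/rc.conf flags (variable name assumed). -w wraps external services, -W internal ones.
INETD_FLAGS='inetd_flags="-wW"'

# Step 2: /etc/inetd.conf line that binds inetd's built-in ident service to port 113.
INETD_AUTH_LINE='auth stream tcp nowait root internal'

# Step 3: constructed /etc/hosts.allow. The auth deny must come before the catch-all.
HOSTS_ALLOW='auth : ALL : severity debug : deny
ALL : ALL : allow'

# Same two rules in the wrong order: the catch-all matches first, auth is never denied.
HOSTS_ALLOW_WRONG_ORDER='ALL : ALL : allow
auth : ALL : severity debug : deny'

# $1 = comma-separated list from a rule, $2 = value to test. ALL is a wildcard.
# (Simplified: exact names only, no netmasks, EXCEPT lists or pattern matching.)
field_matches() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Fqx -e ALL -e "$2"
}

# $1 = hosts.allow text, $2 = daemon, $3 = client. Prints allow or deny.
# First matching rule wins; with no match at all hosts_access(5) grants access.
wrap_decision() {
    verdict=$(printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        daemons=$(printf '%s\n' "$line" | awk -F: '{gsub(/ /, "", $1); print $1}')
        clients=$(printf '%s\n' "$line" | awk -F: '{gsub(/ /, "", $2); print $2}')
        action=$(printf '%s\n' "$line" | awk -F: '{gsub(/ /, "", $NF); print $NF}')
        if field_matches "$daemons" "$2" && field_matches "$clients" "$3"; then
            echo "$action"
            exit 0      # leaves only the command-substitution subshell
        fi
    done)
    if [ -n "$verdict" ]; then echo "$verdict"; else echo allow; fi
}

# Usage: the correct order rejects ident lookups but still allows other wrapped services.
wrap_decision "$HOSTS_ALLOW" auth 192.0.2.10              # deny
wrap_decision "$HOSTS_ALLOW" ftp 192.0.2.10               # allow
wrap_decision "$HOSTS_ALLOW_WRONG_ORDER" auth 192.0.2.10  # allow (misconfiguration)
```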