Date: Fri, 7 Sep 2001 14:22:33 -0700
From: "Nathan Miller" <nam20485@gladstone.uoregon.edu>
To: <freebsd-questions@FreeBSD.ORG>
Subject: tcpd problems
Message-ID: <001d01c137e3$35b8ec60$2df3df80@uoregon.edu>
I'm having trouble getting tcp_wrappers set up properly. The problem is this: when I set up /etc/hosts.allow with what (I think) are valid rules, I get unexpected behavior. For instance, when I enter a rule such as:
telnetd : ALL : allow
and then try to telnet in from some machine I get the catch-all rule at the very bottom of a default hosts.allow:
ALL : ALL : twist.... echo "you are not allowed to use %d from %h"
and the telnet client issues "you are not allowed to use tcpd from <the client's ip>" (notice service is listed as TCPD, not telnetd).
So, no rules will work unless I add a line where ALL or TCPD is the service:
TCPD/ALL : ... : ...
At which point everything works, well, at least the services started by inetd (ftpd and telnetd).
Now my rule for sshd doesn't seem to be affected, which works fine w/ a rule of
sshd : ALL : allow
I don't know if it's a coincidence or not, but the services which give me this trouble are exactly the ones started from /etc/inetd.conf.
Now, I have set up tcp_wrappers successfully before. The tcpd executable is there in /usr/local/libexec, and inetd.conf is set up appropriately:
...
ftp stream tcp nowait root /usr/local/libexec/tcpd ftpd -lS
telnet stream tcp nowait root /usr/local/libexec/tcpd telnetd
...
My suspicion is that tcpd is not matching the incoming service request (say, ftp) against a rule for the respective service (say, ftpd: ALL: allow)
b/c the service trying to be matched is tcpd, as evidenced by the macro expansion in the very bottom default rule displaying the service as tcpd.
ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %c."
===>
Has anyone seen this problem before or has an idea what I am doing wrong? Any help would be much appreciated by this new FreeBSD user. Thanks in advance (and if you're reading this thanks for having enough patience to spend your time reading this rambling message)
Nathan Miller
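An added example, not from the poster or from tcp_wrappers itself, that models the first-match evaluation of hosts.allow rules the message describes: the rule text and the client address are constructed, and only the ALL wildcard and exact daemon/client names are matched. It shows why a rule for `telnetd` is never reached when the name being checked is `tcpd`, and what the %d/%c expansion of the catch-all twist produces in that case.

```python
import re

# Constructed hosts.allow (not the poster's file); the rules mirror the ones quoted above.
HOSTS_ALLOW = r"""
# per-service rules the poster expects to match
telnetd : ALL : allow
sshd : ALL : allow
# catch-all at the bottom, written with backslash continuation lines
ALL : ALL \
    : severity auth.info \
    : twist /bin/echo "You are not welcome to use %d from %c."
"""


def parse_rules(text):
    """Join backslash-continued lines, drop comments and blank lines, and
    split each rule into (daemon_list, client_list, option_string)."""
    joined = re.sub(r"\\\n", " ", text)
    rules = []
    for raw in joined.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        options = fields[2] if len(fields) == 3 else "allow"
        rules.append((fields[0].split(), fields[1].split(), options))
    return rules


def _matches(name, patterns):
    # Simplification: only ALL and exact names (no EXCEPT, netmasks or domain suffixes).
    return any(p == "ALL" or p == name for p in patterns)


def lookup(rules, daemon, client):
    """First match wins, as with tcpd: returns (rule_number, options with
    %d/%h/%c expanded) or None when nothing matches."""
    for number, (daemons, clients, options) in enumerate(rules, start=1):
        if _matches(daemon, daemons) and _matches(client, clients):
            expanded = options.replace("%d", daemon).replace("%h", client).replace("%c", client)
            return number, expanded
    return None


def decide(daemon, client, text=HOSTS_ALLOW):
    """Evaluate one connection against the constructed hosts.allow."""
    return lookup(parse_rules(text), daemon, client)


if __name__ == "__main__":
    for name in ("telnetd", "tcpd"):
        print(name, "->", decide(name, "192.0.2.10"))
```

With the daemon name presented as `tcpd`, rule 3 fires and the echoed message names tcpd, exactly as the poster observed; with `telnetd` it stops at rule 1.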
