Re: tcpd with xinetd
On Sat, 4 Jul 1998, Norbert Veber wrote:
> > > 2. for example you cannot allow/deny .domain.tld in xinetd
> >
> > True. xinetd can do something with network names mentioned in
> > /etc/networks, though I have never figured out the exact format for this
> > file.
>
> Like I said in my other message which I forgot to send to the list :)
> xinetd can do that, read man xinetd.conf.
From man xinetd.conf:
NOTES
<...>
3. The address check is based on the IP address of the
remote host and not on its domain address. We do this
so that we can avoid remote name lookups which may
take a long time (since xinetd is single-threaded, a
name lookup will prevent the daemon from accepting any
other requests until the lookup is resolved). The
down side of this scheme is that if the IP address of
a remote host changes, then access to that host may be
denied until xinetd is reconfigured. Whether access
is actually denied or not will depend on whether the
new host IP address is among those allowed access. For
example, if the IP address of a host changes from
1.2.3.4 to 1.2.3.5 and only_from is specified as
1.2.3.0 then access will not be denied.

Now, how can I allow access from *.utwente.nl to my host? Or from *.nl? As
I read the above paragraph, this is something xinetd can't do. With tcpd,
one can allow access from *.student.utwente.nl while denying access from
the rest of *.utwente.nl, with only two (obvious) lines. In xinetd.conf,
this would be a lot more difficult since *.utwente.nl is 130.89.0.0 -
130.89.255.255 and *.student.utwente.nl is 130.89.220.0 - 130.89.234.255.

And how would I allow access to a particular service from *.nl while
denying access to that server from the rest of the world? This may seem
senseless, but AFAIK it's something xinetd can not easily do.

If the above is not true, please guide me to a source of information that
tells me how to do domain name based access control with xinetd.

Note that I am a happy xinetd user. This is just a feature that I miss
sometimes.

Remco
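
Added example, not part of the original message and not xinetd's own code: a Python model of the IP-only matching described in the man page note, applied to the two address ranges quoted above to show how many only_from entries the *.student.utwente.nl range takes. It assumes the trailing-zero wildcard rule implied by the note's 1.2.3.0 example; the address/prefix form returned by cidrs_for_range is only usable with xinetd versions that accept that syntax, and all function names are hypothetical.

```python
import ipaddress

STUDENT = ("130.89.220.0", "130.89.234.255")   # *.student.utwente.nl, from the message

def wildcard_to_network(entry):
    """Network matched by an only_from numeric address.

    Rightmost components that are 0 act as wildcards (assumed rule), so
    1.2.3.0 covers 1.2.3.0-1.2.3.255 and 130.89.0.0 covers all of 130.89.
    """
    octets = [int(o) for o in entry.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {entry!r}")
    prefix = 32
    while prefix > 0 and octets[prefix // 8 - 1] == 0:
        prefix -= 8
    return ipaddress.IPv4Network((entry, prefix))

def allowed(client, only_from):
    """True if the client IP matches any entry; no name lookup is involved."""
    ip = ipaddress.IPv4Address(client)
    return any(ip in wildcard_to_network(e) for e in only_from)

def entries_for_range(first, last):
    """One trailing-zero entry per /24 covering first..last inclusive."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo & 0xFF or (hi & 0xFF) != 0xFF:
        raise ValueError("range must start at .0 and end at .255")
    entries = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1, 256)]
    # A /24 whose third octet is 0 would widen to a /16 wildcard: refuse it.
    if any(wildcard_to_network(e).prefixlen != 24 for e in entries):
        raise ValueError("range contains a /24 that the wildcard form over-matches")
    return entries

def cidrs_for_range(first, last):
    """Same range as the minimal set of address/prefix blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]

if __name__ == "__main__":
    for entry in entries_for_range(*STUDENT):
        print(f"only_from += {entry}")
    print("compact form:", " ".join(cidrs_for_range(*STUDENT)))
```

A host that is renumbered outside these blocks stops matching even though its name is still under the domain, which is the trade-off the man page note describes.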