Re: tcpd with xinetd
-> 3. The address check is based on the IP address of the
-> remote host and not on its domain address. We do this
-> so that we can avoid remote name lookups which may
-> take a long time (since xinetd is single-threaded, a
-> name lookup will prevent the daemon from accepting any
-> other requests until the lookup is resolved). The
-> down side of this scheme is that if the IP address of
-> a remote host changes, then access to that host may be
-> denied until xinetd is reconfigured. Whether access
-> is actually denied or not will depend on whether the
-> new host IP address is among those allowed access. For
-> example, if the IP address of a host changes from
-> 1.2.3.4 to 1.2.3.5 and only_from is specified as
-> 1.2.3.0 then access will not be denied.
->
-> Now, how can I allow access from *.utwente.nl to my host? Or from *.nl? As
-> I read the above paragraph, this is something xinetd can't do. With tcpd,
-> one can allow access from *.student.utwente.nl while denying access from
-> the rest of *.utwente.nl, with only two (obvious) lines. In xinetd.conf,
-> this would be a lot more difficult since *.utwente.nl is 130.89.0.0 -
-> 130.89.255.255 and *.student.utwente.nl is 130.89.220.0 - 130.89.234.255.
->
-> And how would I allow access to a particular service from *.nl while
-> denying access to that server from the rest of the world? This may seem
-> senseless, but AFAIK it's something xinetd can not easily do.
->
-> If the above is not true, please guide me to a source of information that
-> tells me how to do domain name based access control with xinetd.
->
-> Note that I am a happy xinetd user. This is just a feature that I miss
-> sometimes.
Try my patch :)
ftp.tuke.sk:/pub/unix/security/tcpd_xinetd.patch
of course you'd need to recompile tcpd with that :(
but it works on my machines and I happily use xinetd and tcpd together
joining their advantages
--
Matus "fantomas" Uhlar, sysadmin at NETLAB+ Kosice, Slovakia
BIC coord for *.sk; admin of netlab.irc.sk; co-admin of irc.felk.cvut.cz
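
Added example, not part of the original messages: the address arithmetic behind the quoted question, showing how many CIDR prefixes an address-based rule set needs for the two ranges quoted above. The function names are hypothetical, and the only_from line assumes an xinetd build that accepts address/prefix notation.

```python
import ipaddress

# Ranges exactly as quoted in the message above.
UTWENTE = ipaddress.ip_network("130.89.0.0/16")
STUDENT_FIRST = ipaddress.ip_address("130.89.220.0")
STUDENT_LAST = ipaddress.ip_address("130.89.234.255")


def student_blocks():
    """Smallest set of CIDR prefixes that exactly covers the student range."""
    return list(ipaddress.summarize_address_range(STUDENT_FIRST, STUDENT_LAST))


def rest_of_utwente():
    """130.89.0.0/16 with every student prefix carved out."""
    remaining = [UTWENTE]
    for block in student_blocks():
        next_remaining = []
        for net in remaining:
            if block.subnet_of(net):
                # address_exclude yields the sibling networks left over
                next_remaining.extend(net.address_exclude(block))
            else:
                next_remaining.append(net)
        remaining = next_remaining
    return sorted(remaining)


def decide(client_ip):
    """Allow the student range, deny the rest of the /16, else no opinion."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in block for block in student_blocks()):
        return "allow"
    if addr in UTWENTE:
        return "deny"
    return "no-match"


def only_from_line():
    """Assumption: only_from accepts address/prefix entries."""
    return "only_from = " + " ".join(str(b) for b in student_blocks())


if __name__ == "__main__":
    print(only_from_line())
    print("prefixes for the rest of the /16:", len(rest_of_utwente()))
    for ip in ("130.89.221.7", "130.89.235.1", "192.0.2.1"):  # constructed samples
        print(ip, decide(ip))
```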