
Re: tcpd with xinetd



->        3.  The address check is based on the IP  address  of  the
->            remote  host and not on its domain address. We do this
->            so that we can avoid remote  name  lookups  which  may
->            take  a  long time (since xinetd is single-threaded, a
->            name lookup will prevent the daemon from accepting any
->            other  requests  until  the  lookup is resolved).  The
->            down side of this scheme is that if the IP address  of
->            a remote host changes, then access to that host may be
->            denied until xinetd is reconfigured.   Whether  access
->            is  actually  denied or not will depend on whether the
->            new host IP address is among those allowed access. For
->            example,  if  the  IP  address  of a host changes from
->            1.2.3.4 to  1.2.3.5  and  only_from  is  specified  as
->            1.2.3.0 then access will not be denied.
-> 
-> Now, how can I allow access from *.utwente.nl to my host? Or from *.nl? As
-> I read the above paragraph, this is something xinetd can't do. With tcpd,
-> one can allow access from *.student.utwente.nl while denying access from
-> the rest of *.utwente.nl, with only two (obvious) lines. In xinetd.conf,
-> this would be a lot more difficult since *.utwente.nl is 130.89.0.0 -
-> 130.89.255.255 and *.student.utwente.nl is 130.89.220.0 - 130.89.234.255.
-> 
-> And how would I allow access to a particular service from *.nl while
-> denying access to that server from the rest of the world? This may seem
-> senseless, but AFAIK it's something xinetd can not easily do.
-> 
-> If the above is not true, please guide me to a source of information that
-> tells me how to do domain name based access control with xinetd.
-> 
-> Note that I am a happy xinetd user. This is just a feature that I miss
-> sometimes.

Try my patch :) 
ftp.tuke.sk:/pub/unix/security/tcpd_xinetd.patch
of course you'd need to recompile tcpd with that :(
but it works on my machines and I happily use xinetd and tcpd together,
joining their advantages.
-- 
 Matus "fantomas" Uhlar, sysadmin at NETLAB+ Kosice, Slovakia
 BIC coord for *.sk; admin of netlab.irc.sk; co-admin of irc.felk.cvut.cz
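The quoted message puts the two approaches side by side: tcpd needs one hosts.allow line and one hosts.deny line for "allow *.student.utwente.nl, deny the rest of *.utwente.nl", while xinetd has to express the same policy as address ranges. The following is an added worked example, written for this page and not taken from the thread, from xinetd, or from the tcpd_xinetd.patch above. It computes the minimal CIDR set for the 130.89.220.0 - 130.89.234.255 range quoted in the message, emits both the tcpd and the xinetd form of the policy, and models xinetd's documented rule that when both only_from and no_access are given, the attribute holding the more specific match decides. The daemon name in.ftpd, the use of a.b.c.d/e netmask notation in only_from/no_access (documented in xinetd.conf(5)), and the treatment of an equal-length match as a deny are assumptions of the example:

```python
import ipaddress

# Address ranges as quoted in the message (constructed test data, not a real config).
STUDENT_RANGE = ("130.89.220.0", "130.89.234.255")   # *.student.utwente.nl
UTWENTE_RANGE = ("130.89.0.0", "130.89.255.255")     # *.utwente.nl


def range_to_cidrs(first, last):
    """Smallest list of CIDR prefixes that exactly covers first..last inclusive."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def tcpd_rules(daemon, allow_domain, deny_domain):
    """The two-line tcp_wrappers policy from the thread.

    hosts.allow is consulted before hosts.deny, so the more specific allow
    wins even though the deny pattern also matches the same hosts.
    """
    return {"hosts.allow": f"{daemon}: .{allow_domain}",
            "hosts.deny": f"{daemon}: .{deny_domain}"}


def xinetd_attributes(allow_range, deny_range):
    """Address-based equivalent for an xinetd service block.

    Assumes the a.b.c.d/e netmask form of only_from/no_access (xinetd.conf(5));
    a range that is not prefix-aligned becomes several entries.
    """
    return {"only_from": " ".join(range_to_cidrs(*allow_range)),
            "no_access": " ".join(range_to_cidrs(*deny_range))}


def xinetd_decide(client, only_from, no_access):
    """Model of xinetd access control with both attributes present.

    xinetd.conf(5): when only_from and no_access are both given, the one that
    is the better match for the remote address determines the outcome.
    "Better match" is modelled here as longest prefix; an equal-length match
    in both lists is treated as a deny (assumption, chosen to fail closed).
    An address matching neither list is denied whenever only_from is set and
    allowed when only only_from is empty.
    """
    addr = ipaddress.ip_address(client)

    def best_match(nets):
        lengths = [n.prefixlen for n in map(ipaddress.ip_network, nets) if addr in n]
        return max(lengths, default=-1)

    allow, deny = best_match(only_from), best_match(no_access)
    if allow < 0 and deny < 0:
        return not only_from
    return allow > deny


if __name__ == "__main__":
    print(tcpd_rules("in.ftpd", "student.utwente.nl", "utwente.nl"))
    attrs = xinetd_attributes(STUDENT_RANGE, UTWENTE_RANGE)
    for key, value in attrs.items():
        print(f"{key:<10}= {value}")
    for ip in ("130.89.230.7", "130.89.10.1", "192.0.2.1"):
        print(ip, xinetd_decide(ip, attrs["only_from"].split(), attrs["no_access"].split()))
```

The student range alone expands to four prefixes (130.89.220.0/22, 130.89.224.0/21, 130.89.232.0/23, 130.89.234.0/24), which is the "a lot more difficult" the message refers to; any change to the university's subnet plan means editing those numbers. The domain-name form carries a different cost: a ".student.utwente.nl" pattern is matched against the client's reverse DNS name, which the owner of the client's address block controls. tcp_wrappers limits this by also forward-resolving the returned name and refusing clients whose forward and reverse records disagree (see the PARANOID wildcard in hosts_access(5)); the address-only policy above has no DNS dependency at all, which is exactly the trade-off the quoted xinetd text describes.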

