
Bug#43161: marked as done (xinetd: obsolete /etc/init.d/netbase script included?)



Your message dated Sun, 26 Dec 1999 20:46:22 +0100
with message-id <19991226204622.A1535@jagor.srce.hr>
and subject line latest xinetd Debian package (2.1.8.7) fixes these problems
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Darren Benham
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Aug 1999 14:52:11 +0000
Received: (qmail 29271 invoked from network); 18 Aug 1999 14:52:03 -0000
Received: from 69-coru-x9.libre.retevision.es (HELO catshouse.minet.org) (62.82.100.69)
  by master.debian.org with SMTP; 18 Aug 1999 14:52:03 -0000
Received: from localhost (fer@localhost)
	by catshouse.minet.org (8.9.3/8.9.3/Debian/GNU) with SMTP id QAA00481
	for <submit@bugs.debian.org>; Wed, 18 Aug 1999 16:45:29 +0200
Date: Wed, 18 Aug 1999 14:45:29 +0000 (GMT)
From: Fernando Sanchez <fsanchez@retemail.es>
To: submit@bugs.debian.org
Subject: xinetd: obsolete /etc/init.d/netbase script included?
Message-ID: <Pine.LNX.3.96.990818144422.474A-100000@catshouse.minet.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Package: xinetd
Version: 2.2.1-8
Severity: normal

I think the /etc/init.d/netbase file installed by the xinetd package is
obsolete, as it does not try to set spoof protection using the
/proc/sys/net/ipv4/conf/*/rp_filter method, but only the ipfwadm/ipchains
127.0.0.0 protection.

I suggest that the following spoofprotect () is used in that script (it is
taken from netbase 3.15-4), instead of the current one:

-----------------------------------------------------------------------------
spoofprotect () {
    # This is the best method: turn on Source Address Verification and get
    # spoof protection on all current and future interfaces.
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo -n "Setting up IP spoofing protection..."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > "$f"
        done
        echo "done."
    # rules for linux 2.0.x and 2.1.x (x < 102) kernels
    elif [ -e /proc/net/ip_input ]; then
        echo -n "Setting up IP spoofing protection..."
        # delete and readd entry (this way we don't get duplicate entries)

        # deny incoming packets pretending to be from 127.0.0.1
        ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2>/dev/null || true
        ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2>/dev/null || true
        ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 >/dev/null
        ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 >/dev/null

        # deny incoming packets pretending to be from our own system.
        # set your own IP address below (or use `hostname -i` to set it).
#       my_ip=192.168.14.1
#       ipfwadm -I -d deny -o -P all -S $my_ip -W eth0 -D 0/0 2>/dev/null || true
#       ipfwadm -I -d deny -o -P all -S $my_ip -W eth1 -D 0/0 2>/dev/null || true
#       ipfwadm -I -a deny -o -P all -S $my_ip -W eth0 -D 0/0 >/dev/null
#       ipfwadm -I -a deny -o -P all -S $my_ip -W eth1 -D 0/0 >/dev/null
        echo "done."
    # rules for linux 2.1.x (x > 101) kernels
    elif [ -e /proc/net/ip_fwchains ]; then
        echo -n "Setting up IP spoofing protection..."
        ipchains -D input -j DENY -l -s 127.0.0.0/8 -i ! lo 2>/dev/null || true
        ipchains -A input -j DENY -l -s 127.0.0.0/8 -i ! lo

        # deny incoming packets pretending to be from our own system.
        # set your own IP address below (or use `hostname -i` to set it).
#       my_ip=192.168.14.1
#       ipchains -D input -j DENY -l -s $my_ip -i ! lo 2>/dev/null || true
#       ipchains -A input -j DENY -l -s $my_ip -i ! lo
        echo "done."
    fi
}
-----------------------------------------------------------------------------


-- System Information
Debian Release: potato
Kernel Version: Linux catshouse 2.2.11 #1 Wed Aug 18 14:10:45 CEST 1999 i586 unknown

Versions of the packages xinetd depends on:
ii  libc6           2.1.2-0pre7    GNU C Library: Shared libraries and timezone
ii  netbase         3.15-4         Basic TCP/IP networking binaries
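
An added example, not part of the original report or of the netbase/xinetd packages: a check that lists interfaces left without Source Address Verification after a script like the one above has run. The function names and the sample tree are constructed for illustration; the rule that the effective value is the larger of conf/all and conf/<iface> is taken from current kernel documentation, not from this thread.

```shell
#!/bin/sh
# Added example: audit rp_filter state under a sysctl-style directory tree.
# Effective value per interface = max(conf/all, conf/<iface>) on current kernels
# (0 = off, 1 = strict, 2 = loose). Prints "<iface> <own> <effective>" for each
# interface whose effective value is 0. Returns 0 if none, 1 if any, 2 on error.
rp_filter_unprotected () {
    conf_root=${1:-/proc/sys/net/ipv4/conf}
    [ -r "$conf_root/all/rp_filter" ] || {
        echo "no rp_filter entries under $conf_root" >&2
        return 2
    }
    all=$(cat "$conf_root/all/rp_filter")
    status=0
    for f in "$conf_root"/*/rp_filter; do
        iface=$(basename "$(dirname "$f")")
        # "all" and "default" are templates, not real interfaces.
        case $iface in all|default) continue ;; esac
        own=$(cat "$f")
        if [ "$own" -gt "$all" ]; then eff=$own; else eff=$all; fi
        if [ "$eff" -eq 0 ]; then
            echo "$iface $own $eff"
            status=1
        fi
    done
    return $status
}

# Constructed sample tree (hypothetical host): all=0, eth0=1, eth1=0.
make_sample_tree () {
    root=$(mktemp -d)
    for spec in all:0 default:0 eth0:1 eth1:0; do
        mkdir -p "$root/${spec%%:*}"
        echo "${spec##*:}" > "$root/${spec%%:*}/rp_filter"
    done
    echo "$root"
}

sample=$(make_sample_tree)
rp_filter_unprotected "$sample" || echo "interfaces listed above have no source address verification"
rm -rf "$sample"
```

Called with no argument, the function reads /proc/sys/net/ipv4/conf on the running host.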

---------------------------------------
Received: (at 43161-done) by bugs.debian.org; 26 Dec 1999 19:46:28 +0000
Received: (qmail 30109 invoked from network); 26 Dec 1999 19:46:27 -0000
Received: from jagor.srce.hr (jrodin@161.53.2.130)
  by master.debian.org with SMTP; 26 Dec 1999 19:46:27 -0000
Received: (from jrodin@localhost)
	by jagor.srce.hr (8.9.0/8.9.0) id UAA01751;
	Sun, 26 Dec 1999 20:46:22 +0100 (MET)
Date: Sun, 26 Dec 1999 20:46:22 +0100
From: Josip Rodin <jrodin@public.srce.hr>
To: 31500-done@bugs.debian.org, 35166-done@bugs.debian.org,
        36809-done@bugs.debian.org, 37134-done@bugs.debian.org,
        38361-done@bugs.debian.org, 41386-done@bugs.debian.org,
        41568-done@bugs.debian.org, 43161-done@bugs.debian.org,
        44099-done@bugs.debian.org, 44529-done@bugs.debian.org,
        44537-done@bugs.debian.org, 45602-done@bugs.debian.org,
        46572-done@bugs.debian.org, 46603-done@bugs.debian.org,
        49398-done@bugs.debian.org, 49438-done@bugs.debian.org
Subject: latest xinetd Debian package (2.1.8.7) fixes these problems
Message-ID: <19991226204622.A1535@jagor.srce.hr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i

Hi people, 

All these problems you reported against the Debian xinetd package
are fixed now. Please upgrade, if you can.

In case you wondered, the bugs haven't been closed until now because the
package maintainer wasn't around, and the package is in fact orphaned. I am
doing this as a member of the quality assurance group.

Thanks for reporting...

-- 
enJoy -*/\*- don't even try to pronounce my first name

