On Thu, Feb 12, 2004 at 11:33:10AM -0500, Josh Koffman wrote:

Way off topic.

> Ok, I'm desperate. I've tried everything I know how to try, and it's not
> working. And I can't figure out why.

I can help.

> I am running Debian with a 2.2.19 kernel. I know 2.6 is out, but I don't
> want to upgrade right now. There is going to be a major overhaul coming
> in a month or so, and I don't want to waste time upgrading this machine
> right now.

OK.

> Here is what I am trying to do. I am attempting to block access to my
> linux box from all addresses starting with 141.117.*.* except the few
> within that range that I specify.

Typical.

> So, my first thought was hosts.allow
> and hosts.deny. I added the address above (with netmask) to hosts.deny,
> (ALL:141.117.0.0/255.255.0.0), and the address I want to be able to
> access the box (ALL:141.117.*.*) to hosts.allow.

OK. Here's the question you need to ask yourself before we move on:
How are hosts.allow and hosts.deny utilized? Answer coming up.

> Then I started testing.
> The address I want to work worked fine. However, I am having issues with
> the blocked addresses. They won't connect to some services (i.e. the POP
> server) which is perfect, but they still connect to others, such as
> SMTP. I've even tried explicitly denying the IP of the machine I'm
> testing with, and I can still send mail through SMTP perfectly. I tried
> adding (ALL smtp: 141.117.0.0/255.255.0.0) or ALL exim:
> 141.117.0.0/255.255.0.0) but neither seem to work.

Right. And the reason is the answer to my question above: hosts.allow
and hosts.deny are used by the tcpd program. tcpd is invoked by inetd
and is configured via the /etc/inetd.conf file. For example, on one of
my machines here is the POP3 entry in /etc/inetd.conf:

    pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/popa3d

Note that tcpd is invoked, which checks hosts.allow/hosts.deny and
either allows access by invoking popa3d or denies it. But it only works
if tcpd is invoked.
So now here's the second question: What happens when you have a service
that doesn't use inetd, and therefore doesn't invoke tcpd? Well, you've
seen your answer from the behavior above. sendmail runs all the time,
owns port 25, and is not invoked by inetd. So the hosts.allow and
hosts.deny files are never checked.

> I just don't understand how I can explicitly deny access, and it works
> for some things but SMTP works great.

See above.

Now how to solve the problem. You need another tool that operates at the
kernel level: packet filtering. And the tools for doing this have evolved
over the years. 2.2 kernels used IPChains, 2.4 kernels use IPTables, and
I'm not sure how in the heck 2.6 kernels do it yet. Take a read of this
HOWTO, then take another crack at it:

    http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html

> HELP!

Hope this helps,

> Thank you

You are welcome.

BAJ

-- 
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics
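The two control points in the reply above, modelled as an added example (not code from the thread or from either poster): the hosts.allow/hosts.deny search that tcpd performs for a wrapped service, and a first-match packet filter chain of the kind ipchains provides, which sees every connection whether or not tcpd is in the path. The wrapper lines are the ones the original poster described; the permitted host 141.117.10.20, the probe addresses 141.117.55.9 and 10.0.0.7, and the daemon names are assumed placeholders, and only the net/mask, trailing-dot prefix, literal address and ALL forms of a client pattern are modelled.

```python
# Added example, not code from the original thread. Shows why a hosts.deny entry
# stops POP3 (inetd -> tcpd -> popa3d) but not SMTP (a standalone daemon owning
# port 25), and how a kernel-level first-match filter covers both.
import ipaddress

# Constructed inputs: the poster's wrapper files, with one permitted host.
# 141.117.10.20 is an assumed placeholder, not an address from the thread.
HOSTS_ALLOW = ["ALL: 141.117.10.20"]
HOSTS_DENY = ["ALL: 141.117.0.0/255.255.0.0"]

# Services launched from /etc/inetd.conf through /usr/sbin/tcpd. SMTP is
# absent because the MTA binds port 25 itself, so tcpd never sees it.
WRAPPED_BY_TCPD = {"pop3"}


def _client_pattern_matches(pattern, client_ip):
    """One client_list token from hosts_access(5): ALL, net/mask,
    a trailing-dot prefix, or a literal address (hostnames not modelled)."""
    ip = ipaddress.IPv4Address(client_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # 141.117.0.0/255.255.0.0
        return ip in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.endswith("."):               # 141.117.
        return client_ip.startswith(pattern)
    return client_ip == pattern


def wrapper_rule_matches(rule, daemon, client_ip):
    """A 'daemon_list : client_list' line; option fields are not modelled."""
    daemons, clients = (field.strip() for field in rule.split(":", 1))
    if not any(d.strip() in ("ALL", daemon) for d in daemons.split(",")):
        return False
    return any(_client_pattern_matches(p.strip(), client_ip)
               for p in clients.split(","))


def tcpd_decision(daemon, client_ip, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """hosts_access(5) search order: a match in hosts.allow grants, then a
    match in hosts.deny refuses, and a client matched by neither is granted."""
    if any(wrapper_rule_matches(r, daemon, client_ip) for r in hosts_allow):
        return "ALLOW"
    if any(wrapper_rule_matches(r, daemon, client_ip) for r in hosts_deny):
        return "DENY"
    return "ALLOW"


# An ipchains-style input chain: (source network, destination port or None,
# target). First match wins; the chain policy applies when nothing matches.
FILTER_CHAIN = [
    ("141.117.10.20/32", None, "ACCEPT"),   # the few hosts that may connect
    ("141.117.0.0/16", None, "DENY"),       # everything else in the range
]


def filter_decision(client_ip, dport, chain=FILTER_CHAIN, policy="ACCEPT"):
    ip = ipaddress.IPv4Address(client_ip)
    for src, port, target in chain:
        if ip in ipaddress.IPv4Network(src) and port in (None, dport):
            return target
    return policy


def connection_outcome(client_ip, service, daemon, dport, with_filter):
    """Trace a TCP connect: kernel filter first (if enabled), then tcpd only
    when the service is actually started through it."""
    if with_filter and filter_decision(client_ip, dport) == "DENY":
        return "DENY (packet filter)"
    if service in WRAPPED_BY_TCPD:
        return f"{tcpd_decision(daemon, client_ip)} (tcpd)"
    return "ALLOW (no tcpd in path)"


if __name__ == "__main__":
    attempts = [("141.117.10.20", "pop3", "popa3d", 110),
                ("141.117.55.9", "pop3", "popa3d", 110),
                ("141.117.55.9", "smtp", "exim", 25),
                ("10.0.0.7", "smtp", "exim", 25)]
    for with_filter in (False, True):
        print(f"--- {'with' if with_filter else 'without'} packet filter ---")
        for ip, svc, daemon, port in attempts:
            print(f"{ip:>15} -> {svc:<4} "
                  f"{connection_outcome(ip, svc, daemon, port, with_filter)}")
```

Run as-is to see the symptom from the thread in the first table (the /16 is refused on POP3 but lands on SMTP untouched) and the fix in the second, where the chain refuses 141.117.55.9 before any daemon is involved while the permitted host and addresses outside the range pass straight through to the daemon.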