Re: hosts.allow does not resolve names
- From: Bit Twister <BitTwister@xxxxxxxxxxxxxxxx>
- Date: Tue, 27 Nov 2007 20:52:56 GMT
On Tue, 27 Nov 2007 13:26:08 -0600, Moe Trin wrote:

> article <slrnfkngs1.cog.BitTwister@xxxxxxxxxxxxxxx>, Bit Twister wrote:
>
> OPINION: I don't like to use hostnames, as they are subject to spoofing.
> IP addresses are harder to spoof. Yes, in this case, it shouldn't be
> a major concern, but I go for blanket solutions.

I hear where you are coming from. Was just trying to keep maintenance
down while changing LAN ip values. Last resort is to script the LAN ip change.

>> /etc/hosts.allow fails with
>> ALL: .home.invalid
>> but ALL: 192.168.1.0/255.255.255.0 works.
>
> OK - syntax looks correct. No errant space or anything?

Nope, latest test
ALL: 192.168.1.
works,
ALL: .home.invalid
fails. So does ALL: wb.home.invalid, m2008.home.invalid

>> $ cat /etc/host.conf
>> order hosts,bind
>> multi on
>> nospoof on
>> spoofalert on
>
> If you drop the last two, does it work?

No, and changing last two to off did not work either.

>> $ head -4 /etc/hosts
>
> OK. Assumption is no other lines containing those IP addresses.

No,
$ grep 213 /etc/hosts
192.168.1.213 m2008.home.invalid m2008
$ grep m2008 /etc/hosts
192.168.1.213 m2008.home.invalid m2008

> If you do a 'strings | grep host /path/to/tcpd' you will see that it's
> using a standard 'gethostbyaddr' and 'gethostbyname' library calls, so
> if you can 'ping -c 1 m2008.home.invalid' then tcpd _should_ work.

Dang it, pings work, but NFS mount still fails with ALL: .home.invalid
Nov 27 13:57:33 m2008 portmap[4702]: connect from 192.168.1.130 \
to getport(nfs): request from unauthorized host
$ cat /etc/exports
/local wb(rw,no_root_squash,sync)
$ ping -c 1 wb
PING wb.home.invalid (192.168.1.130) 56(84) bytes of data.
64 bytes from wb.home.invalid (192.168.1.130): icmp_seq=1 ttl=64 time=0.185 ms
--- wb.home.invalid ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.185/0.185/0.185/0.000 ms

> as one of the error messages. In your followup, you show tcpd logging
> the full name, so I _believe_ it is resolving the name (otherwise, it
> would be logging the IP), or am I mis-interpreting your mail snip?

It would be misleading
$ cat /etc/hosts.deny
ALL: ALL:\
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s \"$(uname -n)\" root ) & : DENY
#****************** end hosts.deny ************
but system is resolving correctly
$ ping -c 1 $(uname -n)
PING m2008.home.invalid (192.168.1.213) 56(84) bytes of data.
64 bytes from m2008.home.invalid (192.168.1.213) icmp_seq=1 ttl=64 time=0.075 ms
--- m2008.home.invalid ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.075/0.075/0.075/0.000 ms

> That's a problem. Wietse Venema hasn't been maintaining the application
> for many years (7.6 is from March 1997), while xinetd was introduced in
> late 2000. You might try an 'strace' of xinetd but that sounds kind of
> messy.

Yes, that would be a bit of tracing since I am trying to make an NFS
mount from wb.home.invalid
Open/no firewalls on both systems makes no difference.
Thank you for your time.
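As an added illustration (not code from this thread or from tcp_wrappers itself), the following Python models the hosts.allow/hosts.deny client-matching forms that come up above: the leading-dot domain pattern (`.home.invalid`), the trailing-dot address prefix (`192.168.1.`), the `net/mask` form, a bare host or address, and `ALL`. The point it shows is why the two address forms can succeed while the domain form fails for one daemon: a domain pattern can only match a client name that libwrap actually has. A daemon that skips reverse lookups hands libwrap just the address (the Linux portmap man page states that portmap does not do hostname lookups); the example models that as `name=None`. The function names, the sample client address and name, and the "name not available" scenario are mine; the rule lines are the ones posted in the thread. The mini parser handles only the two-field `daemon_list : client_list` form, not the `spawn` option syntax in the posted hosts.deny.

```python
"""Toy model of tcp_wrappers client matching (example code, not libwrap)."""
import ipaddress


def _parse_rule(line):
    """Split 'daemon_list : client_list [: option]' into two token lists."""
    fields = line.split(":")
    daemons = fields[0].split()
    clients = fields[1].split() if len(fields) > 1 else []
    return daemons, clients


def match_pattern(pattern, addr, name):
    """Match one client pattern against a client address and (optional) name.

    addr: dotted-quad string of the peer, always available.
    name: resolved hostname, or None when the daemon did no lookup.
    """
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        # Domain suffix: only matchable when a name was resolved.
        return name is not None and name.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        # Address prefix: purely string-based, needs no name.
        return addr.startswith(pattern)
    if "/" in pattern:
        # net/mask form, e.g. 192.168.1.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network((net, mask), strict=False)
        return ipaddress.IPv4Address(addr) in network
    # Bare host or address.
    return pattern == addr or (name is not None and name.lower() == pattern.lower())


def _rule_hits(line, daemon, addr, name):
    daemons, clients = _parse_rule(line)
    if "ALL" not in daemons and daemon not in daemons:
        return False
    return any(match_pattern(p, addr, name) for p in clients)


def hosts_access(allow_lines, deny_lines, daemon, addr, name=None):
    """hosts_access(5) order: first allow match grants, first deny match
    refuses, no match at all grants."""
    if any(_rule_hits(l, daemon, addr, name) for l in allow_lines):
        return True
    if any(_rule_hits(l, daemon, addr, name) for l in deny_lines):
        return False
    return True


# Constructed sample client, taken from the addresses shown in the thread.
CLIENT_ADDR = "192.168.1.130"
CLIENT_NAME = "wb.home.invalid"
DENY = ["ALL: ALL"]          # the posted hosts.deny, minus its spawn option


def scenario(allow_line, name):
    """Evaluate a single hosts.allow line for the portmap daemon."""
    return hosts_access([allow_line], DENY, "portmap", CLIENT_ADDR, name)


if __name__ == "__main__":
    cases = [
        ("ALL: .home.invalid", CLIENT_NAME),   # name resolved: grants
        ("ALL: .home.invalid", None),          # no lookup done: refused
        ("ALL: wb.home.invalid", None),        # bare name, no lookup: refused
        ("ALL: 192.168.1.", None),             # address prefix: grants
        ("ALL: 192.168.1.0/255.255.255.0", None),  # net/mask: grants
    ]
    for rule, name in cases:
        verdict = "ALLOW" if scenario(rule, name) else "DENY"
        print(f"{rule:40s} name={name!s:18s} -> {verdict}")
```

Run it and the domain-suffix rule flips from ALLOW to DENY as soon as the name is missing, while both address forms stay ALLOW; that is the defender-side reason to prefer address patterns in hosts.allow for daemons that do not resolve the peer.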