Tcpwrapper 7.6 - feature -

From: Gigi Sullivan (sullivanat_private)
Date: Sat Sep 19 1998 - 09:41:47 PDT


    Hello there :)
    
    Well, we all know tcpwrapper (W. Venema) and all its features.
    I wrote a very small piece of code that could be useful (I hope) to those of you
    who are using tcpwrapper but don't run any kind of firewall.
    This "new" feature allows you to force the TCP layer to elicit an RST
    segment to drop a denied connection (instead of the usual 4-"FIN"
    segments).
    
    All you have to do is to add in your /etc/hosts.deny file a line like the
    following one:
    
    daemon_list : client_list : rst
    
    This shouldn't lead to data corruption (as said in RFC 1337) and could
    "simulate" some simple firewall actions, imho.
    
    For those who are interested here is the options.c diff file.
    (If no one is interested, just drop this msg. Sorry :))
    Tcpwrapper version 7.6
    
    *** options.orig        Sat Sep 19 18:12:15 1998
    --- options.c   Sat Sep 19 18:16:42 1998
    ***************
    *** 85,90 ****
    --- 85,91 ----
      static void allow_option();           /* execute "allow" option */
      static void deny_option();            /* execute "deny" option */
      static void banners_option();         /* execute "banners path" option */
    + static void rst_option();             /* force the TCP layer to elict an RST segment */
    
      /* Structure of the options table. */
    
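Review bot: the new forward declaration follows the neighbouring `static void` declarations, but its comment misspells "elicit" as "elict" (the definition's comment in the last hunk has the same typo); fix both so a search for the term finds the option.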
    ***************
    *** 122,127 ****
    --- 123,129 ----
          "allow", allow_option, USE_LAST,
          "deny", deny_option, USE_LAST,
          "banners", banners_option, NEED_ARG,
    +     "rst", rst_option, 0,
          0,
      };
    
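Review bot: the table entry `"rst", rst_option, 0,` declares an argument-less option, which matches the handler never reading `value`, but neither the entry nor the handler restricts where the option may appear, and the mail only describes it for /etc/hosts.deny. Because SO_LINGER with l_onoff = 1 and l_linger = 0 makes close() abort the connection and discard any unsent data, an `rst` in a hosts.allow rule would silently break the service being handed off; either document in the hosts_options manual page that `rst` is meaningful only in deny rules, or have the handler refuse it when the request is being allowed.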
    ***************
    *** 331,336 ****
    --- 333,356 ----
                tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger);
          }
      }
    +
    + /* rst_option - The TCP layer will elict an RST instead of FIN segments */
    + /* Lorenzo Cavallaro <sullivanat_private> ... just FYI :) */
    +
    + static void rst_option(value, request)
    + char *value;
    + struct request_info *request;
    + {
    +     struct linger linger;
    +
    +     linger.l_onoff = 1;
    +     linger.l_linger = 0;
    +     if (dry_run == 0) {
    +         if (setsockopt(request->fd, SOL_SOCKET, SO_LINGER, (char *) &linger,
    +                        sizeof(linger)) < 0)
    +             tcpd_warn("setsockopt SO_LINGER (RST): %m");
    +     }
    + }
    
      /* keepalive_option - set the socket keepalive option */
    
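Review bot: rst_option only sets the socket option; nothing in the hunk sends the RST, which the kernel emits when request->fd is later closed (or the process exits), so the comment should state that the effect depends on the deny path closing the descriptor with nothing further written to it. The setsockopt/tcpd_warn pair also duplicates the call visible in the preceding linger handler (`tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger)`); consider one shared helper taking l_onoff and l_linger, and say in the comment how `rst` differs from `linger`. The `/* Lorenzo Cavallaro <sullivanat_private> ... just FYI :) */` line is changelog material rather than a source comment.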
    
    Bye bye
    
    
                            -- gg sullivan
    
    
    --
    Lorenzo Cavallaro
    Intesis SECURITY LAB            Phone: +39-2-671563.1
    Via Settembrini, 35             Fax: +39-2-66981953
    I-20124 Milano  ITALY           Email: sullivanat_private
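The post describes the effect of the zero-timeout SO_LINGER setting but does not show what the remote end actually observes. The following stand-alone C program is an added example, not part of the patch or of tcpwrapper: it opens a TCP connection to itself over 127.0.0.1, closes the accepting side either normally or with the same `l_onoff = 1, l_linger = 0` setting the `rst` option applies, and reports whether the connecting side's `read()` returns end-of-file (the peer sent FIN) or fails with ECONNRESET (the peer sent RST). The function name `peer_close_result` is my own, and the program assumes loopback networking is available.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * peer_close_result - connect to ourselves over loopback, close the
 * accepting ("server") side, and report what the connecting ("client")
 * side observes on its next read():
 *   0           the peer sent FIN and the client saw a clean end-of-file
 *   ECONNRESET  the peer sent RST (abortive close)
 *   -1          socket setup failed (no loopback networking available)
 *
 * abortive != 0 applies the same SO_LINGER setting as the rst option
 * in the posted patch: l_onoff = 1, l_linger = 0.  (Example code, not
 * part of tcpwrapper.)
 */
int peer_close_result(int abortive)
{
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    int lfd, cfd, sfd, result = -1;
    ssize_t n;
    char buf[16];

    /* Listening socket on 127.0.0.1 with a kernel-chosen port. */
    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;
    if (bind(lfd, (struct sockaddr *) &addr, sizeof(addr)) < 0
        || listen(lfd, 1) < 0
        || getsockname(lfd, (struct sockaddr *) &addr, &alen) < 0) {
        close(lfd);
        return -1;
    }

    /* Client side: the loopback handshake completes inside connect(). */
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
        if (cfd >= 0)
            close(cfd);
        close(lfd);
        return -1;
    }

    /* Server side: the connection is already queued, so accept() does not block. */
    sfd = accept(lfd, NULL, NULL);
    if (sfd < 0) {
        close(cfd);
        close(lfd);
        return -1;
    }

    if (abortive) {
        /* Same setting the rst option applies to request->fd. */
        struct linger linger;
        linger.l_onoff = 1;
        linger.l_linger = 0;
        if (setsockopt(sfd, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger)) < 0) {
            close(sfd);
            close(cfd);
            close(lfd);
            return -1;
        }
    }

    /* A normal close sends FIN; with the zero-linger setting the kernel sends RST. */
    close(sfd);

    n = read(cfd, buf, sizeof(buf));
    if (n == 0)
        result = 0;          /* FIN: orderly end-of-file */
    else if (n < 0)
        result = errno;      /* RST: ECONNRESET */

    close(cfd);
    close(lfd);
    return result;
}

int main(void)
{
    printf("normal close:   %d (0 = EOF)\n", peer_close_result(0));
    printf("abortive close: %d (ECONNRESET = %d)\n", peer_close_result(1), ECONNRESET);
    return 0;
}
```

The abortive path is exactly why the option belongs only in deny rules: the kernel discards anything still unsent on that socket and the peer gets an error rather than a graceful end of stream, which is harmless for a connection that was going to be refused anyway but would corrupt a session that is actually being served.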
    


