On May 22, 2007, at 10:46, Maxim Khitrov wrote:
On 5/22/07, doug <[EMAIL PROTECTED]> wrote:
On Tue, 22 May 2007, Maxim Khitrov wrote:
> On 5/22/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>> I suspect sendmail is reading /etc/hosts.allow
>>
>> # Start by allowing everything (this prevents the rest of the file
>> # from working, so remove it when you need protection).
>> # The rules here work on a "First match wins" basis.
>> #ALL : ALL : allow
>>
>> Did you comment out the above line?
>>
>> Steve
>
> Here's the entire file as it is right now:
>
> # Deny sendmail to all clients (temporary)
> sendmail : all : deny
>
> # Allow anything from localhost
> all : <local ip> : allow
>
> # Process SSH deny rules
> sshd : /etc/hosts.evil : deny
>
> # Allow everything else
> all : all : allow
>
> Once I can get sendmail to block all connection requests, I'll
move it
> below the second rule. That way, only local processes will be
able to
> use it. For now, however, that rule is being ignored completely.
The default configuration gives you what you want so I assume your
goal is to
see if you can make hosts.allow work within a jail. In general
there are
performance reasons not to use inetd to control ssh and sendmail.
ssh under
inetd causes more key generation. Sendmail has its own controls
which give you
the equivalent (or better) than can be done with inetd.
I assume from an earlier post you are trying to make this work
inside a jail. If
thats true you must also have in the jail rc.conf
inetd_flags="-wW -a your-ip-address"
I assume you have this or you would not have been able to control
ssh. All that
said, I have only used inetd to control ftp/imap/pop3. It seems to
me your
specific question is: does this work inside a jail and is any
special setup
required to make it work with sendmail. Sorry I can not help more.
Doug
I'm not sure I understand what you mean... I'm not using inetd, and
the default configuration doesn't block sendmail from all remote
hosts. The ssh server is running all by itself, same as sendmail. The
way I understand it is that as long as the server was compiled with
tcp wrappers, it should follow the rules in hosts.allow.
tcp wrappers must be coded into the application. The call which
actually checks the access permissions in the hosts.allow file is
hosts_access() (see man hosts_access). Checking through the sendmail
source for version 8.13.8, there are no calls to hosts_access in the
source code. You will need to patch sendmail to make it do what you
want. There might be patches at www.sendmail.org for that, but I
doubt it. openssh's sshd.c is probably a good template to use.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
