net-snmp 5.5 tcp wrappers broken

2010-06-09 Thread krad
Has anyone else seen this behaviour?

/etc/hosts.allow

ALL : X : allow
ALL : ALL : deny

Doing a simple system snmp query from host X fails;
remove the deny all line and it starts working.

Trussing the process shows snmpd calling libwrap and accessing the
hosts.allow fine, just no joy. The earlier version, net-snmp 5.3, which I upgraded
from, works fine. Ports and src tree csup'd very recently. ssh does have
these issues with the same hosts.allow file.

Host's reverse and forward DNS match.



FreeBSD xx 8.0-STABLE FreeBSD 8.0-STABLE #0: Wed Jun  9 10:52:17 BST
2010 x:/usr/obj/usr/src/sys/DTRACE  amd64

# ls /etc/host*
/etc/host.conf    /etc/hosts    /etc/hosts.allow
/etc/hosts.equiv    /etc/hosts.lpd


[root]# /usr/local/sbin/snmpd -v

NET-SNMP version:  5.5
Web:   http://www.net-snmp.org/
Email: net-snmp-cod...@lists.sourceforge.net

[root]# ls -l /usr/local/sbin/snmpd
-rwxr-xr-x  1 root  wheel  28880 Jun  9 12:30 /usr/local/sbin/snmpd
[root]# ldd /usr/local/sbin/snmpd
/usr/local/sbin/snmpd:
        libnetsnmpagent.so.20 => /usr/local/lib/libnetsnmpagent.so.20 (0x80064c000)
        libnetsnmphelpers.so.20 => /usr/local/lib/libnetsnmphelpers.so.20 (0x800793000)
        libnetsnmpmibs.so.20 => /usr/local/lib/libnetsnmpmibs.so.20 (0x8008b7000)
        libwrap.so.6 => /usr/lib/libwrap.so.6 (0x800abe000)
        libperl.so => /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so (0x800bc6000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x800dec000)
        libutil.so.8 => /lib/libutil.so.8 (0x800f05000)
        libnetsnmp.so.20 => /usr/local/lib/libnetsnmp.so.20 (0x801015000)
        libm.so.5 => /lib/libm.so.5 (0x8011e3000)
        libkvm.so.5 => /lib/libkvm.so.5 (0x801302000)
        libdevstat.so.7 => /lib/libdevstat.so.7 (0x80140a000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x80150f000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x8017a7000)
        libc.so.7 => /lib/libc.so.7 (0x8018bf000)
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: net-snmp 5.5 tcp wrappers broken

2010-06-09 Thread Andrea Venturoli

On 06/09/10 17:12, krad wrote:

> Has anyone else seen this behaviour?

Yep.

> /etc/hosts.allow
>
> ALL : X : allow
> ALL : ALL : deny

snmpd: ALL : allow

works.

Googling around, it seems FreeBSD is not the only OS affected...

 bye
av.


Bug in tcp wrappers?

2009-03-12 Thread Chris St Denis
I think I've found a bug in libwrap/tcpwrappers. Before filing an actual 
bug report I want to get some feedback here first.


A hosts.allow file with ~1000 IPs on a single line (haven't experimented
with other quantities yet) causes network daemons that use libwrap to stop
accepting incoming network connections and use 100% CPU on an incoming
connection.  This problem appeared because sshguard placed a large
number of IPs in my hosts.allow file, triggering this bug.


I've left the affected daemons for a long period of time (once about 8
hours) and they don't seem to come back, so I think this is more than
just it taking a while to loop through a 1000 item array of IPs.



The production system that was affected is FreeBSD 7.0-32bit
Test system is FreeBSD 7.1-32bit

Example hosts.allow file (IPs are randomly generated for purposes of 
example)


   sshd : 112.110.123.63 113.11.2.126 113.11.8.6 113.19.19.22
   113.197.48.68 snipped 990+ IPs 116.48.108.244 116.48.11.19 : deny
   ALL : ALL : allow

top output of affected system. sshd wcpu slowly crawls up to 100% over 
about 30 seconds or so.


   crash# top
   last pid:   692;  load averages:  0.08,  0.04,  0.04    up 0+00:12:13  15:42:30
   24 processes:  2 running, 22 sleeping
   CPU: 49.7% user,  0.0% nice,  0.2% system,  0.2% interrupt, 49.9% idle
   Mem: 9304K Active, 6004K Inact, 21M Wired, 32K Cache, 10M Buf, 947M Free
   Swap: 1995M Total, 1995M Free

     PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
     691 root        1 103    0  5760K  3660K CPU1   1   0:04 33.98% sshd
     672 root        1   4    0  8436K  3888K sbwait 1   0:00  0.00% sshd
     677 cstdenis    1  20    0  4460K  2288K pause  0   0:00  0.00% csh
     682 root        1  20    0  5484K  2632K pause  0   0:00  0.00% csh
     675 cstdenis    1  44    0  8436K  3896K select 0   0:00  0.00% sshd
   snip

A backtrace shows

   crash# gdb /usr/sbin/sshd 691
   GNU gdb 6.1.1 [FreeBSD]
   Copyright 2004 Free Software Foundation, Inc.
   GDB is free software, covered by the GNU General Public License, and
   you are
   welcome to change it and/or distribute copies of it under certain
   conditions.
   Type show copying to see the conditions.
   There is absolutely no warranty for GDB.  Type show warranty for
   details.
   This GDB was configured as i386-marcel-freebsd...
   Attaching to program: /usr/sbin/sshd, process 691
   Reading symbols from /usr/lib/libssh.so.4...done.
   Loaded symbols for /usr/lib/libssh.so.4
   Reading symbols from /lib/libutil.so.7...done.
   Loaded symbols for /lib/libutil.so.7
   Reading symbols from /lib/libz.so.4...done.
   Loaded symbols for /lib/libz.so.4
   Reading symbols from /usr/lib/libwrap.so.5...done.
   Loaded symbols for /usr/lib/libwrap.so.5
   snip other symbols for brevity
   Reading symbols from /libexec/ld-elf.so.1...done.
   Loaded symbols for /libexec/ld-elf.so.1
   0x28373225 in fgets (buf=0xbfbfe67b , n=1, fp=0x283b8040) at
   /usr/src/lib/libc/stdio/fgets.c:56
   56  {
   (gdb) bt
   #0  0x28373225 in fgets (buf=0xbfbfe67b , n=1, fp=0x283b8040) at
   /usr/src/lib/libc/stdio/fgets.c:56
   #1  0x281124ee in xgets (ptr=0xbfbfe67b , len=1, fp=0x283b8040) at
   /usr/src/lib/libwrap/../../contrib/tcp_wrappers/misc.c:38
   #2  0x28111410 in table_match (table=0x28112c5c /etc/hosts.allow,
   request=0xbfbfeb14)
   at
   /usr/src/lib/libwrap/../../contrib/tcp_wrappers/hosts_access.c:162
   #3  0x28111540 in hosts_access (request=0xbfbfeb14) at
   /usr/src/lib/libwrap/../../contrib/tcp_wrappers/hosts_access.c:132
   #4  0x08052b39 in main (ac=2, av=0xbfbfeecc) at
   /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/sshd.c:1843
   (gdb) bt
   #0  0x28373225 in fgets (buf=0xbfbfe67b , n=1, fp=0x283b8040) at
   /usr/src/lib/libc/stdio/fgets.c:56
   #1  0x281124ee in xgets (ptr=0xbfbfe67b , len=1, fp=0x283b8040) at
   /usr/src/lib/libwrap/../../contrib/tcp_wrappers/misc.c:38
   #2  0x28111410 in table_match (table=0x28112c5c /etc/hosts.allow,
   request=0xbfbfeb14)
   at
   /usr/src/lib/libwrap/../../contrib/tcp_wrappers/hosts_access.c:162
   #3  0x28111540 in hosts_access (request=0xbfbfeb14) at
   /usr/src/lib/libwrap/../../contrib/tcp_wrappers/hosts_access.c:132
   #4  0x08052b39 in main (ac=2, av=0xbfbfeecc) at
   /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/sshd.c:1843
   (gdb) q
   The program is running.  Quit anyway (and detach it)? (y or n) y
   Detaching from program: /usr/sbin/sshd, process 691


A few questions
1. Is this a known issue of any sort? I've done some searching on it, 
but haven't found anything of interest.
2. Should this be reported to FreeBSD bug tracker, or to libwrap (or 
both)? Basically, is FreeBSD's libwrap (more or less) in sync with the 
main one, or is it completely separate?



--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
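
A check for the condition this post describes, as an added example that is not part of the original message: it flags any logical line in hosts.allow (backslash continuations joined) that is too long for a fixed-size read buffer. The 2048-byte default and the function names are assumptions; set the limit to the buffer size of the libwrap build in use.

```python
import sys

# Assumed limit: the line-buffer size of the libwrap build being checked.
# 2048 is a placeholder default, not a value taken from the post.
DEFAULT_LIMIT = 2048


def logical_lines(text):
    """Yield (first_line_no, line) with backslash-newline continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended on a dangling continuation
        yield start, buf


def overlong_rules(text, limit=DEFAULT_LIMIT):
    """Return [(line_no, daemon_field, size)] for logical lines that do not fit
    in a buffer of `limit` bytes (text + newline + terminating NUL)."""
    findings = []
    for no, line in logical_lines(text):
        size = len(line.encode()) + 1  # +1 for the newline
        if size >= limit:              # fgets(buf, limit) stores at most limit-1 bytes
            findings.append((no, line.split(":", 1)[0].strip(), size))
    return findings


def constructed_sample(n=1000):
    """Constructed hosts.allow shaped like the one in the post (documentation IPs)."""
    ips = " ".join(f"192.0.2.{i % 254 + 1}" for i in range(n))
    return f"# constructed sample\nsshd : {ips} : deny\nALL : ALL : allow\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = constructed_sample()
    for no, daemon, size in overlong_rules(data):
        print(f"line {no}: rule for '{daemon}' is {size} bytes; split it into shorter rules")
```

Run it with the path to hosts.allow as the only argument, for example after a tool such as sshguard has rewritten the file; with no argument it checks the constructed sample.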

tcp wrappers

2008-01-07 Thread Jim Pazarena
tcp wrappers does not seem to be compiled with the 'blacklist patch'
which Wietse Venema provided some years back.

I am curious if/why the implementor(s) within FreeBSD chose to ignore
that useful patch?

Would someone please point out to me how/where I could re-compile tcpd
to include this patch? I am struggling trying to find the tcpd source on my system.

Thanks

Jim Pazarena



Re: tcp wrappers

2008-01-07 Thread Vince

Jim Pazarena wrote:
> tcp wrappers does not seem to be compiled with the 'blacklist patch'
> which Wietse Venema provided some years back.
>
> I am curious if/why the implementor(s) within FreeBSD chose to ignore
> that useful patch?
>
> Would someone please point out to me how/where I could re-compile tcpd
> to include this patch? I am struggling trying to find the tcpd source on my system.

Umm I think we use /usr/src/contrib/tcp_wrappers, no idea about the
lack of 'blacklist patch' though.

Should be a case of patching the source there then
cd /usr/src/libexec/tcpd
make && make install clean
Although presumably you need to recompile anything that uses libwrap not
just tcpd.


Vince

> Thanks
>
> Jim Pazarena



Re: tcp wrappers getaddrinfo

2003-11-22 Thread Antoine Jacoutot
Quoting Lowell Gilbert [EMAIL PROTECTED]:
> Have you modified the rule at line 23 of /etc/hosts.allow?
> Normally, it's
> ALL : ALL : allow
> which as far as I recall, never does any hostname lookups at all.

No, I never touched this line.
This is why I'm asking for some help.
Thanks.

Antoine


Re: tcp wrappers getaddrinfo

2003-11-21 Thread Lowell Gilbert
Antoine Jacoutot [EMAIL PROTECTED] writes:

> I get a lot of those warning messages in my logs.
> Is there any way I could tell inetd / tcp wrappers to turn those off ?
>
> inetd[93598]: warning: /etc/hosts.allow, line 23: can't verify hostname:
> getaddrinfo(.imaginet.fr, AF_INET) failed
>
> I know what it means, the only thing I don't know how to achieve is to turn
> this off :)

Have you modified the rule at line 23 of /etc/hosts.allow?
Normally, it's
ALL : ALL : allow
which as far as I recall, never does any hostname lookups at all.


tcp wrappers getaddrinfo

2003-11-20 Thread Antoine Jacoutot
Hi :)

I get a lot of those warning messages in my logs.
Is there any way I could tell inetd / tcp wrappers to turn those off ?

inetd[93598]: warning: /etc/hosts.allow, line 23: can't verify hostname: 
getaddrinfo(.imaginet.fr, AF_INET) failed

I know what it means, the only thing I don't know how to achieve is to turn 
this off :)

Thanks in advance.

Antoine



tcp wrappers/twist

2003-03-16 Thread Jer
Dear all

there used to be a way that one could use tcp wrappers and twist
so that if per se
you telnet'd to 127.0.0.1 telnetd would run
but if you telnet'd to 127.0.0.2 tcp_d would spawn another process
I forget the syntax for this

anyone know it??

thanks

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message


Re: tcp wrappers/twist

2003-03-16 Thread Daxbert
Quoting Jer [EMAIL PROTECTED]:

> there used to be a way that one could use tcp wrappers and twist
> so that if per se
>
> you telnet'd to 127.0.0.1 telnetd would run
> but if you telnet'd to 127.0.0.2 tcp_d would spawn another process

Have you looked here:

man hosts_options
   look for twist.

and 

man 5 hosts_access
   for the proper expansion escapes.


--daxbert
