On Wed, May 21, 2003 at 11:27:04AM -0500, Mike Thomas wrote:
Hello,
I recently discovered the wonders and joys of syslog-ng, and have been attempting to get tcp wrapper support to work, and unfortunately, to no avail.
What I am experiencing is simply it is not working, I wish I could provide a more descriptive and detailed 'error', but it just simply won't block denied hosts.
Here's the relevant output from ./configure, etc.
./configure --prefix=/usr --enable-tcp-wrapper
checking for tcpd.h... yes
checking for TCP wrapper library... -lwrap
checking whether to enable Sun STREAMS support... no
checking whether to enable Sun door support... no
checking whether to enable TCP wrapper support... yes
As you can see, tcp wrapper support was successfully compiled in. I did not have any issues/warnings/errors while compiling. Everything looked good on that end.
Here's the relevant entries from /etc/hosts.allow (I don't use hosts.deny, all my entries are in hosts.allow, both deny and allow)
syslog-ng: draco.cems.umn.edu, centaurus.cems.umn.edu, lupus.cems.umn.edu, cygnus.cems.umn.edu, orion.cems.umn.edu, gemini.cems.umn.edu, crux.cems.umn.edu, mozart.cems.umn.edu, : ALLOW
syslogng: draco.cems.umn.edu, centaurus.cems.umn.edu, lupus.cems.umn.edu, cygnus.cems.umn.edu, orion.cems.umn.edu, gemini.cems.umn.edu, crux.cems.umn.edu, mozart.cems.umn.edu : ALLOW
#deny *EVERYTHING* else
ALL : ALL : DENY
I've used tcpdmatch to verify that the rules are being examined and caught in the right fashion and, they are. Here's the output of tcpdmatch for instance:
loki:root(~/syslog-ng/syslog-ng-1.6.0rc3)# tcpdmatch syslog-ng oberlin.cems.umn.edu
warning: syslog-ng: no such process name in /etc/inetd.conf
client:   hostname oberlin.cems.umn.edu
client:   address  134.84.165.104
server:   process  syslog-ng
matched:  /etc/hosts.allow line 25
option:   DENY
access:   denied
Line 25 is the ALL: ALL : DENY
loki:root(~/syslog-ng/syslog-ng-1.6.0rc3)# tcpdmatch syslog-ng mozart.cems.umn.edu
warning: syslog-ng: no such process name in /etc/inetd.conf
client:   hostname mozart.cems.umn.edu
client:   address  134.84.164.249
server:   process  syslog-ng
matched:  /etc/hosts.allow line 20
option:   ALLOW
access:   granted
Line 20 is the syslog-ng: etc... line
I have also used strace and truss on the syslog-ng binary and discovered that it is successfully making a call to the libwrap library, but it doesn't read hosts.allow/hosts.deny (I'm not sure if it's supposed to or not).
As far as how I have syslog-ng set up, I have it running on the default udp port, 514, bound to a specific ip which is not the main ip of the machine, but set up as a virtual interface; in linux it would be known as eth0:0, BSD just regards it as a second ip. Syslog-ng itself functions perfectly, accepting remote connections and the whole nine yards, it just simply refuses to work with tcp wrappers.
The TCP wrapper code has been contributed and I do not use it myself. Checking the source it seems that it is applied to TCP based connections only. I don't know however how it would behave if it would be applied to each incoming UDP packet (as they might each have a different source IP), though the results could be cached, but there's no such code in place.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
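The reply above says the wrapper check is only wired to TCP connections, and that a per-datagram check on a UDP source would have to be evaluated per source address and could be cached. The following is an added example, not code from syslog-ng, libwrap or either poster: a small Python model of that per-datagram gate. It implements a simplified subset of hosts_access(5) syntax (daemon list, client list with ALL, exact hostname, leading-dot domain suffix, trailing-dot address prefix, net/mask, and an ALLOW/DENY option; no EXCEPT, no shell commands, no netgroups) over a single hosts.allow-style file, as the poster uses. Hostnames come from a constructed lookup table instead of a reverse DNS query so it runs offline; the rule text, the address table and the datagrams are all constructed for the example.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed hosts.allow in the style of the post (simplified hosts_access(5) subset).
HOSTS_ALLOW = (
    "syslog-ng: mozart.cems.umn.edu, .example.net, 134.84.166., 10.0.0.0/255.255.255.0 : ALLOW\n"
    "# deny *EVERYTHING* else\n"
    "ALL : ALL : DENY\n"
)

# Constructed stand-in for reverse lookups; real libwrap resolves and cross-checks the name.
RESOLVED: Dict[str, str] = {
    "134.84.164.249": "mozart.cems.umn.edu",
    "134.84.165.104": "oberlin.cems.umn.edu",
}

# Constructed UDP datagrams as (source address, payload); several share a source.
DATAGRAMS: List[Tuple[str, bytes]] = [
    ("134.84.164.249", b"<34>May 21 11:27:04 mozart sshd[812]: Accepted publickey for mt"),
    ("134.84.165.104", b"<13>May 21 11:27:05 oberlin cron[44]: (root) CMD (run-parts)"),
    ("134.84.164.249", b"<34>May 21 11:27:06 mozart sshd[812]: session opened"),
    ("134.84.166.23", b"<14>May 21 11:27:07 lab23 syslogd: restart"),
    ("134.84.165.104", b"<13>May 21 11:27:08 oberlin su: BAD SU guest to root"),
]


class Rule(NamedTuple):
    lineno: int
    daemons: List[str]
    clients: List[str]
    option: str  # "ALLOW" or "DENY"


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemons : clients [: ALLOW|DENY]' lines; comments and blanks are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected 'daemons : clients'")
        daemons = [d.strip() for d in parts[0].split(",") if d.strip()]
        clients = [c.strip() for c in parts[1].split(",") if c.strip()]
        # A rule in hosts.allow without an explicit option grants access.
        option = parts[2].upper() if len(parts) > 2 and parts[2] else "ALLOW"
        rules.append(Rule(lineno, daemons, clients, option))
    return rules


def match_client(pattern: str, src_ip: str, hostname: Optional[str]) -> bool:
    """Match one client pattern against a source address and its (looked-up) name."""
    addr = ipaddress.IPv4Address(src_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 10.0.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return addr in ipaddress.IPv4Network((net, mask), strict=False)
    if pattern.endswith("."):  # address prefix form, e.g. 134.84.166.
        return src_ip.startswith(pattern)
    try:
        return addr == ipaddress.IPv4Address(pattern)
    except ValueError:
        pass  # not an address: treat as a hostname pattern
    if hostname is None:
        return False  # unresolvable client never matches a name pattern
    if pattern.startswith("."):  # domain suffix form, e.g. .example.net
        return hostname.lower().endswith(pattern.lower())
    return hostname.lower() == pattern.lower()


def check_access(rules: List[Rule], daemon: str, src_ip: str,
                 hostname: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """First matching rule wins, as tcpdmatch reports; no match means access granted."""
    for rule in rules:
        if not any(d == "ALL" or d == daemon for d in rule.daemons):
            continue
        if any(match_client(p, src_ip, hostname) for p in rule.clients):
            return rule.option, rule.lineno
    return "ALLOW", None


class DatagramGate:
    """Per-datagram wrapper decision for a UDP socket, cached by source address.

    The cache must be dropped whenever hosts.allow changes; tcpd itself re-reads
    the file on every connection and has no such cache.
    """

    def __init__(self, rules: List[Rule], daemon: str, resolver: Dict[str, str]):
        self.rules, self.daemon, self.resolver = rules, daemon, resolver
        self.cache: Dict[str, Tuple[str, Optional[int]]] = {}
        self.cache_hits = 0

    def decide(self, src_ip: str) -> Tuple[str, Optional[int]]:
        if src_ip in self.cache:
            self.cache_hits += 1
            return self.cache[src_ip]
        decision = check_access(self.rules, self.daemon, src_ip, self.resolver.get(src_ip))
        self.cache[src_ip] = decision
        return decision

    def filter(self, datagrams: List[Tuple[str, bytes]]) -> List[Tuple[str, bytes]]:
        """Return only the datagrams whose source is allowed for this daemon."""
        return [(ip, data) for ip, data in datagrams if self.decide(ip)[0] == "ALLOW"]


if __name__ == "__main__":
    gate = DatagramGate(parse_rules(HOSTS_ALLOW), "syslog-ng", RESOLVED)
    for ip, data in gate.filter(DATAGRAMS):
        print(ip, data.decode())
    print("cache hits:", gate.cache_hits)
```

The daemon name is part of the lookup key, so the poster's two spellings (syslog-ng and syslogng) are two different keys; with the constructed file above, a check under the name "syslogng" falls through to the final ALL : ALL : DENY line, which is also why tcpdmatch is only meaningful for the name the running process actually presents to libwrap.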