[syslog-ng]syslog-ng 1.6.4 and tcp_wrappers
Rule, Ted
syslog-ng@lists.balabit.hu
Fri, 16 Jul 2004 10:07:21 +0100
In /etc/hosts.allow you need something like this, listing all the
permitted clients and denying anything else.
syslog-ng: 172.22.2.13: allow
syslog-ng: 172.18.112.3: allow
syslog-ng: ALL: deny
=20
It doesn't need any inetd configuration.
I don't believe it works for UDP, but I wouldn't lock out UDP syslog
traffic that way anyway; better to block it at the layer beneath with
ipchains/iptables/ipfilter or similar.
For extra resilience where a firewall separates the syslog-ng client and
server, I added some TCP Keepalive code to ensure a relatively quiet
syslog-ng TCP stream is always kept alive in the face of
Firewall-1/iptables idling out the connection, but it's not essential,
and it may even have been included in later releases anyway.
Ted
$ diff -u afinet.c-1.6.0rc3.orig afinet.c-1.6.0rc3.patched=20
--- afinet.c-1.6.0rc3.orig Sat Feb 28 11:42:50 2004
+++ afinet.c-1.6.0rc3.patched Sat Feb 28 11:42:50 2004
@@ -28,6 +28,8 @@
#include "cfgfile.h"
#include "pkt_buffer.h"
=20
+#include <sys/socket.h>
+#include <sys/types.h>
#include <errno.h>
#include <string.h>
#include <assert.h>
@@ -217,8 +219,13 @@
CAST(afinet_source, self, c);
struct afsocket_source_connection *conn;
UINT32 res;
+ int socklen,sockval;
+
+ socklen=3Dsizeof(sockval);
+ if ( ( getsockopt(client->super.fd, SOL_SOCKET, SO_TYPE,
&sockval, &socklen) =3D=3D 0 ) &&
+ (
sockval =3D=3D SOCK_STREAM ) ) {
#if ENABLE_TCP_WRAPPER
- {
+ {
struct request_info req;
=20
request_init(&req, RQ_DAEMON, "syslog-ng", RQ_FILE,
client->super.fd, 0);
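Review bot: The combined condition on the `getsockopt(... SO_TYPE ...)` line fails open: when getsockopt() itself returns non-zero, `sockval` is never compared and the whole `#if ENABLE_TCP_WRAPPER` block is skipped, so the client is admitted without the hosts_access decision ever being taken. Split the two checks so a getsockopt() failure is logged and handled the same way the next hunk handles a denied client (`close_fd(&client->super, 0); return ST_OK | ST_GOON;`), and let only the `sockval == SOCK_STREAM` comparison gate the wrapper block. `socklen` should also be declared `socklen_t`, the type getsockopt() takes for its length argument, rather than `int`. The enclosing function (do_open_afinet_connection, going by the log strings in the following hunk) starts before this hunk and continues past it.
```c
    socklen_t socklen = sizeof(sockval);
    if (getsockopt(client->super.fd, SOL_SOCKET, SO_TYPE, &sockval, &socklen) != 0) {
        /* socket type unknown: treat like a denied client rather than skipping the wrapper check */
        notice("getsockopt SO_TYPE failure during do_open_afinet_connection()");
        close_fd(&client->super, 0);
        return ST_OK | ST_GOON;
    }
    if (sockval == SOCK_STREAM) {
        /* ... unchanged: ENABLE_TCP_WRAPPER request_init / hosts_access block ... */
```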
@@ -230,9 +237,19 @@
close_fd(&client->super, 0);
return ST_OK | ST_GOON;
}
+ }
+#endif
+
+#ifdef SO_KEEPALIVE
+ sockval=3D1; socklen=3Dsizeof(sockval);
+ if ( setsockopt(client->super.fd, SOL_SOCKET, SO_KEEPALIVE,
&sockval, socklen) < 0 ) {
+ notice("setsockopt SO_KEEPALIVE failure during
do_open_afinet_connection()");
+ } else {
+ notice("setsockopt SO_KEEPALIVE Ok in
do_open_afinet_connection()");
}
- =20
#endif
+ }
+ =20
if (c->num_connections >=3D c->max_connections) {
CAST(inet_address_info, inet_addr, client_addr);
=20
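Review bot: The success branch `notice("setsockopt SO_KEEPALIVE Ok in do_open_afinet_connection()")` emits a log line for every accepted TCP connection, which is noise in a daemon whose own log is the audit trail; keep only the failure branch, or demote the success message to whatever debug-level call the file already has. The same pattern recurs in the do_init_afinet_dest() hunk further down. Also `sockval=1; socklen=sizeof(sockval);` puts two assignments on one line and hides the second; one statement per line, and since setsockopt() takes the length by value the reassignment of `socklen` can simply be `sizeof(sockval)` in the call. The enclosing function starts before this hunk and continues past it.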
@@ -250,8 +267,6 @@
}
return res;
}
-
-
}
=20
static int=20
@@ -488,6 +503,17 @@
=20
if (self->conn_fd) {
return ST_OK | ST_GOON;
+#ifdef SO_KEEPALIVE
+ if ( (self->super.flags & 0x0003) =3D=3D AFSOCKET_STREAM ) {
+ int sockval=3D1;
+
+ if ( setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE,
&sockval, sizeof(sockval)) < 0 ) {
+ notice("setsockopt SO_KEEPALIVE failure
during do_init_afinet_dest()");
+ } else {
+ notice("setsockopt SO_KEEPALIVE Ok in
do_init_afinet_dest()");
+ }
+ }
+#endif
}
else {
io_callout(self->cfg->backend,=20
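Review bot: The added `#ifdef SO_KEEPALIVE` block sits directly after `return ST_OK | ST_GOON;` inside the `if (self->conn_fd)` branch, so it is unreachable and SO_KEEPALIVE is never set on the destination socket. The setsockopt() belongs where the socket `fd` is created, before the connect is issued; that point is outside this hunk, and `fd` is not declared anywhere in the hunk, so confirm the identifier is actually in scope there. The `0x0003` mask applied to `self->super.flags` is an unexplained magic value: if the file already defines a mask for the socket-type bits use it, otherwise add a comment such as `/* low two bits of flags select the socket type */` next to it. do_init_afinet_dest() starts before this hunk and continues past it.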
$=20
Ted