The OpenNET Project


Tcpwrapper 7.6 - feature -


Date: Sat, 19 Sep 1998 18:41:47 +0200
From: Gigi Sullivan <sullivan@SECLAB.COM>
To: BUGTRAQ@netspace.org
Subject: Tcpwrapper 7.6 - feature -

Hello there :)

Well, we all know tcpwrapper (W. Venema) and all its features.
I wrote a very small piece of code that could be useful (I hope) to those of you
who are using tcpwrapper but don't run any kind of firewall.
This "new" feature allows you to force the TCP layer to elicit an RST
segment to drop a denied connection (instead of the usual 4-"FIN"
segments).

All you have to do is to add to your /etc/hosts.deny file a line like the
following one:

daemon_list : client_list : rst

This shouldn't lead to data corruption (as stated in RFC 1337) and could
"simulate" some simple firewall actions, IMHO.

For those who are interested, here is the options.c diff.
(If no one is interested, just drop this msg. Sorry :))
Tcpwrapper version 7.6

*** options.orig        Sat Sep 19 18:12:15 1998
--- options.c   Sat Sep 19 18:16:42 1998
***************
*** 85,90 ****
--- 85,91 ----
  static void allow_option();           /* execute "allow" option */
  static void deny_option();            /* execute "deny" option */
  static void banners_option();         /* execute "banners path" option */
+ static void rst_option();             /* force the TCP layer to elict an RST segment */

  /* Structure of the options table. */

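Review bot: the comment on the new rst_option() prototype misspells "elicit" as "elict" (the same typo recurs in the function's own comment in the third hunk). The neighbouring prototypes all use the form `/* execute "deny" option */`, so for consistency something like `/* execute "rst" option: abort close with RST */` would read better than a description of the TCP layer.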
***************
*** 122,127 ****
--- 123,129 ----
      "allow", allow_option, USE_LAST,
      "deny", deny_option, USE_LAST,
      "banners", banners_option, NEED_ARG,
+     "rst", rst_option, 0,
      0,
  };

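Review bot: the new `"rst", rst_option, 0,` entry is the only thing that tells anyone the option exists; the patch touches options.c but not hosts_options(5), so the man page needs a matching entry. That entry should also spell out the interaction with the existing `linger` option: the context lines of the third hunk show an existing setsockopt(SO_LINGER) call just above the new function, so `rst` and `linger` set the same socket option on the same descriptor and whichever appears later in a rule's option list wins.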
***************
*** 331,336 ****
--- 333,356 ----
            tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger);
      }
  }
+
+ /* rst_option - The TCP layer will elict an RST instead of FIN segments */
+ /* Lorenzo Cavallaro <sullivan@seclab.com> ... just FYI :) */
+
+ static void rst_option(value, request)
+ char *value;
+ struct request_info *request;
+ {
+     struct linger linger;
+
+     linger.l_onoff = 1;
+     linger.l_linger = 0;
+     if (dry_run == 0) {
+         if (setsockopt(request->fd, SOL_SOCKET, SO_LINGER, (char *) &linger,
+                        sizeof(linger)) < 0)
+             tcpd_warn("setsockopt SO_LINGER (RST): %m");
+     }
+ }

  /* keepalive_option - set the socket keepalive option */

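Review bot: rst_option() does not refuse anything by itself; it only changes what happens when request->fd is eventually closed, so an `rst` appearing in an allow rule would turn every normal close of that service into an abort, and with l_linger = 0 any data still queued for transmission is discarded, which includes a banner written by the `banners` option on the same rule. The function comment should say the option is intended for deny rules only, as the hosts.deny example in the mail uses it, and "elict" should read "elicit". The unused `value` parameter is fine, since it matches the argument-less option signature used elsewhere in the table.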

Bye bye


                        -- gg sullivan


--
Lorenzo Cavallaro
Intesis SECURITY LAB            Phone: +39-2-671563.1
Via Settembrini, 35             Fax: +39-2-66981953
I-20124 Milano  ITALY           Email: sullivan@seclab.com

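The mechanism behind the `rst` option, as an added loopback demonstration (not part of the original post and not tcpwrapper code): a listener accepts one connection and closes it either plainly or after applying the same SO_LINGER setting the patch applies to request->fd; the client's read() then shows the orderly close as EOF (FIN) and the aborted close as ECONNRESET (RST). The function names, the port-0 loopback listener and the return-value encoding are this example's own choices.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* How the server side closes the accepted connection. */
enum close_mode { CLOSE_FIN = 0, CLOSE_RST = 1 };

/* Same socket setting the patch's rst_option() uses on the wrapped daemon's
 * descriptor: linger on with a zero timeout, so close() discards unsent data
 * and aborts the connection with an RST instead of starting a FIN teardown. */
int set_abort_on_close(int fd)
{
    struct linger lg;

    lg.l_onoff = 1;
    lg.l_linger = 0;
    return setsockopt(fd, SOL_SOCKET, SO_LINGER, (char *) &lg, sizeof(lg));
}

/* Loopback experiment (constructed for this example): accept one connection
 * on an ephemeral 127.0.0.1 port and close it in the requested mode.
 * Returns what the client's read() reports: 0 for an orderly EOF after FIN,
 * the errno value (ECONNRESET) after an RST, -1 on setup failure, -2 if the
 * silent server somehow delivered data. */
int client_sees(enum close_mode mode)
{
    struct sockaddr_in sa;
    socklen_t salen = sizeof(sa);
    int lfd, cfd, afd, result;
    char buf[16];
    ssize_t n;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                        /* kernel picks a free port */

    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    if (bind(lfd, (struct sockaddr *) &sa, sizeof(sa)) < 0
        || listen(lfd, 1) < 0
        || getsockname(lfd, (struct sockaddr *) &sa, &salen) < 0) {
        close(lfd);
        return -1;
    }

    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
        if (cfd >= 0)
            close(cfd);
        close(lfd);
        return -1;
    }

    afd = accept(lfd, NULL, NULL);
    if (afd < 0) {
        close(cfd);
        close(lfd);
        return -1;
    }
    if (mode == CLOSE_RST && set_abort_on_close(afd) < 0) {
        close(afd);
        close(cfd);
        close(lfd);
        return -1;
    }
    close(afd);                             /* FIN or RST leaves here */

    /* A blocking read() settles the outcome even if the segment is still in
     * flight: it returns 0 once the FIN arrives, or -1/ECONNRESET on RST. */
    n = read(cfd, buf, sizeof(buf));
    if (n == 0)
        result = 0;
    else if (n < 0)
        result = errno;
    else
        result = -2;

    close(cfd);
    close(lfd);
    return result;
}

int main(void)
{
    int fin = client_sees(CLOSE_FIN);
    int rst = client_sees(CLOSE_RST);

    printf("plain close:    client read() -> %d (0 = EOF after FIN)\n", fin);
    printf("linger-0 close: client read() -> %d (%s)\n", rst,
           rst == ECONNRESET ? "ECONNRESET, i.e. an RST" : strerror(rst));
    return 0;
}
```

Build with `cc -o rst_demo rst_demo.c` and run it as an unprivileged user; no network beyond loopback is needed. The point worth keeping in mind when deploying the option: tcpd sets this on the accepted descriptor, so the RST is only emitted when the wrapper process closes that descriptor, and anything still queued for transmission at that moment is thrown away.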