What's the relationship between /tcp_wrappers/ and /iptables/?

The FW's "/etc/hosts.allow" contains a line like:

    ALL : localhost

I make no mention of either "localhost" or "127.0.0.1" in any of the /shorewall/ config files.

When I execute "% ssh localhost" on my FW, there is no connection. Looking in /var/log/secure, I see:

    sshd[18637]: refused connect from localhost.localdomain (127.0.0.1)

Yet I see no /iptable/ entry in /var/log/messages. Shouldn't there be?

Thanks for any clarification of the interaction between "wrappers" and /iptables/ ...

-Kenneth
On 25 Jun 2002, Kenneth Jacker wrote:

> What's the relationship between /tcp_wrappers/ and /iptables/?

No relationship whatsoever. Shorewall controls traffic into, out of and through the firewall. The tcp_wrappers controls who may use certain inetd services.

> The FW's "/etc/hosts.allow" contains a line like:
>
>     ALL : localhost
>
> I make no mention of either "localhost" or "127.0.0.1" in any of the
> /shorewall/ config files.

Nor should you.

> When I execute "% ssh localhost" on my FW, there is no connection.
> Looking in /var/log/secure, I see:
>
>     sshd[18637]: refused connect from localhost.localdomain (127.0.0.1)

Are you defining sshd to inetd? Most sshd installations run sshd as a daemon and the message you are seeing looks like it came from sshd itself and not from tcpd.

> Yet I see no /iptable/ entry in /var/log/messages. Shouldn't there be?

No. Shorewall doesn't attempt to control connections from the firewall to itself.

-Tom

--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:

> On 25 Jun 2002, Kenneth Jacker wrote:
>
> > What's the relationship between /tcp_wrappers/ and /iptables/?
>
> No relationship whatsoever. Shorewall controls traffic into, out of and
> through the firewall. The tcp_wrappers controls who may use certain inetd
> services.

tcp_wrappers is not just for inetd services. Any application (like sshd) can use it via libwrap to provide ACLs for its service(s).

> ...
>
> > When I execute "% ssh localhost" on my FW, there is no connection.
> > Looking in /var/log/secure, I see:
> >
> >     sshd[18637]: refused connect from localhost.localdomain (127.0.0.1)

Try adding

    sshd: ALL

to your /etc/hosts.allow file. If you're seeing that message, the refusal is likely from tcp_wrappers.

Paul
http://paulgear.webhop.net
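As an added example (not code from the thread or from tcp_wrappers itself), a small Python model of the hosts_access(5) matching order and client patterns, run against the thread's `ALL : localhost` line and an assumed catch-all hosts.deny: the exact-string pattern `localhost` is compared with both the client's resolved hostname and its address, so a client that reverse-resolves to `localhost.localdomain` (as in the logged line) does not match it, while the suggested `sshd : ALL`, or `ALL : 127.0.0.1`, does. It assumes the hostname has already been resolved the way tcp_wrappers logs it, and leaves out EXCEPT, netgroups, address masks and option fields.

```python
"""Minimal model of tcp_wrappers' hosts_access(5) matching (added example, not
tcp_wrappers code). Supports ALL, LOCAL, exact names/addresses, '.domain'
suffixes and '10.0.' address prefixes; omits EXCEPT, @netgroups, address
masks, KNOWN/UNKNOWN/PARANOID and the shell-command option fields."""

# Constructed files: hosts.allow as quoted in the thread plus an ASSUMED
# catch-all hosts.deny (not shown in the thread; a refusal implies one matched).
HOSTS_ALLOW = "ALL : localhost\n"
HOSTS_DENY = "ALL : ALL\n"

def string_match(pattern: str, value: str) -> bool:
    """'.dom' matches as a suffix, '10.0.' as a prefix, anything else exactly."""
    pattern, value = pattern.lower(), value.lower()
    if pattern.startswith("."):
        return value.endswith(pattern)
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value

def client_match(pattern: str, hostname: str, addr: str) -> bool:
    """A client token is tried against the looked-up hostname and the address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":  # any hostname without a dot in it
        return "." not in hostname
    return string_match(pattern, hostname) or string_match(pattern, addr)

def parse_rules(text: str):
    """Yield (daemon_list, client_list) from 'daemons : clients' lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, _, clients = line.partition(":")
            yield ([d.strip() for d in daemons.split(",")],
                   [c.strip() for c in clients.split(",")])

def rules_match(text: str, daemon: str, hostname: str, addr: str) -> bool:
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(client_match(c, hostname, addr) for c in clients)
               for daemons, clients in parse_rules(text))

def hosts_access(allow: str, deny: str, daemon: str, hostname: str, addr: str) -> bool:
    """hosts_access(5) order: allow match grants, else deny match refuses, else grant."""
    if rules_match(allow, daemon, hostname, addr):
        return True
    return not rules_match(deny, daemon, hostname, addr)
```

With the logged client, `hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "localhost.localdomain", "127.0.0.1")` returns False; appending `sshd : ALL` to the allow text, or replacing it with `ALL : 127.0.0.1` or `ALL : .localdomain`, returns True.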
On Wed, 26 Jun 2002, Paul Gear wrote:

> tcp_wrappers is not just for inetd services. Any application (like sshd) can use
> it via libwrap to provide ACLs for its service(s).

I stand corrected -- Thanks

-Tom

--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net