SINNER wrote:

> I have leafnode running on my Ubuntu 6.06 LTS box and I have several
> Virtual Machines that I boot up to play with occasionally.
>
> Per the initial setup for leafnode, in /etc/hosts.allow I have:
>
> leafnode: 127.0.0.1
>
> If I change the above to
>
> leafnode: ALL
>
> The VM can attach to the leafnode server via telnet. I have tried:
>
> leafnode: 127.0.0.1, xxx.xxx.xxx.xxx
>
try dropping the comma and make the line look like this ...

leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW

to be safe, if you haven't, end with ...

leafnode: ALL: DENY

Cheers.


> and
>
> leafnode: 127.0.0.1
> leafnode: xxx.xxx.xxx.xxx
>
> where the xxx is another local IP address on the network, and neither of
> the above allow the other machine to connect.
>
> The man pages were a little to cryptic apparently to give me the clue I
> needed so any hints would be appreciated.
>

--

Proprietary Software: a 20th Century software business model.
Intelligent and helpful Windoze error messages: http://tinyurl.com/2ks5dz

* NoStop wrote in alt.os.linux.ubuntu:

[...]

>> leafnode: 127.0.0.1, xxx.xxx.xxx.xxx

> try dropping the comma and make the line look like this ...

> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW

> to be safe, if you haven't, end with ...

> leafnode: ALL: DENY

On the same line or beneath it:

1:
leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW leafnode: ALL: DENY

or

2:
leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW
leafnode: ALL: DENY

--
David
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html

Hegel was right when he said that we learn from history that man
can never learn anything from history. -George Bernard Shaw

* SINNER wrote in alt.os.linux.ubuntu:
> * NoStop wrote in alt.os.linux.ubuntu:

> [...]

>>> leafnode: 127.0.0.1, xxx.xxx.xxx.xxx

>> try dropping the comma and make the line look like this ...

>> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW

>> to be safe, if you haven't, end with ...

>> leafnode: ALL: DENY

> On the same line or beneath it:

> 1:
> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW leafnode: ALL: DENY

> or

> 2:
> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW

Tried the above and left out the below deny. No Joy.

> leafnode: ALL: DENY

--
David
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html

Use only as directed.

SINNER wrote:

> * SINNER wrote in alt.os.linux.ubuntu:
>> * NoStop wrote in alt.os.linux.ubuntu:
>
>> [...]
>
>>>> leafnode: 127.0.0.1, xxx.xxx.xxx.xxx
>
>>> try dropping the comma and make the line look like this ...
>
>>> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW
>
>>> to be safe, if you haven't, end with ...
>
>>> leafnode: ALL: DENY
>
>> On the same line or beneath it:
>
>> 1:
>> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW leafnode: ALL: DENY
>
>> or
>
>> 2:
>> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW
>
> Tried the above and left out the below deny. No Joy.
>
>> leafnode: ALL: DENY
>
Sorry to ask the obvious, but you don't have a software firewall running by
any chance?

Since I don't run leafnode, I don't know whether it requires inetd to use
the tcpwrapper? If it does, have you restarted that daemon after making
changes to the hosts.allow file?

Cheers.

--

Proprietary Software: a 20th Century software business model.
Intelligent and helpful Windoze error messages: http://tinyurl.com/2ks5dz

NoStop wrote:

> SINNER wrote:
>
>> * SINNER wrote in alt.os.linux.ubuntu:
>>> * NoStop wrote in alt.os.linux.ubuntu:
>>
>>> [...]
>>
>>>>> leafnode: 127.0.0.1, xxx.xxx.xxx.xxx
>>
>>>> try dropping the comma and make the line look like this ...
>>
>>>> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW
>>
>>>> to be safe, if you haven't, end with ...
>>
>>>> leafnode: ALL: DENY
>>
>>> On the same line or beneath it:
>>
>>> 1:
>>> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW leafnode: ALL: DENY
>>
>>> or
>>
>>> 2:
>>> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW
>>
>> Tried the above and left out the below deny. No Joy.
>>
>>> leafnode: ALL: DENY
>>
> Sorry to ask the obvious, but you don't have a software firewall running
> by any chance?
>
> Since I don't run leafnode, I don't know whether it requires inetd to use
> the tcpwrapper? If it does, have you restarted that daemon after making
> changes to the hosts.allow file?
>
> Cheers.
>
Dave,

Also, a little digging showed me that if you're going to use inetd then you
need to add to the inetd.conf file:

" Leafnode may be configured to use inetd by adding an entry to
the /etc/inetd.conf file with the following command:

echo "nntp stream tcp nowait news /usr/sbin/tcpd /usr/sbin/leafnode" \
>> /etc/inetd.conf

Issue a killall -HUP inetd to reread the changed inetd.conf file. "

Or you can use xinetd instead of inetd. Read more here ...

http://www.linuxfromscratch.org/blfs.../leafnode.html

Cheers.

--

Proprietary Software: a 20th Century software business model.
Intelligent and helpful Windoze error messages: http://tinyurl.com/2ks5dz

* NoStop wrote in alt.os.linux.ubuntu:
> SINNER wrote:

>> * SINNER wrote in alt.os.linux.ubuntu:
>>> * NoStop wrote in alt.os.linux.ubuntu:

>>> [...]

>>>>> leafnode: 127.0.0.1, xxx.xxx.xxx.xxx

>>>> try dropping the comma and make the line look like this ...

>>>> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW

>>>> to be safe, if you haven't, end with ...

>>>> leafnode: ALL: DENY

>>> On the same line or beneath it:

>>> 1:
>>> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW leafnode: ALL: DENY

>>> or

>>> 2:
>>> leafnode: 127.0.0.1 xxx.xxx.xxx.xxx: ALLOW

>> Tried the above and left out the below deny. No Joy.

>>> leafnode: ALL: DENY

> Sorry to ask the obvious, but you don't have a software firewall running by
> any chance?

Nope.

> Since I don't run leafnode, I don't know whether it requires inetd to use
> the tcpwrapper? If it does, have you restarted that daemon after making
> changes to the hosts.allow file?

I believe inetd is configured properly as a change to hosts.allow to:

leafnode: ALL

resolves the issue, no restart required, the change is immediate.

--
David
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html

Immortality -- a fate worse than death.
-- Edgar A. Shoaff

* NoStop wrote in alt.os.linux.ubuntu:

[...]

> Dave,

> Also, a little digging showed me that if you're going to use inetd then you
> need to add to the inetd.conf file:

> " Leafnode may be configured to use inetd by adding an entry to
> the /etc/inetd.conf file with the following command:

> echo "nntp stream tcp nowait news /usr/sbin/tcpd /usr/sbin/leafnode" \
>>> /etc/inetd.conf

Yeah, been using leafnode for a long time so:

[09:54 PM][J:0][sinner@~]$ cat /etc/inetd.conf | grep nntp
nntp stream tcp nowait news /usr/sbin/tcpd /usr/local/sbin/leafnode

Under Mandr* I used xinetd but Ubuntu didnt have any services installed
so I went by the doc and used inetd instead.

--
David
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html

What I tell you three times is true.
-- Lewis Carroll

SINNER wrote:

> * NoStop wrote in alt.os.linux.ubuntu:
>
> [...]
>
>> Dave,
>
>> Also, a little digging showed me that if you're going to use inetd then
>> you need to add to the inetd.conf file:
>
>> " Leafnode may be configured to use inetd by adding an entry to
>> the /etc/inetd.conf file with the following command:
>
>> echo "nntp stream tcp nowait news /usr/sbin/tcpd /usr/sbin/leafnode" \
>>>> /etc/inetd.conf
>
> Yeah, been using leafnode for a long time so:
>
> [09:54 PM][J:0][sinner@~]$ cat /etc/inetd.conf | grep nntp
> nntp stream tcp nowait news /usr/sbin/tcpd
> /usr/local/sbin/leafnode
>
> Under Mandr* I used xinetd but Ubuntu didnt have any services installed
> so I went by the doc and used inetd instead.
>
From everything you've said, the damn thing should work. Did you say you
were running in a VM? Maybe there's something there that needs tweaking?
Possible the VM after it gets passed through its host is reporting a
different IP address?

Cheers.

--

Proprietary Software: a 20th Century software business model.
Intelligent and helpful Windoze error messages: http://tinyurl.com/2ks5dz

* NoStop wrote in alt.os.linux.ubuntu:
> SINNER wrote:

>> * NoStop wrote in alt.os.linux.ubuntu:

>> [...]

>>> Dave,

>>> Also, a little digging showed me that if you're going to use inetd then
>>> you need to add to the inetd.conf file:

>>> " Leafnode may be configured to use inetd by adding an entry to
>>> the /etc/inetd.conf file with the following command:

>>> echo "nntp stream tcp nowait news /usr/sbin/tcpd /usr/sbin/leafnode" \
>>>>> /etc/inetd.conf

>> Yeah, been using leafnode for a long time so:

>> [09:54 PM][J:0][sinner@~]$ cat /etc/inetd.conf | grep nntp
>> nntp stream tcp nowait news /usr/sbin/tcpd
>> /usr/local/sbin/leafnode

>> Under Mandr* I used xinetd but Ubuntu didnt have any services installed
>> so I went by the doc and used inetd instead.

> From everything you've said, the damn thing should work.

Funny, that's what I was thinking

> Did you say you
> were running in a VM?

I have a Debian testing VM running on top of Ubuntu 6.06 LTS.

> Maybe there's something there that needs tweaking?
> Possible the VM after it gets passed through its host is reporting a
> different IP address?

I will do some more searching, thanks NoStop!

--
David
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html

I have gained this by philosophy:
that I do without being commanded what others do only from fear of the law.
-- Aristotle

On Tue, 04 Sep 2007 00:10:05 GMT, SINNER wrote:
> I have leafnode running on my Ubuntu 6.06 LTS box and I have several
> Virtual Machines that I boot up to play with occasionally.
>
> Per the initial setup for leafnode, in /etc/hosts.allow I have:
>
> leafnode: 127.0.0.1
>
> If I change the above to
>
> leafnode: ALL
>
> The VM can attach to the leafnode server via telnet. I have tried:
>
> leafnode: 127.0.0.1, xxx.xxx.xxx.xxx
>
> and
>
> leafnode: 127.0.0.1
> leafnode: xxx.xxx.xxx.xxx
>
> where the xxx is another local IP address on the network, and neither of
> the above allow the other machine to connect.
>
> The man pages were a little to cryptic apparently to give me the clue I
> needed so any hints would be appreciated.

For your hosts.allow, you might consider something like these examples.

portmap: LOCAL, .home.invalid, 192.168.2.30
ALL: LOCAL, .home.invalid

# End of hosts.allow.

LOCAL replaces your 127.0.0.1, and .home.invalid means everyone in the
.home.invalid domain.

------------------

I find that this /etc/hosts.deny helps. It mails root a message on
denied attempts. Example, when I tried to enable ftpd in .allowed,
I received a email indicating in.ftpd was denied. So I changed ftpd:
to in.ftpd: and all was better.

$ cat /etc/hosts.deny

ALL: ALL:\
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s \"$(uname -n)\" root ) & : DENY

#*********************** end host.deny ********************************

On Tue, 04 Sep 2007 03:00:05 GMT SINNER
<99nesorjd@gates_of_hell.invalid> wrote:

> I believe inetd is configured properly as a change to hosts.allow to:

> leafnode: ALL

> resolves the issue, no restart required, the change is immediate.

Is there any chance that it wants your LAN IP rather than 127.0.0.1?

--
Little Girl

There is no spoon.

* Bit Twister wrote in alt.os.linux.ubuntu:
> On Tue, 04 Sep 2007 00:10:05 GMT, SINNER wrote:
>> I have leafnode running on my Ubuntu 6.06 LTS box and I have several
>> Virtual Machines that I boot up to play with occasionally.

>> Per the initial setup for leafnode, in /etc/hosts.allow I have:

>> leafnode: 127.0.0.1

>> If I change the above to

>> leafnode: ALL

>> The VM can attach to the leafnode server via telnet. I have tried:

>> leafnode: 127.0.0.1, xxx.xxx.xxx.xxx

>> and

>> leafnode: 127.0.0.1
>> leafnode: xxx.xxx.xxx.xxx

>> where the xxx is another local IP address on the network, and neither of
>> the above allow the other machine to connect.

>> The man pages were a little to cryptic apparently to give me the clue I
>> needed so any hints would be appreciated.

> For your hosts.allow, you might consider something like these examples.

> portmap: LOCAL, .home.invalid, 192.168.2.30
> ALL: LOCAL, .home.invalid

> # End of hosts.allow.

What does 'portmap:' signify?

> LOCAL replaces your 127.0.0.1, and .home.invalid means everyone in the
> .home.invalid domain.

> ------------------

> I find that this /etc/hosts.deny helps. It mails root a message on
> denied attempts. Example, when I tried to enable ftpd in .allowed,
> I received a email indicating in.ftpd was denied. So I changed ftpd:
> to in.ftpd: and all was better.

> $ cat /etc/hosts.deny

> ALL: ALL:\
> spawn ( \
> /bin/echo -e "\n\
> TCP Wrappers\: Connection Refused\n\
> By\: $(uname -n)\n\
> Process\: %d (pid %p)\n\
> \n\
> User\: %u\n\
> Host\: %c\n\
> Date\: $(date)\n\
> " | /bin/mail -s \"$(uname -n)\" root ) & : DENY

> #*********************** end host.deny ********************************


Whoa! a 'Bit' beyond my meager needs OR understanding, but thanks BT.
--
David
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html

It was a brave man that ate the first oyster.

* Little Girl wrote in alt.os.linux.ubuntu:
> On Tue, 04 Sep 2007 03:00:05 GMT SINNER
> <99nesorjd@gates_of_hell.invalid> wrote:

>> I believe inetd is configured properly as a change to hosts.allow to:

>> leafnode: ALL

>> resolves the issue, no restart required, the change is immediate.

> Is there any chance that it wants your LAN IP rather than 127.0.0.1?

either is fine and both of those work, my issue is getting a NON local
machine to attach. I only want to let machines on my internal network to
be able to connect.

--
David
The Usenet Improvement Project: http://blinkynet.net/comp/uip5.html

Fortune finishes the great quotations, #6

"But, soft! What light through yonder window breaks?"
It's nothing, honey. Go back to sleep.

On Wed, 05 Sep 2007 01:20:03 GMT, SINNER wrote:

>> portmap: LOCAL, .home.invalid, 192.168.2.30
>> ALL: LOCAL, .home.invalid
>
>> # End of hosts.allow.
>
> What does 'portmap:' signify?

Thought you read the man page on hosts.allow.

portmap is the daemon/serice which is allowed on the LOCAL machine, or
any machine in the .home.invalid domain or host 192.168.2.30



>
>> $ cat /etc/hosts.deny
>
>> ALL: ALL:\
>> spawn ( \
>> /bin/echo -e "\n\
>> TCP Wrappers\: Connection Refused\n\
>> By\: $(uname -n)\n\
>> Process\: %d (pid %p)\n\
>> \n\
>> User\: %u\n\
>> Host\: %c\n\
>> Date\: $(date)\n\
>> " | /bin/mail -s \"$(uname -n)\" root ) & : DENY
>
>> #*********************** end host.deny ********************************
>
>
> Whoa! a 'Bit' beyond my meager needs OR understanding, but thanks BT.

All it does is mail root an email with the indicated fields with the
actual data and deny the serice access.
Example email message from the hosts.deny script.

from root@wb.home.invalid

TCP Wrappers: Connection Refused
By: wb.home.invalid
Process: ipop3d (pid 7787) <===== see, ipop3d deamon/sevice was
refused by hosts.deny
User: unknown
Host: 192.168.1.30
Date: Tue Sep 4 20:32:40 CDT 2007

On Wed, 05 Sep 2007 01:20:05 GMT SINNER
<99nesorjd@gates_of_hell.invalid> wrote:

> * Little Girl wrote in alt.os.linux.ubuntu:
> > On Tue, 04 Sep 2007 03:00:05 GMT SINNER
> > <99nesorjd@gates_of_hell.invalid> wrote:

> >> I believe inetd is configured properly as a change to hosts.allow
> >> to:

> >> leafnode: ALL

> >> resolves the issue, no restart required, the change is immediate.

> > Is there any chance that it wants your LAN IP rather than 127.0.0.1?

> either is fine and both of those work, my issue is getting a NON local
> machine to attach. I only want to let machines on my internal network
> to be able to connect.

I'm completely baffled why leafnode: ALL will work when putting in the
IP won't. This one's a puzzle. I'm not sure if it will help, but this
is how my files look for use with NFS on our internal network. I added
the comments so the numbers will make sense:

little@MOMS-COMPUTER:~$ cat /etc/hosts.allow
# myIP myson'sIP
portmap: 192.168.1.101 192.168.1.102
lockd: 192.168.1.101 192.168.1.102
rquotad: 192.168.1.101 192.168.1.102
mountd: 192.168.1.101 192.168.1.102
statd: 192.168.1.101 192.168.1.102
nfsd: 192.168.1.101 192.168.1.102

little@MOMS-COMPUTER:~$ cat /etc/hosts.deny
portmap mountd nfsd statd lockd rquotad: ALL
little@MOMS-COMPUTER:~$

little@MOMS-COMPUTER:~$ cat /etc/exports
# mypath myson'sIP(rw,no_root_ssquash,async)
/home/little 192.168.1.102(rw,no_root_squash,async)

little@MOMS-COMPUTER:~$ cat /etc/network/interfaces
auto lo
iface lo inet loopback
address 127.0.0.1
netmask 255.0.0.0

auto eth0
iface eth0 inet static
address 192.168.1.101
netmask 255.255.255.0
gateway 192.168.1.1

--
Little Girl

There is no spoon.

On Fri, 7 Sep 2007 22:31:08 -0400, Little Girl wrote:
>
> I'm completely baffled why leafnode: ALL will work when putting in the
> IP won't. This one's a puzzle. I'm not sure if it will help, but this
> is how my files look for use with NFS on our internal network. I added
> the comments so the numbers will make sense:
>
> little@MOMS-COMPUTER:~$ cat /etc/hosts.allow
> # myIP myson'sIP
> portmap: 192.168.1.101 192.168.1.102
> lockd: 192.168.1.101 192.168.1.102
> rquotad: 192.168.1.101 192.168.1.102
> mountd: 192.168.1.101 192.168.1.102
> statd: 192.168.1.101 192.168.1.102
> nfsd: 192.168.1.101 192.168.1.102
>
> little@MOMS-COMPUTER:~$ cat /etc/hosts.deny
> portmap mountd nfsd statd lockd rquotad: ALL
> little@MOMS-COMPUTER:~$

If you are trying to secure your systems, my recommendation is to put
ALL: All in /etc/hosts.deny.

Why you ask, do a /man hosts.deny/ and read the ACCESS CONTROL FILES
section.

I find it helps to have hosts.deny set with this script.
ALL: ALL:\
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
" | /bin/mail -s \"$(uname -n)\" root ) & : DENY

#*********************** end host.deny ********************************

That way, when hosts.allow does not allow a deamon/service access,
hosts.deny will block and mail root information about what was blocked.
Helps when debugging hosts.allow and gives you a heads up when
something is caught trying to run.

Here is a resulting mail message;
TCP Wrappers: Connection Refused
By: wb.home.invalid
Process: ipop3d (pid 14491)

User: unknown
Host: 192.168.1.30
Date: Sat Sep 8 04:40:04 CDT 2007

because I commented out the ALL: line in my hosts.allow to generate a deny.

Snippet from my normal host.allow:

ALL: LOCAL, .home.invalid

#*********************** end host.allow ********************************

Looking in /var/log/messages we find
Sep 8 04:40:04 wb xinetd[14491]: libwrap refused connection to
pop3 (libwrap=ipop3d) from 192.168.1.30
I have no idea if (k)ubuntu creates a messages entry.

On Sat, 08 Sep 2007 09:56:40 GMT Bit Twister
wrote:

> On Fri, 7 Sep 2007 22:31:08 -0400, Little Girl wrote:

> > little@MOMS-COMPUTER:~$ cat /etc/hosts.deny
> > portmap mountd nfsd statd lockd rquotad: ALL
> > little@MOMS-COMPUTER:~$

> If you are trying to secure your systems, my recommendation is to put
> ALL: All in /etc/hosts.deny.

> Why you ask, do a /man hosts.deny/ and read the ACCESS CONTROL FILES
> section.

Thanks. It looks like I need to edit my Idiots' Guide To NFS page with
this info (although I might leave the script out for the page). (:

> I find it helps to have hosts.deny set with this script.
> ALL: ALL:\
> spawn ( \
> /bin/echo -e "\n\
> TCP Wrappers\: Connection Refused\n\
> By\: $(uname -n)\n\
> Process\: %d (pid %p)\n\
> \n\
> User\: %u\n\
> Host\: %c\n\
> Date\: $(date)\n\
> " | /bin/mail -s \"$(uname -n)\" root ) & : DENY

Snagged! Very nice. (:



> Looking in /var/log/messages we find
> Sep 8 04:40:04 wb xinetd[14491]: libwrap refused connection to
> pop3 (libwrap=ipop3d) from
> 192.168.1.30 I have no idea if (k)ubuntu creates a messages entry.

I'll let you know if I get any. I don't see why it wouldn't, though.

--
Little Girl

There is no spoon.