Bug 18570 - tcp_wrappers requires DNS
tcp_wrappers requires DNS
Status: CLOSED WORKSFORME
Product: Red Hat Linux
Classification: Retired
Component: tcp_wrappers (Show other bugs)
7.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Preston Brown
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-10-06 16:55 EDT by Need Real Name
Modified: 2007-04-18 12:29 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-10-09 11:44:13 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2000-10-06 16:55:51 EDT
If ALL:ALL is placed in the hosts.deny and specific exceptions are added
into the hosts.allow, working DNS is required to successfully connect to
any service.  The settings in the nsswitch.conf do not seem to affect this
problem (i.e. I tried setting hosts to just "files" and it didn't use the
/etc/hosts file for authentication).

This is new behavior... 6.2 and 7.0beta did not work this way.  This has
happened on two different machines, one a 6.2 and one a 7.0beta, after
upgrading.  Both computers use the i386 architecture.

Possible reason: tcp_wrappers is now being compiled with -DPARANOID which
will always refuse connections which can't be resolved forwards and
backwards.  This combined with the fact tcp_wrappers sends DNS queries
directly instead of using /etc/nsswitch.conf causes my laptop to refuse all
connections when plugged into my home network and my desktop to refuse all
connections when not dialed into my ISP.
Comment 1 Need Real Name 2000-10-06 17:12:41 EDT
Two things I forgot to mention:

1) I'm not using hostnames in the hosts.allow, just IPs (like 127.0.0.1
10.0.0.0/255.0.0.0)
2) The functionality of -DPARANOID can be obtained without compiling with it
on... just use PARANOID as a wildcard... so compiling without it is more
flexible.
Comment 2 Need Real Name 2000-10-09 11:44:11 EDT
Nevermind!  It looks like I was just confused.  After fixing the hosts.allow to
use the proper names for the daemons (I was using the service names), it works
wonderfully.  I looked at the patches that had been added to tcp_wrappers in 7.0
and none of them looked like they should have affected this.

Now the only question is how it worked before...

Sorry for wasting your time.

(BTW: bugzilla is really nice)

Note You need to log in before you can comment on or make changes to this bug.