From: Chuck Foster
To: djb-qmail@koobera.math.uic.edu
Subject: deny-paranoid tests
Date: Sat, 27 Sep 1997 11:04:45 +0100 (BST)

Hi ho,

Well, leading on from my tcpserver TCPPARANOID patch yesterday I added in support for it in tcpcontrol last night and then tested it on my listproc host. Got my first catch this morning:

875330099.576869 tcpcontrol: deny-paranoid 10351 solpipe.pipex.net:158.43.128.25 :25 :198.81.11.58::1899 198.81.11.58 -> mb08.mx.aol.com -> 198.81.11.57

Tut tut tut :-)

The new patch effectively replaces the old patch for tcpcontrol I made a few weeks back (this had a minor bug in it with the hostname getting called when there wasn't a hostname ("") but it didn't break the actual tcpcontrol operation).

I've added in tcpcontrol options, handled in the TCPCONTROL environment variable similar to qmail-inject's QMAILINJECT approach - no variable means that tcpcontrol behaves as documented. TCPCONTROL has:

  r  do TCPREMOTEHOST lookups in the cdb file
  p  if TCPPARANOID set, deny the connection
  h  if TCPREMOTEHOST is not set, deny the connection

I deemed these checks useful in authenticating hosts connecting to that service, i.e. if the machine isn't properly registered in the DNS (untrusted?) then don't let it communicate with you.

I chose deny- as a prefix as it seemed like a useful extension idea - this may break some accounting tools if they look at the whole string though.

Thoughts: log the TCPPARANOID string; add ok-paranoid warning mode.

Usual disclaimer: feel free to use it, but I am not responsible for any mishap/disaster to your system that it may cause.

C.

---------
*** tcpcontrol.c 1997/09/05 23:10:07 1.1 --- tcpcontrol.c 1997/09/26 17:38:32 *************** *** 40,46 **** char *tcpremoteport; char *tcpremoteinfo; /* could be 0 */ ! int flagdeny = 0; char *report; unsigned int reportlen; --- 40,50 ---- char *tcpremoteport; char *tcpremoteinfo; /* could be 0 */ ! int flagneedtcpremotehost = 0; /* should we have a tcpremotehost */ !
int flagchecktcpremotehost = 0; /* should we check for host matching */ ! int flagblockparanoid = 0; /* should we deny access if paranoid */ ! ! char *flagdeny = (char *)0; char *report; unsigned int reportlen; *************** *** 73,79 **** unsigned int i; len = 0; i = fmt_str(s,"tcpcontrol: "); if (s) s += i; len += i; ! i = fmt_str(s,flagdeny ? "deny " : "ok "); if (s) s += i; len += i; i = fmt_ulong(s,(unsigned long) getpid()); if (s) s += i; len += i; i = fmt_str(s," "); if (s) s += i; len += i; i = fmtsafe(s,tcplocalhost); if (s) s += i; len += i; --- 77,84 ---- unsigned int i; len = 0; i = fmt_str(s,"tcpcontrol: "); if (s) s += i; len += i; ! i = fmt_str(s,flagdeny ? flagdeny : "ok"); if (s) s += i; len += i; ! i = fmt_str(s," "); if (s) s += i; len += i; i = fmt_ulong(s,(unsigned long) getpid()); if (s) s += i; len += i; i = fmt_str(s," "); if (s) s += i; len += i; i = fmtsafe(s,tcplocalhost); if (s) s += i; len += i; *************** *** 115,121 **** while ((next0 = byte_chr(data,datalen,0)) < datalen) { switch(data[0]) { case 'D': ! flagdeny = 1; break; case '+': if (!env_put(data + 1)) die_nomem(); --- 120,126 ---- while ((next0 = byte_chr(data,datalen,0)) < datalen) { switch(data[0]) { case 'D': ! 
flagdeny = "deny"; break; case '+': if (!env_put(data + 1)) die_nomem(); *************** *** 152,157 **** --- 157,170 ---- if (tcpremoteip[--i] == '.') if (findrule(tcpremoteip,i + 1)) return; + if (flagchecktcpremotehost) if (i = str_len(tcpremotehost)) { + unsigned int s = 0; + if (findrule(tcpremotehost, i)) return; + while (++s < i) + if (tcpremotehost[s] == '.') + if (findrule(tcpremotehost+s, i - s)) return; + } + if (findrule("",0)) return; } *************** *** 159,164 **** --- 172,178 ---- int argc; char **argv; { + char *conopts; if (!argv[1]) usage(); if (!argv[2]) usage(); *************** *** 167,172 **** --- 181,196 ---- fd = open_read(fnrulescdb); if (fd == -1) die_open(); + conopts = env_get("TCPCONTROL"); + if (conopts) + while (*conopts) + switch(*conopts++) + { + case 'h': flagneedtcpremotehost = 1; break; + case 'r': flagchecktcpremotehost = 1; break; + case 'p': flagblockparanoid = 1; break; + } + tcplocalhost = env_get("TCPLOCALHOST"); if (!tcplocalhost) tcplocalhost = ""; tcplocalip = env_get("TCPLOCALIP"); *************** *** 183,188 **** --- 207,215 ---- tcpremoteinfo = env_get("TCPREMOTEINFO"); + if (flagblockparanoid && env_get("TCPPARANOID")) flagdeny = "deny-paranoid"; + else if (flagneedtcpremotehost && !*tcpremotehost) flagdeny = "deny-nohost"; + else checkrules(); reportlen = fmtlog(FMT_LEN); .
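Review bot: in the fmtlog hunk (73,79), the verdict token written by `i = fmt_str(s,flagdeny ? flagdeny : "ok");` is no longer a fixed word but one of `deny`, `deny-paranoid`, `deny-nohost` or `ok`, which the mail itself notes may break accounting tools that compare the whole string; suggest listing the full set of tokens in the tcpcontrol documentation so log parsers can match on the `deny` prefix, and, since the `p` path already has the TCPPARANOID value in hand, appending it through fmtsafe() the way tcpremoteinfo is reported would give the "log the TCPPARANOID string" idea from the mail at almost no cost.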
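Review bot: in the checkrules hunk (152,157), `if (flagchecktcpremotehost) if (i = str_len(tcpremotehost)) {` assigns inside the condition; wrap it in a second pair of parentheses or hoist the assignment so it cannot be read as a typo for `==`. More importantly, the host-name keys are looked up through the same findrule() key space as the IP keys immediately above, with no distinguishing prefix, and TCPREMOTEHOST is reverse-DNS data controlled by whoever runs the remote PTR zone, so a name that happens to look like a trusted address or address prefix would match a rule that was written for an IP. Suggest giving host keys their own prefix in the cdb (and in whatever compiles the rules) so the two namespaces cannot collide, or only honouring `r` lookups when `p` is also set so that names which failed the paranoid check never reach the rules.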
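Review bot: in the TCPCONTROL parsing hunk (167,172), `switch(*conopts++)` has no `default:` branch, so a mistyped option letter is silently ignored and the service quietly runs with fewer checks than the operator configured; suggest logging unknown letters (or failing via usage()) so a typo in the environment is visible, and documenting the three letters alongside the existing usage text.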
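Review bot: in the final hunk (183,188), a `deny-paranoid` or `deny-nohost` verdict is final because the `else checkrules();` branch is never reached, so there is no way to exempt a known-good host whose reverse DNS is missing or broken (internal machines are the usual case) short of dropping `p` or `h` for the whole service; suggest either calling checkrules() first and letting an explicit rule override the environment checks, or documenting that the two checks take precedence over the cdb. The `!*tcpremotehost` test also assumes tcpremotehost was defaulted to "" when the variable is absent, as tcplocalhost is in the hunk above; the context lines do not show that, so it is worth confirming.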