Bugtraq mailing list archives

Tcpwrapper 7.6 - feature -


From: sullivan () SECLAB COM (Gigi Sullivan)
Date: Sat, 19 Sep 1998 18:41:47 +0200


Hello there :)

Well, we all know tcpwrapper (W. Venema) and all its features.
I wrote some very small stuff that could be useful (I hope) to those of you
who are using tcpwrapper but don't run any kind of firewall.
This "new" feature allows you to force the TCP layer to elicit an RST
segment to drop a denied connection (instead of the usual 4-"FIN"
segments).

All you have to do is to add to your /etc/hosts.deny file a line like the
following one:

daemon_list: client_list : rst

This shouldn't lead to data corruption (as said in RFC 1337) and could
"simulate" some simple firewall actions, imho.

For those who are interested here is the options.c diff file.
(If no one is interested, just drop this msg. Sorry :))
Tcpwrapper version 7.6

*** options.orig        Sat Sep 19 18:12:15 1998
--- options.c   Sat Sep 19 18:16:42 1998
***************
*** 85,90 ****
--- 85,91 ----
  static void allow_option();           /* execute "allow" option */
  static void deny_option();            /* execute "deny" option */
  static void banners_option();         /* execute "banners path" option */
+ static void rst_option();             /* force the TCP layer to elict an RST segment */

  /* Structure of the options table. */

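Review bot: the comment on the new `static void rst_option();` declaration spells "elicit" as "elict", and the same spelling returns in the function's header comment further down; fix both. The prototype-less declaration itself matches the K&R style of its neighbours in this table of forward declarations.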
***************
*** 122,127 ****
--- 123,129 ----
      "allow", allow_option, USE_LAST,
      "deny", deny_option, USE_LAST,
      "banners", banners_option, NEED_ARG,
+     "rst", rst_option, 0,
      0,
  };

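Review bot: the flag word 0 on the `"rst", rst_option, 0,` entry means the option needs no argument but may also appear in any rule, including hosts.allow; since the SO_LINGER setting that `rst_option` makes stays on `request->fd` and is inherited by the service tcpd hands the connection to, an `rst` in an allow rule would turn that service's eventual close() into an abortive reset that discards unsent data. Document in the hosts_options(5) text that the option belongs in deny rules only, as the accompanying mail already implies.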
***************
*** 331,336 ****
--- 333,356 ----
            tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger);
      }
  }
+
+ /* rst_option - The TCP layer will elict an RST instead of FIN segments */
+ /* Lorenzo Cavallaro <sullivan () seclab com> ... just FYI :) */
+
+ static void rst_option(value, request)
+ char *value;
+ struct request_info *request;
+ {
+     struct linger linger;
+
+     linger.l_onoff = 1;
+     linger.l_linger = 0;
+     if (dry_run == 0) {
+         if (setsockopt(request->fd, SOL_SOCKET, SO_LINGER, (char *) &linger,
+                        sizeof(linger)) < 0)
+             tcpd_warn("setsockopt SO_LINGER (RST): %m");
+     }
+ }

  /* keepalive_option - set the socket keepalive option */

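Review bot: `rst_option` only sets SO_LINGER; nothing in this hunk closes `request->fd`, so the reset goes out only when tcpd later exits or closes the socket after refusing the request, and the function comment should say so. The warning also drops the detail the preceding function logs (`tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger);`); `tcpd_warn("setsockopt SO_LINGER (RST) fd %d: %m", request->fd);` would make a failed call traceable. `value` is unused, which is consistent with the other argument-less options, and "elict" should read "elicit".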

Bye bye


                        -- gg sullivan


--
Lorenzo Cavallaro
Intesis SECURITY LAB            Phone: +39-2-671563.1
Via Settembrini, 35             Fax: +39-2-66981953
I-20124 Milano  ITALY           Email: sullivan () seclab com
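To show what the patch's SO_LINGER setting does on the wire as seen from the client's side, here is an added example (not from the post or from tcpwrapper) that opens a loopback TCP connection and compares an orderly server-side close with the abortive one that tcpd's `rst` option configures; it assumes a Linux/POSIX socket API and a usable loopback interface, and `close_seen_by_peer` is a name chosen here.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a loopback TCP connection, close the server side either orderly
 * (FIN) or abortively (SO_LINGER with l_linger = 0, which sends RST), and
 * return what the client's read() observes: 0 for a clean end-of-file,
 * ECONNRESET after a reset, or -1 if the setup itself failed. */
int close_seen_by_peer(int abortive)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int lsock, csock, ssock, rc;
    char buf[1];

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                        /* kernel picks a free port */

    lsock = socket(AF_INET, SOCK_STREAM, 0);
    if (lsock < 0 || bind(lsock, (struct sockaddr *) &sa, len) < 0 ||
        listen(lsock, 1) < 0 || getsockname(lsock, (struct sockaddr *) &sa, &len) < 0)
        return -1;

    csock = socket(AF_INET, SOCK_STREAM, 0);
    if (csock < 0 || connect(csock, (struct sockaddr *) &sa, len) < 0)
        return -1;
    ssock = accept(lsock, NULL, NULL);
    if (ssock < 0)
        return -1;

    if (abortive) {
        /* The same setting the tcpd "rst" option applies to request->fd. */
        struct linger linger;
        linger.l_onoff = 1;
        linger.l_linger = 0;
        if (setsockopt(ssock, SOL_SOCKET, SO_LINGER, &linger, sizeof(linger)) < 0)
            return -1;
    }
    close(ssock);                           /* FIN normally; RST when lingering with zero timeout */

    rc = (int) read(csock, buf, sizeof(buf)); /* 0 after FIN; -1 with errno ECONNRESET after RST */
    rc = (rc == 0) ? 0 : (rc < 0 ? errno : -1);
    close(csock);
    close(lsock);
    return rc;
}
```

A denied connection therefore shows up at the client as read() failing with ECONNRESET instead of returning end-of-file, which is also what to look for in a packet capture when confirming the option is in effect.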
