Date: Sat, 19 Sep 1998 18:41:47 +0200
From: Gigi Sullivan <[email protected]>
To: [email protected]
Subject: Tcpwrapper 7.6 - feature -

Hello there :)

Well, we all know tcpwrapper (W. Venema) and all its features.
I wrote a very small piece of code that could be useful (I hope) to those of you
who are using tcpwrapper but don't run any kind of firewall.

This "new" feature allows you to force the TCP layer to elicit an RST
segment to drop a denied connection (instead of the usual 4-"FIN"
segment).

All you have to do is add to your /etc/hosts.deny file a line like the
following one:

daemon_list : client_list : rst

This shouldn't lead to data corruption (as said in RFC 1337) and could
"simulate" some simple firewall actions, imho.

For those who are interested, here is the options.c diff file.
(If no one is interested, just drop this msg. Sorry :))

Tcpwrapper version 7.6
*** options.orig Sat Sep 19 18:12:15 1998
--- options.c Sat Sep 19 18:16:42 1998
***************
*** 85,90 ****
--- 85,91 ----
static void allow_option(); /* execute "allow" option */
static void deny_option(); /* execute "deny" option */
static void banners_option(); /* execute "banners path" option */
+ static void rst_option(); /* force the TCP layer to elict an RST segment */
/* Structure of the options table. */
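Review bot: the comment on the new rst_option() prototype misspells "elicit" as "elict" and breaks the "execute ... option" wording used by the allow_option(), deny_option() and banners_option() lines directly above it. Suggest /* execute "rst" option */ here and keeping the longer explanation on the function definition only.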
***************
*** 122,127 ****
--- 123,129 ----
"allow", allow_option, USE_LAST,
"deny", deny_option, USE_LAST,
"banners", banners_option, NEED_ARG,
+ "rst", rst_option, 0,
0,
};
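Review bot: the "rst" entry is registered with flags 0, while "allow" and "deny" in the same table carry USE_LAST, so nothing visible here ties "rst" to a rule that ends in a denial. rst_option() only sets SO_LINGER and makes no access decision itself, so if the keyword is accepted on a rule that grants access, the socket handed to the daemon would also be reset on close and any unsent data discarded. Suggest documenting that "rst" is meant for denying rules only, or having the option perform the deny itself and marking it USE_LAST.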
***************
*** 331,336 ****
--- 333,356 ----
tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger);
}
}
+
+ /* rst_option - The TCP layer will elict an RST instead of FIN segments */
+ /* Lorenzo Cavallaro <[email protected]> ... just FYI :) */
+
+ static void rst_option(value, request)
+ char *value;
+ struct request_info *request;
+ {
+ struct linger linger;
+
+ linger.l_onoff = 1;
+ linger.l_linger = 0;
+ if (dry_run == 0) {
+ if (setsockopt(request->fd, SOL_SOCKET, SO_LINGER, (char *) &linger,
+ sizeof(linger)) < 0)
+ tcpd_warn("setsockopt SO_LINGER (RST): %m");
+ }
+ }
/* keepalive_option - set the socket keepalive option */
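Review bot: rst_option() introduces a new rule keyword, but the patch touches only options.c, so nothing tells an administrator that "rst" takes no value (the value parameter is unused) or that it forces l_onoff = 1, l_linger = 0 on request->fd. Suggest adding an entry to the hosts_options(5) manual page next to the existing linger option. A smaller point in the same function: when setsockopt() fails the rule falls back to a normal close with only a tcpd_warn(), and the message "setsockopt SO_LINGER (RST): %m" could name the option keyword so the log line is easy to match to the rule.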
Bye bye
-- gg sullivan
--
Lorenzo Cavallaro
Intesis SECURITY LAB Phone: +39-2-671563.1
Via Settembrini, 35 Fax: +39-2-66981953
I-20124 Milano ITALY Email: [email protected]
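
The behaviour the post describes, as an added example that is not part of the original message or of tcpwrapper: a loopback listener accepts a connection and closes it, once normally and once with the same SO_LINGER values the patch sets, and reports what the client's read() sees. The function name client_view_of_close and the loopback setup are assumptions made for this illustration.

```c
/* Added example (not from the posted patch): FIN vs RST as seen by the client. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 0 if the client saw an orderly FIN (read() == 0), the errno from
 * read() if it saw a reset (ECONNRESET expected), or -1 on setup failure. */
int client_view_of_close(int abortive)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    struct linger lg;
    char byte;
    int result = -1, sfd = -1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);   /* stands in for the daemon */
    int cfd = socket(AF_INET, SOCK_STREAM, 0);   /* stands in for the denied client */

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    lg.l_onoff = 1; lg.l_linger = 0;             /* same values as rst_option() */
    if (lfd >= 0 && cfd >= 0 &&
        bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        listen(lfd, 1) == 0 &&
        getsockname(lfd, (struct sockaddr *)&addr, &len) == 0 &&
        connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        (sfd = accept(lfd, NULL, NULL)) >= 0 &&
        (!abortive ||
         setsockopt(sfd, SOL_SOCKET, SO_LINGER, &lg, sizeof(lg)) == 0)) {
        close(sfd);                              /* wrapper side drops the connection */
        sfd = -1;
        /* Blocks until the FIN or the RST arrives from the closed side. */
        result = read(cfd, &byte, 1) == 0 ? 0 : errno;
    }
    if (sfd >= 0) close(sfd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return result;
}

int main(void)
{
    printf("normal close -> %d, SO_LINGER{1,0} -> %d (ECONNRESET is %d)\n",
           client_view_of_close(0), client_view_of_close(1), ECONNRESET);
    return 0;
}
```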