Bug 24610

Summary: [PATCH] make inetd log hostnames when specifying -l twice
Product: Base System Reporter: Andre Albsmeier <Andre.Albsmeier>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.2-STABLE
Hardware: Any
OS: Any
Attachments:
  Description: file.diff
  Flags: none

Description Andre Albsmeier 2001-01-24 15:30:01 UTC
When specifying -l inetd logs the IP address of successful connections.
With this patch, the hostname is logged instead of the IP address
when -l is specified twice.

Fix: The patch implements the above suggestion in inetd.c and documents
it in inetd.8. The fact that a (possibly time consuming) DNS lookup
can be needed has been documented as well.
How-To-Repeat: 
run inetd -l and watch /var/log/messages while connecting to an
inetd service.
Comment 1 dwmalone 2001-01-24 19:11:43 UTC
On Wed, Jan 24, 2001 at 04:20:17PM +0100, Andre Albsmeier wrote:

> >Description:
> 
> When specifying -l inetd logs the IP address of successful connections.
> With this patch, the hostname is logged instead of the IP address
> when -l is specified twice.

I didn't want to do this because it means looking up a hostname in
inetd before forking - this can block for some time, which would
prevent inetd from starting any more services.

You can already look up host names and log them by turning on
wrappers with -Ww. If you don't want to restrict the services
available then you can do something like:

ALL: UNKNOWN : severity local0.info : allow
ALL: ALL : severity local0.info : allow

The "UNKNOWN" should force tcpd to look up the host name - otherwise
it won't bother.

	David.
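As an added illustration of the point above (not code from this PR, inetd or tcp_wrappers): a simplified Python model of hosts.allow rule evaluation in which the client's hostname is resolved lazily, only when a pattern such as UNKNOWN needs it, so the plain "ALL: ALL" rule never triggers the lookup. The reverse-DNS table, the telnetd service name, the default severity and the log-line format are constructed for the demo; the real libwrap code differs in detail.

```python
# Constructed reverse-DNS table standing in for the resolver (no network is
# used); None means the address has no usable PTR record.
REVERSE_DNS = {"192.0.2.10": "client.example.net", "192.0.2.20": None}

class Client:
    def __init__(self, addr):
        self.addr, self.name, self.lookups = addr, None, 0

    def hostname(self):
        # Lazy reverse lookup: performed only when a rule asks for the name.
        if self.lookups == 0:
            self.lookups += 1
            self.name = REVERSE_DNS.get(self.addr)
        return self.name

def parse_rules(text):
    """Parse 'daemon_list : client_list : option ... : allow|deny' lines."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if fields[0]:
            rules.append((fields[0].split(), fields[1].split(), fields[2:]))
    return rules

def client_matches(pattern, client):
    if pattern == "ALL":                      # matches without any lookup
        return True
    if pattern == "UNKNOWN":                  # forces the reverse lookup
        return client.hostname() is None
    return pattern == client.addr             # literal address, no lookup

def check_access(rules, daemon, client):
    """First matching rule wins; returns (allowed, syslog severity, log line)."""
    for daemons, clients, opts in rules:
        if (any(d in ("ALL", daemon) for d in daemons)
                and any(client_matches(p, client) for p in clients)):
            severity = next((o.split(None, 1)[1] for o in opts
                             if o.startswith("severity ")), "daemon.info")
            who = client.name or client.addr  # name only if a rule resolved it
            return "deny" not in opts, severity, f"{daemon}: connect from {who}"
    return True, "daemon.info", f"{daemon}: connect from {client.addr}"

WRAPPER_RULES = ("ALL: UNKNOWN : severity local0.info : allow\n"
                 "ALL: ALL : severity local0.info : allow\n")
PLAIN_RULES = "ALL: ALL : allow\n"

def demo(rules_text, addr, daemon="telnetd"):
    client = Client(addr)
    result = check_access(parse_rules(rules_text), daemon, client)
    return (client.lookups,) + result   # (lookups, allowed, severity, log line)
```

With the UNKNOWN rule in place every connection costs one reverse lookup before the service is started, which is exactly the blocking cost the comment above warns about; without it the log line only ever carries the address.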
Comment 2 Andre Albsmeier 2001-01-24 20:34:39 UTC
On Wed, 24-Jan-2001 at 19:11:43 +0000, David Malone wrote:
> On Wed, Jan 24, 2001 at 04:20:17PM +0100, Andre Albsmeier wrote:
> 
> > >Description:
> > 
> > When specifying -l inetd logs the IP address of successful connections.
> > With this patch, the hostname is logged instead of the IP address
> > when -l is specified twice.
> 
> I didn't want to do this because it means looking up a hostname in
> inetd before forking - this can block for some time, which would
> prevent inetd from starting any more services.

Sure, that's why I mentioned it in the man page (maybe this needs
more clarification).

However, on nets isolated behind firewalls where only certain
hosts can connect to inetd at all and where fast DNS lookups
are normal it might be quite useful. And the feature has to be
turned on explicitly by specifying -l twice.

> 
> You can already look up host names and log them by turning on
> wrappers with -Ww. If you don't want to restrict the services
> available then you can do something like:
> 
> ALL: UNKNOWN : severity local0.info : allow
> ALL: ALL : severity local0.info : allow
> 
> The "UNKNOWN" should force tcpd to look up the host name - otherwise
> it won't bother.
> 
> 	David.
Comment 3 dwmalone freebsd_committer freebsd_triage 2001-05-07 19:34:22 UTC
State Changed
From-To: open->feedback

I'd like to close this PR because the effect of the patch can
be produced using hosts.allow. Does this sound OK Andre, or
am I missing something?
Comment 4 dwmalone freebsd_committer freebsd_triage 2001-05-08 09:31:37 UTC
State Changed
From-To: feedback->closed

hosts.allow seems to have what's needed here.