Re: Installing a firewall - sgi_fam problem

[ABrady <kcsmart kc rr com>]

On Mon, 4 Mar 2002 10:27:22 -0600 (CST)
Adrian Burd <adrian nhalodule tamu edu> blurted:

> 
> 
> Following a recent thread on this list, I've set about installing a
> simple firewall on my machine. I've switched off ipchains (I'll
> eventually have iptables set up), but keep getting the following in
> /var/log/secure
> 
> Mar  4 10:44:30 plankton xinetd[850]: START: sgi_fam pid=1233
> from=0.0.0.0 Mar  4 10:44:31 plankton xinetd[1233]: FAIL: sgi_fam
> libwrap from=0.0.0.0
> 
> which repeats several times, then appears again a few hours later. In 
> /var/log/messages, I get the following:
> 
> Mar  4 10:44:30 plankton xinetd[1233]: warning: can't get client
> address:Transport endpoint is not connected Mar  4 10:44:31 plankton
> xinetd[1233]: libwrap refused connection to  sgi_fam from 0.0.0.0
> 
> I don't see where the IP address 0.0.0.0 should be coming from. In
> xinetd.d/sgi_fam, I have 
> 
> service sgi_fam
> {
> 	type         = RPC UNLISTED
>         socket_type  = stream
>         user         = root
>         group        = nobody
>         server       = /usr/bin/fam
> 	wait	     = yes
> 	protocol     = tcp
> 	rpc_version  = 2
> 	rpc_number   = 391002
> 	bind         = 127.0.0.1
> }
> 
> and I've set 
> 
>  local_only = true
> 
> in fam.conf. My hosts.deny is set to ALL: ALL and my hosts.allow has
> 
> ALL: 127.0.0.1
> ALL: <a trusted host>
> sshd: <a trusted host>
> sendmail: ALL
> sgi_fam: ALL
> 
> 
> Does anyone have any suggestions as to why I'm getting these warning
> and error messages in the log files? I've spent a couple of hours
> hunting on the net without any luck.

The binary causing it is fam. Here's some info:

[kcsmart alan kcsmart]$ rpm -q fam
fam-2.6.6-1

[kcsmart alan kcsmart]$ rpm -qi fam
Name        : fam                          Relocations: (not
relocateable) Version     : 2.6.6                             Vendor:
Red Hat, Inc. Release     : 1                             Build Date:
Thu 29 Nov 2001 06:11: PM CST
Install date: Wed 05 Dec 2001 08:43:52 PM CST      Build Host:
stripples.devel edhat.com
Group       : System Environment/Daemons    Source RPM:
fam-2.6.6-1.src.rpm Size        : 374390                          
License: GPL/LGPL Packager    : Red Hat, Inc.
<http://bugzilla.redhat.com/bugzilla> URL         :
http://oss.sgi.com/projects/fam/
Summary     : FAM, the File Alteration Monitor.
Description :
FAM, the File Alteration Monitor, provides a daemon and an API which
applications can use for notification of changes in specific files or
directories.

[kcsmart alan kcsmart]$ rpm -ql fam
/etc/fam.conf
/etc/xinetd.d/sgi_fam
/usr/bin/fam
/usr/lib/libfam.so.0
/usr/lib/libfam.so.0.0.0
/usr/share/doc/fam-2.6.6
/usr/share/doc/fam-2.6.6/COPYING
/usr/share/doc/fam-2.6.6/ChangeLog
/usr/share/doc/fam-2.6.6/INSTALL
/usr/share/doc/fam-2.6.6/INSTALL.rpm
/usr/share/doc/fam-2.6.6/README
/usr/share/doc/fam-2.6.6/TODO
/usr/share/man/man1/fam.1m.gz

[kcsmart alan kcsmart]$ rpm -q --whatrequires fam
fam-devel-2.6.6-1

[kcsmart alan kcsmart]$ rpm -q --whatrequires fam-devel
no package requires fam-devel

So, nothing needs it except fam-deve and nothing needs fam-devel. I've
removed them both completely in the past and never noticed them missing.
You can surely do the same now if those lines really bother you. By the
same token, they don't hurt anything being there either.

This is with RH 7.1, updated with who-knows-what (source made into RPMs
by checkinstall, Rawhide updates, RH 7.2 binaries, binaries found in
oddball places, etc; your versions may differ).

-- 
...and that is how we know the Earth to be banana-shaped.