Re: tcp_wrappers prefers IP addresses?

[Alan Mead <adm ipat com>]

>> >> Two questions:  How does tcp_wrappers work that it sometimes allows
access
>> >> and sometimes not (e.g., is this an identd thing)?  And how can I
arrange
>> >> for my friend (i.e., anyone in his domain) to access my box if his IP
>> >> changes?

>> The first two rejections of unkown make sense (I don't understand them, but
>> I can imagine why they were refused).  Why was aristotle.net refused and
>> soltec.net and earthlink.net allowed?
>> secure:
>> Aug 23 06:28:01 conan in.telnetd[18738]: refused connect from unknown
>> Aug 23 06:28:25 conan in.telnetd[18739]: warning: can't get client address:
>> No route to host
>> Aug 23 06:28:25 conan in.telnetd[18739]: refused connect from unknown
>> Aug 24 13:29:44 conan in.telnetd[28205]: refused connect from
>> pmnode9.aristotle.net
>> Aug 25 02:22:36 conan in.telnetd[12565]: refused connect from
>> pmnode3.aristotle.net
>> Aug 28 10:01:48 conan in.telnetd[23761]: connect from sparkle.soltec.net
>> Aug 28 10:08:31 conan in.telnetd[23786]: connect from
>> pool388-cvx.ds44-ca-us.dialup.earthlink.net
>> 
>> /etc/hosts.allow:
>> 
>> #
>> # hosts.allow   This file describes the names of the hosts which are
>> #               allowed to use the local INET services, as decided
>> #               by the '/usr/sbin/tcpd' server.
>> #
>> ALL:.soltec.net
>> ALL:LOCAL
>> in.ftpd:ALL
>> ALL:.earthlink.net
>> ALL:.aristotle.net
>
>ALL:ithink.org

:) Let's say hypothetically that I was being circumspect about posting my
friend's domain and that, again hypothetically, I did in fact have the
above line and that there was also a log message like, say:

Aug 23 06:28:26 conan in.telnetd[18740]: refused connect from ithink.org

>help. Why not allow ithink.org instead of aristotle.net and see what happens!
>Scott's ip is static now and it's pointed at ithink.org instead of aristotle.
>Maybe that will help!

So you think he can connect now?  We shall see.  I don't need him to look
after things now but I was trying to understand why he couldn't connect
last month.  I thought since changing hosts.allow works for some domains
(soltec.net and earthlink.net) and not for others, that there must be
something else I'm missing.

If anyone knows, PLEASE drop me a hint.  I'll even RTFM if you can point me
to it.  I have this nagging feeling that it has something to do with identd
but I've read the man page for hosts.allow and I do not understand the bit
about identd or how I can turn off authentication.

Also, is there supposed to be a leading dot in the domain name?  Should it
be "ALL: .ithink.org" or "ALL: ithink.org"?

Thanks again.

-Alan


---
Alan D. Mead  /  Research Scientist  /  adm ipat com
Institute for Personality and Ability Testing
1801 Woodfield Dr  /  Savoy IL 61874 USA
217-352-4739 (v)  /  217-352-9674 (f)