Path: news.porcupine.org!news.porcupine.org!not-for-mail
From: Wietse Venema <wietse@((no)(spam)(please))wzv.win.tue.nl>
Newsgroups: comp.mail.sendmail,comp.security.unix
Subject: TCP Wrapper Blacklist Extension
Date: 8 Sep 1997 18:53:13 -0400
Organization: Wietse's hangout while on sabbatical in the USA
Sender: wietse@spike.porcupine.org
Message-ID: <5v1vkp$h4f$1@spike.porcupine.org>
NNTP-Posting-Host: spike.porcupine.org
Xref: news.porcupine.org comp.mail.sendmail:3541 comp.security.unix:7158
The patch below adds a new host pattern to the TCP Wrapper access
control language. Instead of a host name or address pattern, you
can specify an external /file/name with host name or address
patterns. The feature can be used recursively.

The /file/name extension makes it easy to blacklist bad sites, for
example, to block unwanted electronic mail when libwrap is linked
into sendmail. Adding hosts to a simple text file is much easier
than having to edit a more complex hosts.allow/deny file.
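The lookup described above, as an added example that is not part of Wietse's patch or of TCP Wrappers: a self-contained C matcher for the same whitespace-separated pattern file, handling a subset of the pattern syntax (exact host, leading-dot domain, trailing-dot address prefix, and nested /file references) with the token length and the nesting depth bounded. The two pattern files, their contents and the /tmp paths used by write_constructed_lists are constructed for the demo.

```c
/* Added example, not Wietse's code: a bounded, recursion-limited /file lookup.
 * Patterns: exact host, ".domain" suffix, "1.2.3." address prefix, "/path". */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define MAX_DEPTH 4   /* refuse /file references nested deeper than this */
/* file_match - match host against each whitespace-separated pattern in path.
 * Width-limited fscanf avoids overrunning tok; MAX_DEPTH stops self-referencing files. */
static int file_match(const char *path, const char *host, int depth)
{
    char tok[256];
    FILE *fp; int hit = 0;
    size_t plen, hlen = strlen(host);
    if (depth > MAX_DEPTH) {
        fprintf(stderr, "%s: /file nesting too deep, ignored\n", path);
        return 0;
    }
    if ((fp = fopen(path, "r")) == NULL) {
        if (errno != ENOENT)            /* a missing file matches nothing */
            perror(path);
        return 0;
    }
    while (!hit && fscanf(fp, "%255s", tok) == 1) {
        plen = strlen(tok);
        if (tok[0] == '/')                      /* nested pattern file */
            hit = file_match(tok, host, depth + 1);
        else if (tok[0] == '.')                 /* .domain: suffix match */
            hit = hlen > plen && strcmp(host + hlen - plen, tok) == 0;
        else if (tok[plen - 1] == '.')          /* 1.2.3.: prefix match */
            hit = strncmp(host, tok, plen) == 0;
        else                                    /* exact host or address */
            hit = strcmp(host, tok) == 0;
    }
    fclose(fp);
    return hit;
}

/* write_constructed_lists - constructed demo data (made-up names): the main
 * list pulls in a second file, which refers back to the first (a loop). */
int write_constructed_lists(const char *main_path, const char *extra_path)
{
    FILE *fp = fopen(main_path, "w");
    if (fp == NULL) return -1;
    fprintf(fp, "badhost.example.com .spam.example 10.1.2.\n%s\n", extra_path);
    fclose(fp);
    if ((fp = fopen(extra_path, "w")) == NULL) return -1;
    fprintf(fp, "relay.example.net\n%s\n", main_path);
    fclose(fp);
    return 0;
}
```

A host that matches nothing walks the two-file loop until the depth cap trips, then is reported as not matching instead of recursing forever.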
I developed this a year or so ago as a substitute for NIS netgroups.
At that time, I did not consider it of sufficient interest for
inclusion in the TCP Wrapper distribution. How times have changed.

The patch is relative to TCP Wrappers version 7.6. The main archive
site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz

Thanks to the Debian LINUX folks for expressing their interest in
diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
--- tcp_wrappers_7.6.orig/hosts_access.5 2004-04-10 19:28:09.000000000 +0200
+++ tcp_wrappers_7.6/hosts_access.5 2004-04-10 19:28:01.000000000 +0200
`[3ffe:505:2:1::]/64\' matches every address in the range
`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
+A string that begins with a `/\' character is treated as a file
+name. A host name or address is matched if it matches any host name
+or address pattern listed in the named file. The file format is
+zero or more lines with zero or more host name or address patterns
+separated by whitespace. A file name pattern can be used anywhere
+a host name or address pattern can be used.
Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This
method of matching cannot be used in conjunction with `net/mask\' matching,
hostname matching beginning with `.\' or IP address matching ending with `.\'.
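Review bot: the new man page paragraph omits two behaviours an administrator has to know from the code side of this patch: a named file that does not exist is silently treated as matching nothing (hosts_access.c only warns when errno is not ENOENT), and the file is read by the wrapped daemon at lookup time, so whoever can write it controls the access decision. Suggest adding "A missing file matches nothing" and "the file should be writable only by root", and saying explicitly that a file pattern is valid only in the client host position (the tcpdchk change warns when a daemon or user name begins with "/"); "anywhere a host name or address pattern can be used" could also spell out that this includes inside such a file, since the recursion is a documented feature.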
diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
--- tcp_wrappers_7.6.orig/hosts_access.c 2004-04-10 19:28:09.000000000 +0200
+++ tcp_wrappers_7.6/hosts_access.c 2004-04-10 19:27:05.000000000 +0200
+/* hostfile_match - look up host patterns from file */
+static int hostfile_match(path, host)
+struct hosts_info *host;
+ if ((fp = fopen(path, "r")) != 0) {
+ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", path);
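Review bot: `fscanf(fp, "%s", tok)` in the line `while (fscanf(fp, "%s", tok) == 1 && ...` has no field width, so one token longer than `tok` in a pattern file overruns the buffer inside whatever daemon libwrap is linked into; give the conversion a width matching the array (for example `"%255s"` for a 256-byte `tok`) and tcpd_warn on tokens that reach the limit rather than matching a truncated pattern. The visible hunk lines also do not show the `fclose(fp)`; since the loop exits early on the first match, confirm the handle is closed on both the match and no-match paths, as a leaked descriptor per lookup adds up in a long-lived server.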
/* host_match - match host name and/or address against pattern */
static int host_match(tok, host)
tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
+ } else if (tok[0] == '/') { /* /file hack */
+ return (hostfile_match(tok, host));
} else if (STR_EQ(tok, "KNOWN")) { /* check address and name */
char *name = eval_hostname(host);
return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
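Review bot: the new `tok[0] == '/'` branch calls hostfile_match, which calls host_match on every token it reads, so a pattern file that lists itself, or two files that list each other, recurses without bound until the process runs out of stack or file descriptors. Pass a depth counter through hostfile_match (a small fixed limit is plenty for the netgroup-substitute use case) and tcpd_warn when it is exceeded. The comment `/* /file hack */` should also say that the file's contents are matched recursively; that is the property a later reader needs to know.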
diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c
--- tcp_wrappers_7.6.orig/tcpdchk.c 2004-04-10 19:28:09.000000000 +0200
+++ tcp_wrappers_7.6/tcpdchk.c 2004-04-10 19:27:05.000000000 +0200
tcpd_warn("%s: daemon name begins with \"@\"", pat);
+ } else if (pat[0] == '/') {
+ tcpd_warn("%s: daemon name begins with \"/\"", pat);
} else if (pat[0] == '.') {
tcpd_warn("%s: daemon name begins with dot", pat);
} else if (pat[strlen(pat) - 1] == '.') {
if (pat[0] == '@') { /* @netgroup */
tcpd_warn("%s: user name begins with \"@\"", pat);
+ } else if (pat[0] == '/') {
+ tcpd_warn("%s: user name begins with \"/\"", pat);
} else if (pat[0] == '.') {
tcpd_warn("%s: user name begins with dot", pat);
} else if (pat[strlen(pat) - 1] == '.') {
static int check_host(pat)
+ struct tcpd_context saved_context;
+ char *wsp = " \t\r\n";
if (pat[0] == '@') { /* @netgroup */
tcpd_warn("netgroup support disabled");
+ } else if (pat[0] == '/') { /* /path/name */
+ if ((fp = fopen(pat, "r")) != 0) {
+ saved_context = tcpd_context;
+ tcpd_context.file = pat;
+ tcpd_context.line = 0;
+ while (fgets(buf, sizeof(buf), fp)) {
+ tcpd_context.line++;
+ for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
+ tcpd_context = saved_context;
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", pat);
} else if (mask = split_at(pat, '/')) { /* network/netmask */
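Review bot: tcpdchk tokenizes with `fgets(buf, sizeof(buf), fp)` plus `strtok` on `" \t\r\n"`, while hosts_access.c reads the same file with `fscanf(fp, "%s", tok)`; the two only agree while no line exceeds `buf`, because a line that fgets splits across two calls has its last token cut in two and checked as two patterns, so tcpdchk can warn about, or silently pass, something the daemon never evaluates. Read tokens the same way in both places. If the `for` body (not in the visible lines) calls check_host on each `cp`, the unbounded self-reference recursion possible in hosts_access.c applies here as well and needs the same depth limit; and since the file is now an access-policy input, tcpdchk is the natural place to warn when it is not owned by root or is group/world writable, alongside the existing "open %s: %m" warning.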