LinuxQuestions.org
Old 10-29-2009, 11:09 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Rep: Reputation: 33
Xinetd only_from-parameter


The NRPE nagios-plugin runs as a daemon, as part of xinetd.

To limit access one should add the line "only_from =".

Can I use a hostname here ?? The hostname points to a DynDNS-host (which is the Nagios-Server)

The sample file mentions 'localhost', but can this be considered as a 'real hostname' and a 'real DNS-translation' ??

Extra question : would it be safer to build an OpenVPN-connection between Nagios-server and Nagios-client (with NRPE-plugin) ?? I could then add "only_from = 10.10.8.2".

RedHat documentation gives no example with a hostname (except localhost)...
 
Old 10-30-2009, 08:02 PM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I can't advise about your OpenVPN question, but for your first question, the explanation in the xinetd.conf man page seems pretty clear:

Code:
       only_from        determines the remote hosts to  which  the  particular
                        service  is  available.   Its  value  is  a list of IP
                        addresses which can be specified in any combination of
                        the following ways:

                        a)   a  numeric address in the form of %d.%d.%d.%d. If
                             the rightmost components are 0, they are  treated
                             as  wildcards  (for example, 128.138.12.0 matches
                             all hosts on  the  128.138.12  subnet).   0.0.0.0
                             matches  all  Internet addresses.  IPv6 hosts may
                             be specified in the form of abcd:ef01::2345:6789.
                             The  rightmost  rule  for IPv4 addresses does not
                             apply to IPv6 addresses.

                        b)   a   factorized   address   in   the    form    of
                             %d.%d.%d.{%d,%d,...}.  There is no need for all 4
                             components (i.e. %d.%d.{%d,%d,...%d} is also ok).
                             However,  the  factorized part must be at the end
                             of the address.  This form does not work for IPv6
                             hosts.

                        c)   a  network  name  (from /etc/networks). This form
                             does not work for IPv6 hosts.

                        d)   a host  name.   When  a  connection  is  made  to
                             xinetd,  a  reverse  lookup is performed, and the
                             canonical name returned is compared to the speci‐
                             fied host name.  You may also use domain names in
                             the form of .domain.com.  If the  reverse  lookup
                             of the client’s IP is within .domain.com, a match
                             occurs.

                        e)   an  ip  address/netmask  range  in  the  form  of
                             1.2.3.4/32.   IPv6  address/netmask ranges in the
                             form of 1234::/46 are also valid.

                        Specifying this attribute without a  value  makes  the
                        service available to nobody.
In particular, (d) seems to respond to your concern. The match (or lack thereof) is done via reverse DNS lookup.

Hope this helps.
 
Old 10-31-2009, 04:34 AM   #3
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by blackhole54 View Post
In particular, (d) seems to respond to your concern. The match (or lack thereof) is done via reverse DNS lookup.
I have tried putting a hostname of 'client.no-ip.biz' for the 'only_from'-param, but the ssl-handshake could not go through.

See this thread :
http://www.linuxquestions.org/questi...dshake-765515/

Setting an IP-address resolved this.

So (d) might work on an internal network, but not for looking up a dyndns hostname's IP-address.

Thanks for your feedback.
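
A model of the form (d) check from the man page excerpt quoted above, added here as an example; it is not part of the original thread and not xinetd's own code. It assumes the dynamic address's PTR record names the ISP rather than the DynDNS host; the IP addresses, the PTR names and nagios.lan.example are constructed, and client.no-ip.biz is the name from the post.

```python
import socket


def reverse_name(ip):
    """Return the canonical name from a reverse (PTR) lookup, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror / socket.gaierror
        return None


def hostname_entry_matches(entry, client_ip, reverse=reverse_name):
    """Model of only_from form (d): the name returned by the reverse
    lookup of the client's IP is compared with the configured entry.
    The forward (A) record of the entry is never consulted."""
    name = reverse(client_ip)
    if name is None:
        return False  # no PTR record, so nothing to compare
    name = name.rstrip(".").lower()
    entry = entry.rstrip(".").lower()
    if entry.startswith("."):  # ".domain.com" form: suffix match
        return name.endswith(entry)
    return name == entry


# Constructed reverse-DNS data (documentation and private address ranges).
# 203.0.113.25 stands for the dynamic address that client.no-ip.biz
# currently points to; its PTR record belongs to the ISP (assumption).
CONSTRUCTED_PTR = {
    "203.0.113.25": "dsl-203-0-113-25.isp.example",
    "192.168.1.20": "nagios.lan.example",
}


def demo():
    """Evaluate a few only_from entries against the constructed PTR data."""
    lookup = CONSTRUCTED_PTR.get
    return {
        "dyndns name": hostname_entry_matches(
            "client.no-ip.biz", "203.0.113.25", lookup),
        "internal name": hostname_entry_matches(
            "nagios.lan.example", "192.168.1.20", lookup),
        "isp domain": hostname_entry_matches(
            ".isp.example", "203.0.113.25", lookup),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:14} -> {'allowed' if allowed else 'denied'}")
```

Calling `hostname_entry_matches(entry, ip)` without the third argument uses the system resolver, which shows what name a hostname entry would actually be compared against for a given client address.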
 
  

