LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 09-18-2006, 07:32 AM   #16
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Original Poster

Quote:
Originally Posted by gwsandvik
good info snipped
Thanks, Gary. I'll take a look at that link!

Rand
 
Old 09-18-2006, 07:55 AM   #17
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,216
Blog Entries: 3

Quote:
Originally Posted by evilDagmar

To address some other things that were brought up in this thread:

"The portion after the ALL:ALL states what services you wish to deny."

Wrong, wrong, wrong.

"For the hosts.deny, why do you have to have anything after ALL:ALL? Doesn't all mean all?"

All in fact does mean all, and anything after that is simply wasted text. Someone didn't read the man page. ALL:ALL means all services for all IP addresses will be denied unless something in /etc/hosts_allow lets them through explicitly (and again, this only affects incoming TCP connections for applications which are in some way making use of libwrap.a. UDP is not filtered well by this.)

Code:
"The netmask can be used to specify a broadcast netmask [...]"
No.

A lot of what's been going on with this thread is the kind of deranged nomenclature that is IMHO exactly the reason the internet as a whole abandoned classed addressing quite some time ago. All it does is make newbies crazy.
Hi,

Maybe you should read the man pages! If you wish to be specific about a deny you can indeed specify that. You can even deny specific hosts within the file for service to it. You are not as explicit with the hosts.deny as you tend to exhibit.

I've reread my post(s) and grammar was my syntax error, I could have done better to expand the thought. No excuse!

As for my misstatement or misunderstood statement;

Code:
"The netmask can be used to specify a broadcast netmask [...]"
"The network mask is not an IP number and it is used to modify how local IP numbers are interpreted locally" should have been used instead. Therefore the use of the broadcast mask will allow simultaneous use across the local network address(es).

As you well stated 'IMHO'.

edit: Boy I must be tired, my typing or something. change 'it's' to 'it is'

Last edited by onebuck; 09-18-2006 at 08:18 AM.
 
Old 09-18-2006, 04:24 PM   #18
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Quote:
Originally Posted by gwsandvik
Hi,

Maybe you should read the man pages! If you wish to be specific about a deny you can indeed specify that. You can even deny specific hosts within the file for service to it. You are not as explicit with the hosts.deny as you tend to exhibit.
"as [I] tend to exhibit?". No, I'm exactly as specific as I say I am. I start with "ALL: ALL" in /etc/hosts_deny because this (as I said) is the sane way to start a default deny policy. Unless one wishes to make their syntax uselessly obfuscated by including allowance exemptions in the hosts_deny file (which could enable a default allow policy for such a host, which frankly, isn't allowed on any networks I'm responsible for the security of) once "ALL: ALL" has been written, almost anything else in the hosts_deny file is a complete waste of space that will do nothing but waste clock cycles.

To use some phraseology from the Checkpoint world, once the "ALL: ALL" has been written, any other deny rules will be shadowed by it and have no additional effect.

...and not only have I read the man pages for tcp_wrappers, I've read its source, made patches to stifle the useless errors resulting from race conditions, written tutorials on it, and given public lectures on its use to LUGs on multiple occasions. I know it very, very well.

(I love how the board lowercases my paraphrased "I" up there. *sigh*)

Quote:
Originally Posted by gwsandvik
I've reread my post(s) and grammar was my syntax error, I could have done better to expand the thought. No excuse!

As for my misstatement or misunderstood statement;

Quote:
"The netmask can be used to specify a broadcast netmask [...]"
Your "syntax error" caused you to refer to things that do not exist. There is no such animal as a "broadcast netmask". There are netmasks, and there are broadcast addresses, and those two things are entirely different from each other.

Quote:
Originally Posted by gwsandvik
"The network mask is not an IP number and it is used to modify how local IP numbers are interpreted locally" should have been used instead. Therefore the use of the broadcast mask will allow simultaneous use across the local network address(es).
Really? In my 15+ years of IP networking (most of it using tcp_wrappers as one of my defense tools) I never noticed that a network mask and IP address are different things.
</sarcasm>

Do not attempt to save face by reciting primitive facts to me. Tcp_wrappers (and nearly everything else outside of maybe some strange IP calculation tools) has nothing to do with "broadcast masks", which is another animal that might as well not exist at all. If you doubt this, feel free to put either phrase, in quotes, into Google to see the remarkable lack of hits beyond scripts that happen to use them as variable names to some command or other, or extremely confused people.

The hole only gets deeper when you keep digging.

Last edited by evilDagmar; 09-18-2006 at 04:34 PM.
 
Old 09-18-2006, 07:43 PM   #19
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,978
Blog Entries: 11

Quote:
Originally Posted by evilDagmar
"as [i] tend to exhibit?". No, I'm exactly as specific as I say I am. I start with "ALL: ALL" in /etc/hosts_deny because this (as I said) is the sane way to start a default deny policy. Unless one wishes to make their syntax uselessly obfuscated by including allowance exemptions in the hosts_deny file (which could enable a default allow policy for such a host, which frankly, isn't allowed on any networks I'm responsible for the security of) once "ALL: ALL" has been written, almost anything else in the hosts_deny file is a complete waste of space that will do nothing but waste clock cycles.
And since you're always very fond of corrective feedback I thought
I'd point out to you that the files are called /etc/hosts.allow and /etc/hosts.deny,
not /etc/hosts_allow and /etc/hosts_deny ...

The only hosts_ thing I know of is man hosts_access


Cheers,
Tink
 
Old 09-19-2006, 03:53 AM   #20
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Original Poster
I think we can overcome that little problem with a few strategic symlinks
 
Old 09-19-2006, 04:35 AM   #21
piete
Member
 
Registered: Apr 2005
Location: Havant, Hampshire, UK
Distribution: Slamd64, Slackware, PS2Linux
Posts: 465

Code:
111.111.111.000
111.111.110.000
                  AND will produce;
111.111.110.000
Forgive the semi-hijacking, but while we're on this topic, to delay further confusion from netmasks (or indeed, add some more confusion!) the statement above is not really a true representation of how a netmask functions.

I could try to explain it, but, I think Cisco do a better job: http://www.cisco.com/warp/public/701/3.html

The short story is that while 1 AND 1 = 1, the IP address and netmask don't map directly like the example above. It's first translated into binary, and only then is it AND'd.

Code:
Decimal: 255.253.254.0
Binary:  11111111.11111101.11111110.00000000
The netmask is used to ... well, read the site =)
- Piete.

Edit: This is not meant as a bashing to the poster of the original explanation, merely as a preventative measure before someone asks "How do I AND 255 and 255 ?"

Last edited by piete; 09-19-2006 at 04:38 AM.
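As an added example (not code from this thread and not tcp_wrappers' own source), here is a miniature hosts_access(5) evaluator in Python that shows both points raised above: a net/mask client pattern is matched by converting both dotted quads to 32-bit values and ANDing them (piete's "translate to binary first" point), and once hosts.deny starts with "ALL: ALL", any later deny line in that file is shadowed and never reached (evilDagmar's point in #18). It assumes only the ALL wildcard, literal addresses and net/mask client patterns; the sample tables are constructed, not taken from any real host.

```python
# Constructed sample tables (the real files are /etc/hosts.allow and /etc/hosts.deny).
HOSTS_ALLOW = "# constructed\nsshd: 192.168.1.0/255.255.255.0\n"
HOSTS_DENY = "# constructed\nALL: ALL\nsshd: 10.0.0.0/255.0.0.0\n"  # line 3 is shadowed by line 2

def to_int(dotted):
    """Dotted quad -> 32-bit integer: the 'translate it into binary first' step."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad dotted quad: " + dotted)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def to_binary(dotted):
    """Octet-wise binary, e.g. 255.253.254.0 -> 11111111.11111101.11111110.00000000."""
    return ".".join(format(int(p), "08b") for p in dotted.split("."))

def network_of(ip, mask):
    """Apply the mask as a bitwise AND on the 32-bit values, never digit by digit."""
    n = to_int(ip) & to_int(mask)
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def _client_matches(pattern, client_ip):
    # Client patterns handled: ALL, a literal address, or net/mask (assumption: nothing else).
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return network_of(client_ip, mask) == net
    return pattern == client_ip

def _line_matches(line, daemon, client_ip):
    daemons, clients = (part.strip() for part in line.split(":", 1))
    daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
    client_ok = any(_client_matches(c.strip(), client_ip) for c in clients.split(","))
    return daemon_ok and client_ok

def _first_match(table, daemon, client_ip):
    """1-based line number of the first matching rule, or None; comments and blanks skipped."""
    for lineno, raw in enumerate(table.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line and _line_matches(line, daemon, client_ip):
            return lineno
    return None

def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: hosts.allow first, then hosts.deny, otherwise allow; first hit wins."""
    hit = _first_match(allow, daemon, client_ip)
    if hit is not None:
        return ("allow", hit)
    hit = _first_match(deny, daemon, client_ip)
    if hit is not None:
        return ("deny", hit)
    return ("allow", None)
```

Note that the thread's 111.111.111.000 AND 111.111.110.000 example happens to give the same answer either way (111 is 01101111 and 110 is 01101110), which is why it looks like a digit-wise AND; 10.2.3.4 masked with 255.253.254.0 gives 10.0.2.0 and shows the difference.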
 
Old 09-19-2006, 07:17 AM   #22
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,216
Blog Entries: 3

Quote:
Originally Posted by piete
Code:
111.111.111.000
111.111.110.000
                  AND will produce;
111.111.110.000
Forgive the semi-hijacking, but while we're on this topic, to delay further confusion from netmasks (or indeed, add some more confusion!) the statement above is not really a true representation of how a netmask functions.

I could try to explain it, but, I think Cisco do a better job: http://www.cisco.com/warp/public/701/3.html

The short story is that while 1 AND 1 = 1, the IP address and netmask don't map directly like the example above. It's first translated into binary, and only then is it AND'd.

Code:
Decimal: 255.253.254.0
Binary:  11111111.11111101.11111110.00000000
The netmask is used to ... well, read the site =)
- Piete.

Edit: This is not meant as a bashing to the poster of the original explanation, merely as a preventative measure before someone asks "How do I AND 255 and 255 ?"
Hi,

I was just presenting a simple 'AND' not the true mask operation. Thanks for expanding the operation. I should have been more detailed. Tired 'AND' LAZY = Mistakes.

I appreciate your edit. But I note that failure. I like to keep things straight also. Written communication between people concerning technical information should be correct but the thought units are not always conveyed as desired.
 
Old 09-19-2006, 07:38 AM   #23
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,216
Blog Entries: 3

Quote:
Originally Posted by evilDagmar
"as [I] tend to exhibit?". No, I'm exactly as specific as I say I am. I start with "ALL: ALL" in /etc/hosts_deny because this (as I said) is the sane way to start a default deny policy. Unless one wishes to make their syntax uselessly obfuscated by including allowance exemptions in the hosts_deny file (which could enable a default allow policy for such a host, which frankly, isn't allowed on any networks I'm responsible for the security of) once "ALL: ALL" has been written, almost anything else in the hosts_deny file is a complete waste of space that will do nothing but waste clock cycles.

To use some phraseology from the Checkpoint world, once the "ALL: ALL" has been written, any other deny rules will be shadowed by it and have no additional effect.

...and not only have I read the man pages for tcp_wrappers, I've read its source, made patches to stifle the useless errors resulting from race conditions, written tutorials on it, and given public lectures on its use to LUGs on multiple occasions. I know it very, very well.

(I love how the board lowercases my paraphrased "I" up there. *sigh*)


Your "syntax error" caused you to refer to things that do not exist. There is no such animal as a "broadcast netmask". There are netmasks, and there are broadcast addresses, and those two things are entirely different from each other.


Really? In my 15+ years of IP networking (most of it using tcp_wrappers as one of my defense tools) I never noticed that a network mask and IP address are different things.
</sarcasm>

Do not attempt to save face by reciting primitive facts to me. Tcp_wrappers (and nearly everything else outside of maybe some strange IP calculation tools) has nothing to do with "broadcast masks", which is another animal that might as well not exist at all. If you doubt this, feel free to put either phrase, in quotes, into Google to see the remarkable lack of hits beyond scripts that happen to use them as variable names to some command or other,
Quote:
or extremely confused people.
The hole only gets deeper when you keep digging.
Hi,

Apparently your 15 years are your biggest defense. As for a hole being deeper, jump in!

I'm not going to get into a 'my thing is better than yours' contest. To continue with that would not be productive.

Sometimes we can be simplistic and convey the thought therefore direct the person on the start of the road to the freeway. At other times this can cause
Quote:
or extremely confused people.
the omissions are not intentional but do occur. We all try to do our best to help others here.

I am not attempting to save face. You judge as you will be judged, as this will not affect me.

Your negativity is not warranted nor productive here.
 
Old 09-22-2006, 04:58 AM   #24
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Quote:
Originally Posted by gwsandvik
Hi,

Apparently your 15 years are your biggest defense. As for a hole being deeper, jump in!

I'm not going to get into a 'my thing is better than yours' contest. To continue with that would not be productive.
That's because yours is apparently much smaller.

Quote:
Originally Posted by gwsandvik
Sometimes we can be simplistic and convey the thought therefore direct the person on the start of the road to the freeway. At other times this can cause the omissions are not intentional but do occur. We all try to do our best to help others here.
Except you said some things which are quite untrue and when they caused confusion for the person you were trying to help, you were rude about it as if they should be able to figure it out from what you said.

Quote:
Originally Posted by gwsandvik
I am not attempting to save face. You judge as you will be judged, as this will not affect me.

Your negativity is not warranted nor productive here.
Neither is your denial of reality. Don't even attempt to pretend you're on the high road. Yeah, I suppose that me exposing that you are just miles away from correct is technically negative, but it's still a warped slant on the situation. You've insulted the original poster, told him multiple things that were more than just "syntax errors"--they were wholly and entirely wrong and confused the person you were purporting to help. When I called you on it (and provided correct information) you deliberately attempted to insult me by implying that I'm inexperienced in a field that I've been making my living in for a long, long time.

If I'm occasionally rude to people, at least I'm teaching them the correct things when I do it instead of filling their head with nonsense. You've managed neither politeness, nor correctness. Are you actually claiming this forum is for spreading ignorance and hostility?

...and there is still no such animal as a "broadcast netmask".

Last edited by evilDagmar; 09-22-2006 at 05:02 AM.
 
Old 09-22-2006, 05:06 AM   #25
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Quote:
Originally Posted by Tinkster
And since you're always very fond of corrective feedback I thought
I'd point out to you that the files are called /etc/hosts.allow and /etc/hosts.deny,
not /etc/hosts_allow and /etc/hosts_deny ...

The only hosts_ thing I know of is man hosts_access


Cheers,
Tink
Bah, it happens, but at least I didn't screw it up enough times that it should be quite clear what I am referring to. This is a far cry from just throwing technical-sounding words together and expecting that someone who doesn't know any of them will just be able to intuit their meaning.
 