LinuxQuestions.org
Old 11-11-2017, 03:36 PM   #16
andrixnet
Member
 
Registered: Oct 2012
Posts: 100

Original Poster
Rep: Reputation: Disabled
Post


I've investigated a bit further and discovered more:

My /etc/hosts.deny (not installation default, but intended for better security) :
Code:
ALL:            ALL
My /etc/hosts.allow (not installation default, but somewhat tweaked for better security) :
Code:
ALL:            LOCAL

snmpd:          LOCAL
The other daemons don't count in this scope.

Now according to man 5 hosts_access :
Quote:
LOCAL Matches any host whose name does not contain a dot character.
/etc/hosts:
Code:
# For loopbacking.
127.0.0.1               localhost

# Local network
1.2.3.4                 hostname.domainname         hostname
Apparently snmpd knows and uses tcpwrappers library, but does not support its full syntax:
Code:
# tcpdmatch snmpd localhost
warning: snmpd: no such process name in /etc/inetd.conf
client:   hostname localhost
client:   address  127.0.0.1
server:   process  snmpd
matched:  /etc/hosts.allow line 17
access:   granted
Yet it was not sufficient to allow connections from localhost (127.0.0.1).

Apparently snmpd recognizes "ALL", IP addresses, IP_network/NETMASK pairs.
It does not recognize hostnames (that need to be solved).
It does not recognize "LOCAL".

It also does work if the directive "ALL" for all daemons allows access according to the above limitations.
 
1 members found this post helpful.
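
An added example, not part of the original post: a small audit of a hosts.allow file that flags rules applying to snmpd whose client patterns fall outside the three forms the post reports as working (ALL, an IP address, a network/netmask pair). It handles single-line IPv4 rules only; the sample file contents and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the two rules quoted in the post, plus two more in
# the forms the post reports snmpd accepting and one host name rule.
SAMPLE_HOSTS_ALLOW = """\
ALL:            LOCAL

snmpd:          LOCAL
snmpd:          127.0.0.1, 192.168.1.0/255.255.255.0
snmpd:          monitor.example.org
"""

def classify(pattern):
    """Return 'ok' for the client forms the post reports snmpd honouring
    (ALL, an IP address, network/netmask); otherwise a short reason."""
    if pattern == "ALL":
        return "ok"
    net, sep, mask = pattern.partition("/")
    try:
        ipaddress.IPv4Address(net)
        if sep:
            ipaddress.IPv4Address(mask)  # netmask written in dotted form
        return "ok"
    except ipaddress.AddressValueError:
        pass
    if pattern == "LOCAL":
        return "LOCAL wildcard (matches on host name)"
    return "not ALL, an IP address or network/netmask"

def audit_hosts_allow(text, daemon="snmpd"):
    """List (line_no, pattern, reason) for rules that apply to `daemon`
    (named directly or via ALL) but use a pattern classify() rejects."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = (f.strip() for f in line.split(":")[:2])
        if not {daemon, "ALL"} & set(daemons.replace(",", " ").split()):
            continue
        for pattern in clients.replace(",", " ").split():
            reason = classify(pattern)
            if reason != "ok":
                findings.append((line_no, pattern, reason))
    return findings

if __name__ == "__main__":
    for line_no, pattern, reason in audit_hosts_allow(SAMPLE_HOSTS_ALLOW):
        print(f"line {line_no}: {pattern!r}: {reason}")
```
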
Old 11-11-2017, 06:51 PM   #17
abga
Member
 
Registered: Jul 2017
Location: EU
Distribution: Slackware x86 & ARM
Posts: 135

Rep: Reputation: 42
@andrixnet
While a little off-topic as it's not snmpd related anymore but basic networking configuration, I guess it should work even if you leave both the /etc/hosts.allow & /etc/hosts.deny empty, like they come by default, and only define localhost in /etc/hosts (which I think also comes by default).

To make things a little simpler I'd suggest filtering your network in only one place, through the kernel netfilter (iptables), which needless to say gives you more advanced control. Although the rc.firewall comes empty and disabled by default, its call position in rc.inet2 is appropriate to cover also the inetd services. My approach with netfilter is to cut everything first and gradually enable solely the traffic I really need. On the technical part it's maybe the most difficult way, because you clearly need to know a lot about the TCP/IP protocol and the requirements of the particular services you'd like to enable/offer, but on the safety side (especially now when everyone is scanning and attacking automatically through armies of bots) and for filter system resources usage optimization (CPU cycles for matching rules) it is the best.

Here I tried to help a fellow Slacker (hope I didn't scare him) with a basic such restrictive firewall (copy paste from my advanced firewall sample):
https://www.linuxquestions.org/quest...9/#post5776603
 
Old 11-13-2017, 04:38 AM   #18
andrixnet
Member
 
Registered: Oct 2012
Posts: 100

Original Poster
Rep: Reputation: Disabled
@abga: thank you for your observations.

I have detailed my findings further (without going offtopic) on the basis that I have discovered that snmpd, though it uses tcpwrappers library, apparently does not support all configuration directives (from man 5 hosts_access).
 
  

