On Thu, 21 Feb 2002 17:05:08 +0300 Borsenkow Andrej <[EMAIL PROTECTED]> wrote:
> sshd: X.Y.Z.0/255.255.255.0 EXCEPT X.Y.Z.17/255.255.255.255: ALLOW
>
> That still allows X.Y.Z.17 even if the only remaining rule denies
> everything:
>
> ALL:ALL EXCEPT localhost:DENY
>
> -andrej

This is an old bug that has been ignored... here's the notes I keep in
my /etc/hosts.allow:

# WARNING: Never use mask=255.255.255.255!!  While this is perfectly
#          legal, tcpwrappers treats it as a bad mask.  Yet, it
#          treats the following as valid:
#             1.1.1.1/255.255.255.254 -- no host space in subnet;
#                                        impossible match
#             1.1.1.1/255.255.255.254 -- impossible match (last octet)
#          Go figure!!  Just list the address *without* a mask if you
#          want 255.255.255.255 or /32

I reported this to the author; but got blown off... he has since
GPL'ed the code...  Fixing it may break some systems; but it's plain
wrong and *should* be fixed IMNSHO...

HTH,
Pierre
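
Added example, not part of the original message or of tcp_wrappers: a small Python audit that flags the all-ones mask described above in hosts.allow-style rules and suggests the bare address instead. The sample rules use constructed 192.0.2.x addresses, and the reported effects assume, as the thread describes, that such a pattern is rejected as a bad mask.

```python
import re

# Constructed sample in hosts.allow syntax (192.0.2.0/24 is a documentation range).
SAMPLE = """\
# constructed example
sshd: 192.0.2.0/255.255.255.0 EXCEPT 192.0.2.17/255.255.255.255: ALLOW
in.ftpd: 192.0.2.9/255.255.255.255 \\
         : ALLOW
ALL: ALL EXCEPT localhost: DENY
"""

HOST_MASK = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/255\.255\.255\.255$")

def logical_lines(text):
    """Yield (first_line_no, rule); joins backslash continuations, skips comments."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        rule, buf = (buf + raw).strip(), ""
        if rule and not rule.startswith("#"):
            yield start, rule
        start = None

def audit(text):
    """Flag client patterns with an all-ones mask. Assumption from the thread:
    such a pattern is rejected as a bad mask, so it never matches, and after
    EXCEPT the exclusion is silently lost. IPv6 literals are not handled."""
    findings = []
    for no, rule in logical_lines(text):
        fields = rule.split(":")
        if len(fields) < 2:
            continue
        after_except = False
        for tok in re.split(r"[\s,]+", fields[1].strip()):
            if tok.upper() == "EXCEPT":
                after_except = True
            m = HOST_MASK.match(tok)
            if m:
                effect = "exception ignored" if after_except else "never matches"
                findings.append({"line": no, "pattern": tok,
                                 "effect": effect, "fix": m.group(1)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("line {line}: {pattern} ({effect}); write {fix} instead".format(**f))
```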
