Send inn-workers mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/inn-workers
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of inn-workers digest..."
Today's Topics:
1. Re: NNTPS pointers (Julien ÉLIE)
2. Re: NNTPS pointers (Grant Taylor)
----------------------------------------------------------------------
Message: 1
Date: Wed, 20 Oct 2021 23:23:48 +0200
From: Julien ÉLIE <[email protected]>
To: [email protected]
Subject: Re: NNTPS pointers
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8; format=flowed
Hi Grant,
> Would you please elaborate on what you mean by "stunnel with TCP
> wrappers"? As in what is TCP wrappers doing to modify stunnel? Is it
> just allowing / blocking access? If so, I'd think that a firewall could
> do the same thing.
I've not played with stunnel but as far as I understood from previous
discussions about it, when innd is accessed through stunnel, it does not
see the remote peer's IP address so cannot verify it is really a peer.
TCP wrappers will allow only the right IPs.
I guess a firewall could also do the trick. And also stunnel itself by
the way, if it has native support of TCP wrappers (when built with the
libwrap library), I've just read that in its documentation.
--
Julien ÉLIE
"Beware of bugs in the above code. I have not tested it, I have
only proved that it was correct." (Donald Knuth)
------------------------------
Message: 2
Date: Wed, 20 Oct 2021 16:40:20 -0600
From: Grant Taylor <[email protected]>
To: [email protected]
Subject: Re: NNTPS pointers
Message-ID:
<[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
On 10/20/21 3:23 PM, Julien ÉLIE wrote:
> Hi Grant,
Hi Julien,
> I've not played with stunnel but as far as I understood from previous
> discussions about it, when innd is accessed through stunnel, it does not
> see the remote peer's IP address so cannot verify it is really a peer.
I know that is the standard mode of operation. However I believe there
are some ... hacks that can be applied on Linux that get extremely
creative with the routing table and use other skulduggery to fake the IP
address that INN (et al.) sees.
I'll do some more reading and poking with sticks. I don't know that the
systems in question have the necessary support installed; kernel
requirements, policy based routing, etc.
> TCP wrappers will allow only the right IPs.
That makes sense.
> I guess a firewall could also do the trick. And also stunnel itself by
> the way, if it has native support of TCP wrappers (when built with the
> libwrap library), I've just read that in its documentation.
I believe that somewhere I recently read that TCP wrappers was being
deprecated. I have no idea where that was. Perhaps I should search for
it. -- Not that deprecation has prevented ifconfig / route / et al.
from being mainstream utilities some 20 years later. ;-)
--
Grant. . . .
unix || die
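
The setup discussed in this thread, as an added configuration example that is not from either poster or from the INN or stunnel projects: stunnel terminates NNTPS in front of innd and uses its native TCP wrappers support to restrict which peers may connect. The service name `nntps`, the certificate path and the peer address 192.0.2.10 are assumptions chosen for illustration.

```ini
; stunnel.conf: terminate NNTPS and hand plaintext NNTP to a local innd.
; Constructed example: the path, service name and addresses are assumptions.

; Global option: consult /etc/hosts.allow and /etc/hosts.deny.
; Only effective when stunnel was built with the libwrap library.
libwrap = yes

[nntps]
accept  = 563
connect = 127.0.0.1:119
cert    = /etc/stunnel/news.example.pem
; innd sees every forwarded connection as coming from 127.0.0.1, so the
; per-peer address check has to happen here, before the hand-off.

; /etc/hosts.allow  (the daemon name is the stunnel service name above)
;   nntps : 192.0.2.10
;
; /etc/hosts.deny
;   nntps : ALL
```

With these entries only the listed peer address reaches the TLS listener; every other source is refused by stunnel before innd is involved.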
------------------------------
End of inn-workers Digest, Vol 134, Issue 10
********************************************