Hey Kelly,
Do you have clx defined in your inetd.conf? When someone telnets in, then
they would have to know which port to telnet to unless you set it up
so that the normal telnet port sends them to another program. On mine, I
send the normal telnet program to the node program.
The following entries are in my inetd.conf:

    telnet   stream tcp nowait root /usr/bin/node  node
    mytelnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

These entries are in my services:

    telnet   23/tcp
    telnet   23/udp
    mytelnet 26/tcp
    mytelnet 26/udp

You must keep telnet as port 23 in the services file or you won't be able to
telnet out. You need to make another telnet called mytelnet that is used to
telnet in on. If you telnet to your box, it has to be on port 26 in this
configuration.
I use the node command as my front end because it will validate a call sign,
but won't let them do much with a fake. Also, I didn't want a bunch of one
time connections coming in and creating permanent logins on the fly.
By doing it this way, you would put something like:

    telnet: all

in your hosts.allow file. This would let them come in as telnet, but it
would redirect them to the node program.
73's
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 21, 1999 9:52 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: hosts.allow
>
>
> Hi Jim,
>
> Well, herein lies the problem. What you are suggesting would work, except
> for the fact that I *don't* know where the telnet to the gateway sessions
> will be coming from. They can come from anywhere: *.ampr.org, *.net,
> *.com, *.edu, etc.
>
> The hosts.allow file takes precedence over the hosts.deny file. By
> disallowing everything in hosts.deny, one is then able to allow small holes
> by using the hosts.allow file.
>
> For example, I do not want the entire world to have ftp, telnet, finger,
> etc access to my boxes. Hence, I deny *everyone* all access. By using the
> hosts.allow file, I can then open up very specific small holes for specific
> services/hosts.
>
> I was hoping to be able to do the same with CLX. I really don't want to
> leave all services open to the entire world just to allow a connection to
> the gateway.
>
> Does this make any sense?
>
> At 09:31 PM 6/21/99 -0400, you wrote:
> >Hey Kelly,
> >
> > Disregard my last message. I did a "man -S5 hosts_access" and it explained
> >how all this works. Your hosts.allow file should look more like the
> >following:
> >
> >ALL: .ampr.org
> >
> >This would allow all of the hosts in ampr.org domain to get in. Keep in
> >mind that the entries in this file are hosts, not groups. Also, you will
> >probably have to have a DNS to verify that the user telnetting in is in the
> >allowed domain.
> >
> >73's
> >Jim
> >
> >
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED]]On Behalf Of Kelly Jones
> >> Sent: Monday, June 21, 1999 6:23 PM
> >> To: [EMAIL PROTECTED]
> >> Subject: hosts.allow
> >>
> >>
> >> Hello everyone,
> >>
> >> I have a question regarding hosts.allow/hosts.deny when opening a "direct"
> >> telnet port to CLX.
> >>
> >> I want to put into place a set of hosts.allow/hosts.deny files to help with
> >> security. However, when I add these files into the /etc directory, I lose
> >> the ability to "telnet" to the CLX gateway port. I get a "connection
> >> refused".
> >>
> >> This is the response I would expect to get after "locking out" hosts. Is
> >> there a way to open the "hole" needed to directly telnet to a CLX node
> >> gateway with a set of hosts.allow/hosts.deny in place?
> >>
> >> I have tried adding clxd:ALL and clx:ALL in the allow file, but that does
> >> not do the trick.
> >>
> >> Just to avoid confusion, I only place known services:hosts in the allow
> >> file, while the deny file currently has ALL:ALL. I only want to open the
> >> smallest hole possible.
> >>
> >> Thanks for help,
> >> Kelly - KE9KD
> >> http://www.dx-central.com
> >>
>
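
Added example (not part of the original messages): a small Python audit of the two inetd.conf entries quoted in this thread, showing which services actually pass through tcpd and which daemon name a hosts.allow rule has to use. The hosts.allow/hosts.deny contents, host names and function names are constructed for illustration, and only ALL, exact names and leading-dot domain patterns are handled.

```python
# Added example; function names and sample policy are illustrative.
import os

# Constructed sample: the two inetd.conf entries quoted in the message.
INETD_CONF = """\
telnet   stream tcp nowait root /usr/bin/node  node
mytelnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
"""
# Constructed sample policy: deny by default, one hole for one daemon.
HOSTS_ALLOW = "in.telnetd: .ampr.org\n"
HOSTS_DENY = "ALL: ALL\n"

def parse_inetd(text):
    """Yield (service, wrapped_by_tcpd, daemon_name) per inetd.conf entry."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 7:          # blank, comment or internal service
            continue
        # tcpd looks up rules by the daemon process name (argv[0]),
        # not by the service name in the first column.
        yield fields[0], os.path.basename(fields[5]) == "tcpd", os.path.basename(fields[6])

def client_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("."):      # ".ampr.org" matches any host in that domain
        return host.endswith(pattern)
    return pattern in ("all", host)

def any_rule_matches(rules, daemon, host):
    for line in rules.splitlines():
        parts = line.split("#", 1)[0].split(":")
        if len(parts) < 2:
            continue
        daemons, clients = (p.replace(",", " ").lower().split() for p in parts[:2])
        if ("all" in daemons or daemon.lower() in daemons) and \
           any(client_matches(c, host) for c in clients):
            return True
    return False

def decide(daemon, host, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow match grants; else hosts.deny match refuses; else grant."""
    if any_rule_matches(allow, daemon, host):
        return "allow"
    return "deny" if any_rule_matches(deny, daemon, host) else "allow"

def audit(host, inetd=INETD_CONF):
    """Map each service to allow/deny, or 'unwrapped' when tcpd is not in the path."""
    return {svc: decide(daemon, host) if wrapped else "unwrapped"
            for svc, wrapped, daemon in parse_inetd(inetd)}
```

A service reported as unwrapped is started by inetd without tcpd, so hosts.allow and hosts.deny affect it only if the program itself is linked against libwrap.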