Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.mel.connect.com.au!news.mira.net.au!vic.news.telstra.net!act.news.telstra.net!psgrain!usenet.eel.ufl.edu!news.mathworks.com!nntp.primenet.com!news.cais.net!news.fc.net!not-for-mail
From: kevintx@ministry.paranoia.com (Kevin at Paranoia)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: ftpd access control by IP
Date: 13 Sep 1996 21:01:58 GMT
Organization: the Paranoid just know what's going On
Lines: 25
Message-ID: <51ci46$2c6@villa.fc.net>
References: <323836DC.794BDF32@corpex.com>
NNTP-Posting-Host: ministry.paranoia.com
X-Newsreader: TIN [UNIX 1.3 950824BETA PL0]

Neil Fowler Wright (neil@corpex.com) wrote:
: Can you get an ftpd process to control access to the machine by
: source IP number without using a firewall?

Maybe I don't get exactly what you're looking to do, but it sounds like
the job that tcp_wrappers (tcpd) was made for. Instead of running ftpd
directly in inetd.conf, you have inetd run tcpd with the real server's
location/options as the argument. tcpd can optionally allow or deny
access to the (ftp in this case) daemon based on the other end's DNS
name, IP address, an ident response identifying a particular user on
some other host, etc. as well as combinations of these methods. Rather
than just hang up on disallowed connections, you can even have it run
an alternative program in place of the real daemon based on the
incoming connection.

It's been included on every linux distribution I've seen over the last
2 years, but I don't see it offhand on a FreeBSD 2.1.0-RELEASE machine
that I use. It's on (particularly security-oriented) FTP archives near
you or ftp.win.tue.nl:/pub/security is the author's site.

take care,
kevin

--
kevintx@ministry.paranoia.com (personal priority mail address)
<a href="http://www.paranoia.com/"> got nothing better to do? </a>
"The Internet interprets the US Congress as damage and routes around it"
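
The setup described in this post, as an added example that is not part of the original message: an inetd.conf entry wrapped with tcpd, plus access rules covering IP address, DNS name and ident user. The tcpd install path, the addresses, the host names and the user name are assumptions, and the `twist` option only works when tcp_wrappers is built with its extended options language (-DPROCESS_OPTIONS).

```conf
# ---- /etc/inetd.conf ----------------------------------------------
# Before: inetd starts the FTP daemon directly, so every source
# address reaches ftpd.
#ftp  stream  tcp  nowait  root  /usr/libexec/ftpd  ftpd -l

# After: inetd starts tcpd, and the real server's absolute path and
# options become tcpd's arguments. tcpd checks the access files and
# only then executes the real daemon.
# (/usr/local/libexec/tcpd is an assumed install location.)
ftp   stream  tcp  nowait  root  /usr/local/libexec/tcpd  /usr/libexec/ftpd -l

# ---- /etc/hosts.allow ---------------------------------------------
# Consulted first; the first matching rule grants access.
# The daemon name is the basename of the wrapped program (ftpd).
# Client patterns below are constructed samples:
#   192.0.2.                     any address beginning 192.0.2.
#   .example.org                 any host whose DNS name ends in .example.org
#   operator@admin.example.org   one user on one host, per its ident reply
ftpd: 192.0.2. .example.org operator@admin.example.org

# ---- /etc/hosts.deny ----------------------------------------------
# Consulted only when nothing in hosts.allow matched.
# Instead of just closing the connection, run an alternative program
# in place of ftpd; its output goes to the client.
ftpd: ALL: twist /bin/echo 421 Service not available
```

inetd has to re-read its configuration (SIGHUP) before the wrapped entry takes effect. The `tcpdmatch` utility shipped with tcp_wrappers reports how a given daemon and client pair would be handled, for example `tcpdmatch ftpd 192.0.2.10`.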