access control problem (was Re: conserver-8.0.5 is available)
On Fri, Oct 31, 2003 at 06:14:01PM -0500, Michael Dolan wrote:
> Recently upgraded to 8.0.4 (and now 8.0.5) from 7.2.7 and cannot get
> acls for host access control to work properly. Configured with
> --with-trustrevdns and specifying the domain names in conserver.cf,
> but only get error (and refused connections). FQDN and IPaddrs work
> fine. The conserver host can reverse lookup the FQDN properly.

well, sounds like you're doing the right thing. --with-trustrevdns
is necessary for it to work at all. if you run in debug mode and grep
out all the messages with AccType, we'd be able to see what it's doing
and why it isn't allowing the connection (a bit better).

i do realize there's a problem with the logic used, and maybe that's the
issue. if you have a 'rejected' acl that happens to match after the
domain acl, the reject acl will be processed before the domain acl and
you'd get rejected. things need to be adjusted so that all acls are
processed in order - i goofed and didn't realize the impact when
removing the reverse dns trust bits and then adding them back.

but, the debug info would tell us what's going on.

but
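The ordering problem described in the message above, as an added example that is not conserver's own code (access.c is not reproduced here). It evaluates a conserver-style access list for a connecting IPv4 client two ways: strictly in order, and in the two-pass form the message describes, where address and exact-host entries are decided before domain entries so a later 'rejected' entry wins over an earlier 'allowed' domain entry. The function names (ptr_lookup, fcrdns_name, acl_ordered, acl_two_pass), the PTR and A record tables and the access list are all constructed for the example; the forward-confirmed reverse DNS check is an added hardening step the thread does not discuss, since an attacker who controls the in-addr.arpa zone for their own address range can publish any PTR name they like.

```c
/* Added example, not conserver's own code: a conserver-style "access"
 * list evaluated in-order versus two-pass, plus a forward-confirmed
 * reverse DNS check.  DNS is a constructed table standing in for
 * gethostbyaddr()/gethostbyname(), so this runs offline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef struct { const char *who; char trust; } AclEntry; /* 'a' allow, 'r' reject */

/* Constructed PTR and A records.  172.16.72.99's PTR claims to be
 * host.mydomain.com but no A record for that name points back at it. */
static const struct { const char *ip, *name; } kPtr[] = {
    {"172.16.72.207", "host.mydomain.com"}, {"172.16.72.99", "host.mydomain.com"} };
static const struct { const char *name, *ip; } kA[] = { {"host.mydomain.com", "172.16.72.207"} };

/* Reverse lookup only: what a trust-reverse-dns build believes. */
const char *ptr_lookup(const char *ip)
{
    for (size_t i = 0; i < sizeof kPtr / sizeof kPtr[0]; i++)
        if (strcmp(kPtr[i].ip, ip) == 0) return kPtr[i].name;
    return NULL;
}

/* Forward-confirmed reverse DNS: keep the PTR name only if an A record for it is the client. */
const char *fcrdns_name(const char *ip)
{
    const char *name = ptr_lookup(ip);
    for (size_t i = 0; name && i < sizeof kA / sizeof kA[0]; i++)
        if (strcasecmp(kA[i].name, name) == 0 && strcmp(kA[i].ip, ip) == 0) return name;
    return NULL;
}

/* Parse "a.b.c.d" or "a.b.c.d/bits"; returns 0 if s is not an address. */
static int parse_cidr(const char *s, uint32_t *addr, uint32_t *mask)
{
    unsigned o[4], bits = 32;
    int n = sscanf(s, "%u.%u.%u.%u/%u", &o[0], &o[1], &o[2], &o[3], &bits);
    if ((n != 4 && n != 5) || bits > 32) return 0;
    for (int i = 0; i < 4; i++) if (o[i] > 255) return 0;
    *addr = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
    *mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    return 1;
}

/* "host.mydomain.com" is in "mydomain.com"; "notmydomain.com" is not. */
static int in_domain(const char *name, const char *dom)
{
    size_t nl = strlen(name), dl = strlen(dom);
    return nl > dl && name[nl - dl - 1] == '.' && strcasecmp(name + nl - dl, dom) == 0;
}

/* Does e match client ip (reverse name `name`, may be NULL)?  *is_domain set for suffix rules. */
static int entry_matches(const AclEntry *e, const char *ip, const char *name, int *is_domain)
{
    uint32_t a, m, h, hm;
    *is_domain = 0;
    if (parse_cidr(e->who, &a, &m)) return parse_cidr(ip, &h, &hm) && (h & m) == (a & m);
    if (name == NULL) return 0;                 /* no reverse name: only addresses can match */
    if (strcasecmp(e->who, name) == 0) return 1; /* exact FQDN */
    *is_domain = 1;
    return in_domain(name, e->who);
}

/* In-order evaluation: the first matching entry decides. */
char acl_ordered(const AclEntry *acl, size_t n, const char *ip, const char *name, char dflt)
{
    int d;
    for (size_t i = 0; i < n; i++)
        if (entry_matches(&acl[i], ip, name, &d)) return acl[i].trust;
    return dflt;
}

/* Two-pass evaluation, modelling the ordering problem described above: address
 * and exact-host entries are decided first, domain entries only afterwards. */
char acl_two_pass(const AclEntry *acl, size_t n, const char *ip, const char *name, char dflt)
{
    int d;
    for (size_t i = 0; i < n; i++)
        if (entry_matches(&acl[i], ip, name, &d) && !d) return acl[i].trust;
    for (size_t i = 0; i < n; i++)
        if (entry_matches(&acl[i], ip, name, &d) && d) return acl[i].trust;
    return dflt;
}

/* Constructed access list: the domain rule precedes a network reject. */
const AclEntry kAcl[] = { {"127.0.0.1", 'a'}, {"mydomain.com", 'a'}, {"172.16.72.0/24", 'r'} };
const size_t kAclLen = sizeof kAcl / sizeof kAcl[0];

int main(void)
{
    const char *ips[] = { "172.16.72.207", "172.16.72.99", "10.0.0.5" };
    for (size_t i = 0; i < 3; i++)
        printf("%-14s ordered=%c two-pass=%c ordered+fcrdns=%c\n", ips[i],
               acl_ordered(kAcl, kAclLen, ips[i], ptr_lookup(ips[i]), 'r'),
               acl_two_pass(kAcl, kAclLen, ips[i], ptr_lookup(ips[i]), 'r'),
               acl_ordered(kAcl, kAclLen, ips[i], fcrdns_name(ips[i]), 'r'));
    return 0;
}
```

Running it prints one line per client. 172.16.72.207 is allowed by in-order evaluation (the mydomain.com entry matches its reverse name first) but rejected by the two-pass form, because the later 172.16.72.0/24 reject is processed before the domain entry. 172.16.72.99, whose PTR is spoofed, is also allowed by the PTR-only in-order check and is only rejected once the name has to be forward-confirmed. In this model a bare domain entry is never resolved forward; it is matched purely as a suffix of the client's reverse name.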
Re: access control problem
Bryan,

A reverse lookup on the connecting IP shows the FQDN as host.mydomain.com.

Here's the debug output (grep'd for AccType)...

[Mon Nov 3 17:09:04 2003] conserver (15751): DEBUG: [access.c:147] AccType(): ip=172.16.72.207
[Mon Nov 3 17:09:04 2003] conserver (15751): DEBUG: [access.c:152] AccType(): who=127.0.0.1, trust=a
[Mon Nov 3 17:09:04 2003] conserver (15751): DEBUG: [access.c:152] AccType(): who=mydomain.com, trust=a
[Mon Nov 3 17:09:05 2003] conserver (15751): ERROR: AccType(): gethostbyname(mydomain.com): host lookup error
[Mon Nov 3 17:09:05 2003] conserver (15751): DEBUG: [access.c:152] AccType(): who=newdomain.com, trust=a
[Mon Nov 3 17:09:05 2003] conserver (15751): ERROR: AccType(): gethostbyname(newdomain.com): host lookup error

For grins, here's the access entry...

access * {
allowed 127.0.0.1 ;
allowed mydomain.com ;
allowed newdomain.com ;
}

Using shortname, fqdn, ipaddress/mask, and exact ip all work. I've also
tried the entries all behind one 'allowed'.

-dolan


On Sat, 1 Nov 2003, Bryan Stansell wrote:

> Date: Sat, 1 Nov 2003 05:38:17 -0800
> From: Bryan Stansell <bryan@conserver.com>
> To: users@conserver.com
> Subject: access control problem (was Re: conserver-8.0.5 is available)

Re: access control problem
On Mon, Nov 03, 2003 at 06:22:57PM -0500, Michael Dolan wrote:
> Using shortname, fqdn, ipaddress/mask, and exact ip all work. I've
> also tried the entries all behind one 'allowed'.

well, i don't see any messages coming from the debug line that's inside
the '#if TRUST_REVERSE_DNS' section. you might want to try and do a
'make clean' and then another 'make', in case something didn't get
re-compiled (access.c, really). what i'm looking for is a debug line
from AccType() mentioning 'name='.

another thing we can try is adding this:

CONDDEBUG((1, "AccType(): TRD w=%s, t=%c", pACtmp->pcwho, pACtmp->ctrust));

between lines 218 and 219 of access.c (just after the for loop on 218).
that will make sure we get a debug statement from that set of code no
matter what (assuming it gets compiled in and the access list isn't
NULL). if you don't see that or a gethostbyaddr() error, the code isn't
getting compiled in.

heck, to really make sure it's getting compiled in, add

CONDDEBUG((1, "AccType(): WE TRUST REVERSE DNS"));

just after the comments at line 210 of access.c. then compile that
sucker, run it, and grep out AccType() debug messages.

i think i'll add a 'trustrevdns' message in the 'options:' list of the
-V output too...just because.

anyway, let me know how it goes and what you see. this really should be
working with the access list you have.

Bryan
Re: access control problem
> anyway, let me know how it goes and what you see. this really should be
> working with the access list you have.

Yeah, that is what I thought too ;)

I've added the debug lines, made clean, made and tested...

./conserver -V

cons-server:/local/tools/conserver% ./sbin/conserver -V
conserver: conserver.com version 8.0.5
conserver: default access type `r'
conserver: default escape sequence `^Ec'
conserver: default configuration in `/local/tools/conserver/etc/conserver.cf'
conserver: default password in `/local/tools/conserver/etc/conserver.passwd'
conserver: default logfile is `/var/log/conserver'
conserver: default pidfile is `/var/run/conserver.pid'
conserver: default limit is 16 members per group
conserver: default primary port referenced as `782'
conserver: default secondary base port referenced as `0'
conserver: options: openssl
conserver: openssl version: OpenSSL 0.9.7c 30 Sep 2003
conserver: built with `./configure --prefix=/local/tools/conserver --with-regex --with-port=782 --with-openssl=/export/software/conserver/openssl --with-master=console --with-trustrevdns'

And the results performing the same test as before:

conserver started as "conserver -dvD"

[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:147] AccType(): ip=172.16.72.207
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:152] AccType(): who=127.0.0.1, trust=a
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [util.c:324] AllocString(): 0x136620 created string #25
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:121] AddrCmp(): host=95b348cf(95b348cf/ffffffff) acl=7f000001(7f000001/ffffffff)
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:152] AccType(): who=mydomain.com, trust=a
[Tue Nov 4 09:38:10 2003] conserver (29275): ERROR: AccType(): gethostbyname(mydomain.com): host lookup error
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:152] AccType(): who=newdomain.com, trust=a
[Tue Nov 4 09:38:10 2003] conserver (29275): ERROR: AccType(): gethostbyname(newdomain.com): host lookup error
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:152] AccType(): who=other.newdomain.com, trust=a
[Tue Nov 4 09:38:10 2003] conserver (29275): ERROR: AccType(): gethostbyname(other.newdomain.com): host lookup error
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:211] AccType(): WE TRUST REVERSE DNS
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:220] AccType(): TRD w=127.0.0.1, t=a
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:220] AccType(): TRD w=mydomain.com, t=a
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:220] AccType(): TRD w=newdomain.com, t=a
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [access.c:220] AccType(): TRD w=other.newdomain.com, t=a
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [util.c:324] AllocString(): 0x136640 created string #26
[Tue Nov 4 09:38:10 2003] conserver (29275): DEBUG: [util.c:298] DestroyString(): 0x129798 string destroyed (count==25)