Debian Bug report logs - #324788
tcpd: No way to block depending on socket options

Package: tcpd; Maintainer for tcpd is Marco d'Itri <md@linux.it>; Source for tcpd is src:tcp-wrappers (PTS, buildd, popcon).

Reported by: Teddy Hogeborn <teddy@recompile.se>

Date: Wed, 24 Aug 2005 00:18:02 UTC

Severity: wishlist

Found in version tcpd/7.6.dbs-8

Done: Marco d'Itri <md@linux.it>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#324788; Package tcpd. (full text, mbox, link).


Acknowledgement sent to Teddy Hogeborn <teddy@fukt.bth.se>:
New Bug report received and forwarded. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Teddy Hogeborn <teddy@fukt.bth.se>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tcpd: No way to block depending on socket options
Date: Wed, 24 Aug 2005 02:06:06 +0200
Package: tcpd
Version: 7.6.dbs-8
Severity: wishlist

I use IPsec. I would like to block connections to a service if the
client is not using IPsec (similar to only allowing IMAPS and not
IMAP).  IPsec use can be detected by a socket option
(IP_IPSEC_POLICY).  It would therefore be useful to me to be able to
specify required socket options on a socket and not only client
addresses.

The shell command options ("spawn" and "twist") are not adequate
because they run with /dev/null as stdin and stdout/stderr and have
no way to access the socket.  There is also no way to predicate the
access on the result of such an external command.

I could, I suppose, use the "twist" option to run my own checker which
then runs the service (if allowed), but then there would be no need to
actually use the wrapper and I could just call the checker from inetd
directly.  And I feel that tcpd is the proper place for this kind of
functionality.

Or maybe this is what the IPsec SPD is for, but I never found any
sensible documentation for that stuff.

/Teddy

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages tcpd depends on:
ii  debconf [debconf-2.0]       1.4.30.13    Debian configuration management sy
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libwrap0                    7.6.dbs-8    Wietse Venema's TCP wrappers libra

-- debconf information:
  tcpd/paranoid-mode: false
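
Added example, not part of the bug report and not tcpd or libwrap code: the stand-alone checker described in the message above, started by inetd with the connection on stdin, which runs the real service only when a required socket option is set. It assumes an integer-valued option that getsockopt() can read; the report does not show how IP_IPSEC_POLICY would be read, and the LEVEL/OPTNAME arguments and function names here are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read an integer-valued socket option from fd.
 * Returns 1 if the option is set (non-zero), 0 if it is clear,
 * and -1 on any error (fd is not a socket, option unknown, ...). */
int socket_option_state(int fd, int level, int optname)
{
    int value = 0;
    socklen_t len = sizeof value;

    if (getsockopt(fd, level, optname, &value, &len) != 0)
        return -1;
    return value != 0;
}

/* Fail closed: only a positively confirmed option permits the connection.
 * An error is treated the same as "option not set". */
int connection_allowed(int fd, int level, int optname)
{
    return socket_option_state(fd, level, optname) == 1;
}

/* Hypothetical invocation from inetd (stdin is the accepted socket):
 *   checker LEVEL OPTNAME /path/to/service [args...]
 * LEVEL and OPTNAME are the numeric getsockopt() level and option. */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s LEVEL OPTNAME SERVICE [ARGS...]\n", argv[0]);
        return 2;
    }
    if (!connection_allowed(STDIN_FILENO, atoi(argv[1]), atoi(argv[2])))
        return 1;                 /* exiting closes the client's socket */

    execv(argv[3], &argv[3]);     /* service inherits the socket on fd 0 */
    perror("execv");
    return 127;
}
```

Because the decision is made before execv(), the service never sees a connection that fails the check, which is the predicate the report says "spawn" and "twist" cannot express.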



Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#324788; Package tcpd. (full text, mbox, link).


Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #10 received at 324788@bugs.debian.org (full text, mbox, reply):

From: md@Linux.IT (Marco d'Itri)
To: Teddy Hogeborn <teddy@fukt.bth.se>, 324788@bugs.debian.org
Subject: Re: Bug#324788: tcpd: No way to block depending on socket options
Date: Wed, 24 Aug 2005 02:22:44 +0200
On Aug 24, Teddy Hogeborn <teddy@fukt.bth.se> wrote:

> I use IPsec. I would like to block connections to a service if the
> client is not using IPsec (similar to only allowing IMAPS and not
Send a patch, and test it well.

-- 
ciao,
Marco

Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#324788; Package tcpd. (full text, mbox, link).


Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #15 received at 324788@bugs.debian.org (full text, mbox, reply):

From: md@Linux.IT (Marco d'Itri)
To: Teddy Hogeborn <teddy@fukt.bth.se>, 324788@bugs.debian.org
Subject: Re: Bug#324788: tcpd: No way to block depending on socket options
Date: Thu, 17 Aug 2006 20:56:01 +0200
On Aug 24, Marco d'Itri <md@Linux.IT> wrote:

> > I use IPsec. I would like to block connections to a service if the
> > client is not using IPsec (similar to only allowing IMAPS and not
> Send a patch, and test it well.
Do you have any plan to work on this?

-- 
ciao,
Marco

Bug closed, send any further explanations to Teddy Hogeborn <teddy@fukt.bth.se> Request was from Marco d'Itri <md@linux.it> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#324788; Package tcpd. (full text, mbox, link).


Acknowledgement sent to Teddy Hogeborn <teddy@fukt.bsnet.se>:
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #22 received at 324788@bugs.debian.org (full text, mbox, reply):

From: Teddy Hogeborn <teddy@fukt.bsnet.se>
To: Marco d'Itri <md@Linux.IT>
Cc: 324788@bugs.debian.org
Subject: Re: Bug#324788: tcpd: No way to block depending on socket options
Date: Sun, 27 Aug 2006 02:11:06 +0200
> > > I use IPsec. I would like to block connections to a service if
> > > the client is not using IPsec (similar to only allowing IMAPS

md@Linux.IT (Marco d'Itri) writes:

> > Send a patch, and test it well.
> Do you have any plan to work on this?

No.  Should I have?  I am not a programmer.  I am reporting a
potentially useful missing feature, not volunteering to implement it.
This is what "wishlist" bugs are for, are they not?

Why are you closing the bug report?  Have you forwarded this issue
upstream?  Has upstream decided that the feature is a bad idea?

(Sorry for not replying, my email domain has changed.)

/Teddy



Information forwarded to debian-bugs-dist@lists.debian.org, Anthony Towns <ajt@debian.org>:
Bug#324788; Package tcpd. (full text, mbox, link).


Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Anthony Towns <ajt@debian.org>. (full text, mbox, link).


Message #27 received at 324788@bugs.debian.org (full text, mbox, reply):

From: md@Linux.IT (Marco d'Itri)
To: Teddy Hogeborn <teddy@fukt.bsnet.se>
Cc: 324788@bugs.debian.org
Subject: Re: Bug#324788: tcpd: No way to block depending on socket options
Date: Sun, 27 Aug 2006 10:33:14 +0200
On Aug 27, Teddy Hogeborn <teddy@fukt.bsnet.se> wrote:

> No.  Should I have?  I am not a programmer.  I am reporting a
> potentially useful missing feature, not volunteering to implement it.
> This is what "wishlist" bugs are for, are they not?

> Why are you closing the bug report?  Have you forwarded this issue
Because you are not going to implement it, I am not going to implement
it and apparently nobody else is.
So there is no reason for keeping around the bug for a feature request
which is not going to be implemented.

> upstream?  Has upstream decided that the feature is a bad idea?
The upstream maintainer has not added new features in many many years.

-- 
ciao,
Marco

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Jun 2007 01:26:06 GMT) (full text, mbox, link).


Bug unarchived. Request was from Teddy Hogeborn <teddy@fukt.bsnet.se> to control@bugs.debian.org. (Sat, 29 Nov 2008 21:33:27 GMT) (full text, mbox, link).


Changed Bug submitter from Teddy Hogeborn <teddy@fukt.bth.se> to Teddy Hogeborn <teddy@fukt.bsnet.se>. Request was from Teddy Hogeborn <teddy@fukt.bsnet.se> to control@bugs.debian.org. (Sat, 29 Nov 2008 21:33:30 GMT) (full text, mbox, link).


Bug archived. Request was from Teddy Hogeborn <teddy@fukt.bsnet.se> to control@bugs.debian.org. (Sat, 29 Nov 2008 21:33:34 GMT) (full text, mbox, link).


Bug unarchived. Request was from Teddy Hogeborn <teddy@recompile.se> to control@bugs.debian.org. (Mon, 10 Oct 2011 08:04:44 GMT) (full text, mbox, link).


Changed Bug submitter to 'Teddy Hogeborn <teddy@recompile.se>' from 'Teddy Hogeborn <teddy@fukt.bsnet.se>' Request was from Teddy Hogeborn <teddy@recompile.se> to control@bugs.debian.org. (Mon, 10 Oct 2011 08:04:46 GMT) (full text, mbox, link).


Bug archived. Request was from Teddy Hogeborn <teddy@recompile.se> to control@bugs.debian.org. (Mon, 10 Oct 2011 08:04:46 GMT) (full text, mbox, link).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 13:13:47 2023; Machine Name: buxtehude
