[CentOS] Re: What libs req'd to resolve DNS within a chroot jail?
William L. Maltby
CentOS4Bill at triad.rr.com
Mon Jan 14 18:53:33 UTC 2008
On Mon, 2008-01-14 at 12:54 -0500, Eric B. wrote:
> > >
> > > I've been working at getting a tftp server up and running in a
> > > chroot jail, and I have finally succeeded in getting almost everything
> > > working.<snip>
> > i.e., putting an fqdn in the hosts.allow file only gives security by
> > obscurity. if someone figures out the fqdns that you're giving access
> > to, and has control of the in-addr.arpa for an ipnumber range they
> > can connect from, they can gain access to your system.
> >
> > - Rick
>
> Thanks for the feedback, Rick. I didn't realize that security implication.
> However, I'm already running this on a machine that is heavily firewalled on
> a VPN, so I am fairly sure that no one will be accessing this externally, but
> I still would like to restrict access to particular machines. Ideally, I
> would rather use FQDNs to make life easier for me to administer. I have
> created my additional reverse-DNS pointer but I am still having problems
> with it.
>
> nslookup from the server gives me:
> # nslookup 192.168.3.103
> Server: 192.168.1.67
> Address: 192.168.1.67#53
>
> 103.3.168.192.in-addr.arpa name = eric.test.com.3.168.192.in-addr.arpa.
>
> However, when I try to connect to the tftp server, my connection is still
> refused, and I get the following in the log msgs:
>
> Jan 14 12:49:19 apollo atftpd[15302]: Connection refused from
> 192.168.103.103
>
> I am obviously doing something still incorrect, but not sure what.
>
> Can you help point me in the right direction please? Is my reverse DNS
> incorrectly set up?
Have you checked the firewall settings on the target machine? IIRC, long
ago when I was doing some sharing, I tested whether it was the firewall by
disabling the firewall on the target (inside a private net, no/low risk)
temporarily, and it worked. That clued me in to get my iptables adjusted to
allow my local net denizens to have access to a small set of services.
>
> Thanks,
>
> Eric
> <snip sig stuff>
HTH
--
Bill
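The reverse lookup quoted above returns eric.test.com with the zone origin glued onto the end, which is what a BIND-style reverse zone produces when the PTR target is written without its trailing dot. The fragment below is a constructed example added here, not a file from the thread; the zone name, nameserver and serial are assumptions.

```zone
; Constructed example: reverse zone for 192.168.3.0/24 (not Eric's real file)
$ORIGIN 3.168.192.in-addr.arpa.
$TTL    86400
@       IN  SOA ns1.test.com. hostmaster.test.com. (
                2008011401  ; serial (assumed)
                3600        ; refresh
                900         ; retry
                604800      ; expire
                86400 )     ; minimum
        IN  NS  ns1.test.com.

; Wrong: no trailing dot, so $ORIGIN is appended and a lookup of 192.168.3.103
; answers "eric.test.com.3.168.192.in-addr.arpa." as in the nslookup output above
103     IN  PTR eric.test.com

; Right: fully qualified target, terminated with a dot, answers "eric.test.com."
103     IN  PTR eric.test.com.
```

tcp_wrappers (which reads hosts.allow) also checks that the name returned by the reverse lookup resolves forward to the client's address, so eric.test.com needs a matching A record for 192.168.3.103 before an FQDN rule will match.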