[CentOS] Re: What libs req'd to resolve DNS within a chroot jail?

Mon Jan 14 18:53:33 UTC 2008
William L. Maltby <CentOS4Bill at triad.rr.com>

On Mon, 2008-01-14 at 12:54 -0500, Eric B. wrote:
> > >
> > > I've been working at getting a tftp server up and running in a
> > > chroot jail, and I have finally succeeded in getting almost everything
> > > working.<snip>

> > i.e., putting an fqdn in the hosts.allow file only gives security by
> > obscurity. if someone figures out the fqdns that you're giving access
> > to, and has control of the in-addr.arpa for an ipnumber range they
> > can connect from, they can gain access to your system.
> >
> > - Rick
> 
> 
> 
> Thanks for the feedback Rick.  I didn't realize that security implication. 
> However I'm already running this on a machine that is heavily firewalled on 
> a VPN so I am fairly sure that no one will be accessing this externally, but 
> I still would like to restrict access to particular machines.  Ideally, I 
> would rather use FQDN to make life easier for me to administer.  I have 
> created my additional reverse-dns pointer but I am still having problems 
> with it.
> 
> nslookup from the server gives me:
> # nslookup 192.168.3.103
> Server:         192.168.1.67
> Address:        192.168.1.67#53
> 
> 103.3.168.192.in-addr.arpa    name = eric.test.com.3.168.192.in-addr.arpa.
> 
> 
> However, when I try to connect to the tftp server, my connection is still 
> refused, and I get the following in the log msgs:
> 
> Jan 14 12:49:19 apollo atftpd[15302]: Connection refused from 
> 192.168.103.103
> 
> 
> I am obviously doing something still incorrect, but not sure what.
> 
> Can you help point me in the right direction please?  Is my reverse DNS 
> incorrectly set up?

Have you checked the firewall settings on the target machine? IIRC, long
ago when I was doing some sharing, I tested if it was firewall by
disabling firewall on the target (inside a private net, no/low risk)
temporarily and it worked. That clued me to get my iptables adjusted to
allow my local net denizens to have access to a small set of services.

> 
> Thanks,
> 
> Eric
> <snip sig stuff>

HTH
-- 
Bill
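Added example, not part of the thread above: a small checker that treats a PTR answer the way a name-based hosts.allow rule should, i.e. with forward-confirmed reverse DNS in the spirit of the tcp_wrappers PARANOID logic, which is what defeats the attacker-controlled in-addr.arpa problem Rick describes. It also recognises the symptom in the quoted nslookup output, where the reverse zone origin has been appended to the name (the classic result of a PTR value written without a trailing dot in the zone file). The forward table and the /24 reverse-zone assumption are constructed for the example; a real deployment would wrap an A-record query.

```python
import ipaddress
from typing import Callable, Dict, List


def reverse_name(ip: str) -> str:
    """Name a PTR query for `ip` asks for, e.g. 103.3.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_ptr(ip: str, ptr_answer: str,
              forward_lookup: Callable[[str], List[str]]) -> Dict[str, str]:
    """Classify a PTR answer before trusting it in a hosts.allow rule.

    forward_lookup is injected (a dict lookup below) so this runs offline.
    Verdicts: 'origin-appended', 'no-forward', 'mismatch', or 'ok'.
    Assumes a classic /24 in-addr.arpa delegation for the zone suffix.
    """
    arpa = reverse_name(ip)
    zone = arpa.split(".", 1)[1]  # e.g. "3.168.192.in-addr.arpa."
    # A PTR value without a trailing dot gets the zone origin appended by
    # the nameserver: "eric.test.com" -> "eric.test.com.3.168.192.in-addr.arpa."
    if ptr_answer.endswith("." + zone):
        intended = ptr_answer[:-len(zone)]
        return {"verdict": "origin-appended",
                "detail": f"PTR likely meant {intended!r}; add the trailing "
                          "dot in the zone file"}
    name = ptr_answer.rstrip(".")
    addrs = forward_lookup(name)
    if not addrs:
        return {"verdict": "no-forward", "detail": f"{name} has no A record"}
    if ip not in addrs:
        # The reverse name is not backed by the forward zone: this is the
        # case where someone controlling in-addr.arpa for their own range
        # claims a trusted name. A name-based rule must not match here.
        return {"verdict": "mismatch",
                "detail": f"{name} resolves to {addrs}, not {ip}"}
    return {"verdict": "ok", "detail": name}


# Constructed forward zone standing in for real A-record lookups.
FORWARD: Dict[str, List[str]] = {"eric.test.com": ["192.168.3.103"]}


def table_lookup(name: str) -> List[str]:
    return FORWARD.get(name, [])


if __name__ == "__main__":
    for ip, ptr in [("192.168.3.103", "eric.test.com.3.168.192.in-addr.arpa."),
                    ("192.168.3.103", "eric.test.com."),
                    ("10.9.8.7", "eric.test.com.")]:
        print(ip, ptr, check_ptr(ip, ptr, table_lookup))
```

Only the 'ok' verdict should let a hosts.allow entry such as "in.tftpd: eric.test.com" match; the other three are the cases a name-based rule silently gets wrong.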