Operating System - HP-UX

TCPWrapper hosts.allow file - correct syntax for IP Range

ConnieK
Regular Advisor

This is probably an easy question for all you experts! I have searched and cannot find an exact answer to this.

I need to add a range of IP's to my hosts.allow file and I need the correct syntax. What I have now is (example only) 194.2.55.:80-105

Should it be 194.2.55.80-105: ?

Thanks in advance!


Independent by nature
Patrick Wallek
Honored Contributor

Re: TCPWrapper hosts.allow file - correct syntax for IP Range

I have just been experimenting with IP ranges and I have not been able to get it to work. The only thing I have gotten to work is:

sshd: 1.2.3.4,1.2.3.5,1.2.3.6

I tried:

sshd: 1.2.3.4-6

sshd: 1.2.3.4,5,6

sshd: 1.2.3.[4-6]

And none of them worked. Only fully stating all addresses and separating with commas worked for me.

Not what you wanted to hear, I'm sure.
ConnieK
Regular Advisor

Re: TCPWrapper hosts.allow file - correct syntax for IP Range

Patrick,

True, true - not what I wanted to hear. 8-(

Nuts! I didn't really want to enter 35 separate addresses.
Independent by nature
A. Clay Stephenson
Acclaimed Contributor

Re: TCPWrapper hosts.allow file - correct syntax for IP Range

No real admin would enter 35 addresses; that's what a few lines of shell scripting are for. What you may be able to do, depending upon your exact range of addresses (rather than your example range), is specify a net/mask pair. Man 5 hosts_access for details.
If it ain't broke, I can fix that.
ConnieK
Regular Advisor

Re: TCPWrapper hosts.allow file - correct syntax for IP Range

Clay -

Tried - see?

# man 5 hosts_access
No entry for hosts_access in section 5 of the manual.

Guess I'm not a "TRUE" admin.
Independent by nature
A. Clay Stephenson
Acclaimed Contributor
Solution

Re: TCPWrapper hosts.allow file - correct syntax for IP Range

I suspect that you did not install the man pages when you installed tcp_wrapper or that the man pages are not in your MANPATH.

Here is an excerpt of the relevant section:


PATTERNS
The access control language implements the following patterns:

+ A string that begins with a `.' character. A host name is matched
if the last components of its name match the specified pattern.
For example, the pattern `.tue.nl' matches the host name
`wzv.win.tue.nl'.

+ A string that ends with a `.' character. A host address is
matched if its first numeric fields match the given string. For
example, the pattern `131.155.' matches the address of (almost)
every host on the Eindhoven University network (131.155.x.x).

+ A string that begins with an `@' character is treated as an NIS
(formerly YP) netgroup name. A host name is matched if it is a
host member of the specified netgroup. Netgroup matches are not
supported for daemon process names or for client user names.

+ An expression of the form `n.n.n.n/m.m.m.m' is interpreted as a
`net/mask' pair. A host address is matched if `net' is equal to
the bitwise AND of the address and the `mask'. For example, the
net/mask pattern `131.155.72.0/255.255.254.0' matches every
address in the range `131.155.72.0' through `131.155.73.255'.

----------------------------------------

Here is how I would generate your range of addresses:

#!/usr/bin/sh

# Generate one hosts.allow line that lists every address in a contiguous
# range (here 194.2.55.85 through 194.2.55.105) for the given daemon.
typeset -i10 A=85          # first host number of the range
typeset -i10 STOP=105      # last host number of the range
BASEIP="194.2.55."
COMMAND="sshd"
# "\c" suppresses the newline in the HP-UX sh echo, so the addresses
# accumulate on a single line, separated by commas.
echo "${COMMAND}: ${BASEIP}${A}\c"
((A += 1))
while [[ ${A} -le ${STOP} ]]
do
    echo ",${BASEIP}${A}\c"
    ((A += 1))
done
echo                       # terminate the line

If it ain't broke, I can fix that.
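Clay's man page excerpt gives the rule; the following is an added example (my code, not from the thread or from the tcp_wrappers sources) that applies the bitwise-AND rule literally and shows why a range such as 194.2.55.80 through 194.2.55.105 cannot be written as a single net/mask pattern: a mask can only express a block whose size is a power of two and whose first address is aligned to that size, so the 26-address range needs three pairs. The function names (ip2int, netmask_match, netmask_is_wellformed, range_to_netmasks, hosts_allow_line) and the sshd daemon name are my own choices, and the script assumes a POSIX sh whose $(( )) arithmetic is at least 64 bits wide.

```shell
#!/bin/sh
# Added example: working with hosts_access(5) net/mask client patterns.
# Assumes a POSIX sh with 64-bit $(( )) arithmetic (bash, dash, ksh93).

# Dotted quad -> integer, and back.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Does ADDR match the pattern NET/MASK exactly as hosts_access(5) defines it:
# a match iff (addr AND mask) == net.  Returns 0 on match, 1 otherwise.
netmask_match() {
    _a=$(ip2int "$1"); _n=$(ip2int "$2"); _m=$(ip2int "$3")
    [ $(( _a & _m )) -eq "$_n" ]
}

# A pattern whose NET has bits set outside MASK can never match anything,
# because (addr AND mask) always clears those bits.  tcp_wrappers does not
# complain about such a line; it is simply dead.  Returns 0 if usable.
netmask_is_wellformed() {
    _n=$(ip2int "$1"); _m=$(ip2int "$2")
    [ $(( _n & _m )) -eq "$_n" ]
}

# Split the inclusive range FIRST..LAST into the fewest net/mask pairs that
# cover it exactly.  Each block must be aligned to its own size, which is
# the only shape a mask can express.  Prints the pairs comma-separated,
# ready to paste into a hosts.allow client list.
range_to_netmasks() {
    _cur=$(ip2int "$1"); _end=$(ip2int "$2"); _out=""
    while [ "$_cur" -le "$_end" ]; do
        _size=1
        # grow the block while it stays aligned and inside the range
        while [ $(( _cur % (_size * 2) )) -eq 0 ] && [ $(( _cur + _size * 2 - 1 )) -le "$_end" ]; do
            _size=$(( _size * 2 ))
        done
        _mask=$(( 0xFFFFFFFF ^ (_size - 1) ))
        _out="${_out:+$_out,}$(int2ip "$_cur")/$(int2ip "$_mask")"
        _cur=$(( _cur + _size ))
    done
    printf '%s\n' "$_out"
}

# Emit a complete hosts.allow line for DAEMON covering FIRST..LAST.
hosts_allow_line() {
    printf '%s: %s\n' "$1" "$(range_to_netmasks "$2" "$3")"
}

# The range from the question (example addresses), as three net/mask pairs:
hosts_allow_line sshd 194.2.55.80 194.2.55.105
```

The last line prints `sshd: 194.2.55.80/255.255.255.240,194.2.55.96/255.255.255.248,194.2.55.104/255.255.255.254`, which is what Clay means by "depending upon your exact range": a range that happens to start and end on a block boundary, like the man page's 131.155.72.0 through 131.155.73.255, collapses to one pair. Run netmask_is_wellformed over any pair you write by hand; a misaligned pair such as 131.155.73.0/255.255.254.0 is silently never matched.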
ConnieK
Regular Advisor

Re: TCPWrapper hosts.allow file - correct syntax for IP Range

Clay,

You're right. The man pages for TCPWrappers were not in the /etc/MANPATH - I think because we install this program in /usr/local and we don't include that path for root. Thank you for the excerpt from the man pages. The script will be useful to have regardless of what I need to do.

Points on the way.
Independent by nature
Todd McDaniel_1
Honored Contributor

Re: TCPWrapper hosts.allow file - correct syntax for IP Range

Here is a good link for some syntax...

http://ezine.daemonnews.org/200206/hosts_allow.html
Unix, the other white meat.
A. Clay Stephenson
Acclaimed Contributor

Re: TCPWrapper hosts.allow file - correct syntax for IP Range

The syntax suggested by Todd only applies to the enhanced version of tcp_wrappers, which is not the default available from the HP-UX Porting Centre. However, you can download the source and enable the
STYLE = -DPROCESS_OPTIONS entry in the Makefile (actually, uncomment the line), and then you have the extended options. This is actually my approach to tcp_wrappers.

Since we are now in the realm of extended hosts.allow syntax there is a way to do what you want:

Create an entry that looks like this:

remsh : ALL : twist /mydir/myfile.sh %a && exec /usr/lbin/remshd -l

Note that we let any remotehost in but we first execute /mydir/myfile.sh. %a is the client's IP address and only if it exits with a zero status (because of the &&) does it then exec remshd. Your IP ranges are then controlled within /mydir/myfile.sh and it can also process other arguments that you choose to supply like username (%u). The 'twist' argument allows you to apply very powerful rules.


If it ain't broke, I can fix that.
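Clay describes the twist line but not the gate script behind it. The following is an added example of what /mydir/myfile.sh could look like; it is my code, not from the thread, and the path, the range list, the log tag and the function names (is_dotted_quad, ip2int, client_allowed) are all assumptions. The script takes the client address that tcp_wrappers substitutes for %a, refuses anything that is not a well-formed dotted quad so that it fails closed (hosts_access(5) replaces shell metacharacters in % expansions with underscores, and such a scrubbed string fails the check), and exits 0 only for addresses inside the listed ranges. Because the wrappers themselves treat the twist as an allow, a refusal is only the script's exit status, so the script writes its own syslog entry.

```shell
#!/bin/sh
# Added example gate for the hosts.allow line
#   remsh : ALL : twist /mydir/myfile.sh %a && exec /usr/lbin/remshd -l
# Not from the thread; the path, range list and log tag are assumptions.
# Usage: /mydir/myfile.sh <client-ip>   (tcp_wrappers substitutes %a)
# Exit 0 = client allowed (remshd is then exec'd), exit 1 = refused.
# Assumes a POSIX sh with 64-bit $(( )) arithmetic.

# Constructed allow list: inclusive "first-last" ranges, whitespace separated.
ALLOWED_RANGES="
194.2.55.80-194.2.55.105
10.1.2.0-10.1.2.255
"

# Accept only a plain dotted quad with octets 0-255 and no leading zeros
# (a leading zero would be read as octal by the arithmetic below).
# Anything else, including the underscore-scrubbed strings tcp_wrappers
# substitutes for shell metacharacters in %a, is rejected: fail closed.
is_dotted_quad() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|0[0-9]*|*.0[0-9]*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Dotted quad -> integer so that ranges can be compared numerically.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Returns 0 if ADDR lies inside one of ALLOWED_RANGES, 1 otherwise.
client_allowed() {
    is_dotted_quad "$1" || return 1
    _c=$(ip2int "$1")
    for _r in $ALLOWED_RANGES; do
        _f=$(ip2int "${_r%-*}")
        _l=$(ip2int "${_r#*-}")
        if [ "$_c" -ge "$_f" ] && [ "$_c" -le "$_l" ]; then
            return 0
        fi
    done
    return 1
}

# Entry point when run by tcp_wrappers.  The wrappers log the connection as
# matched either way, so the refusal is only visible if logged from here.
if [ $# -gt 0 ]; then
    if client_allowed "$1"; then
        logger -t myfile.sh -p auth.info "remsh allowed from $1"
        exit 0
    fi
    logger -t myfile.sh -p auth.warning "remsh refused from $1"
    exit 1
fi
```

Keep the script and its range list owned by root and not group- or world-writable: with twist the script runs with the daemon's privileges before remshd ever sees the connection, so whoever can edit it controls who gets in. Adding `%u` to the twist line, as Clay suggests, only helps if the client's identd answer is trusted, so the address check should stay the primary gate.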
ConnieK
Regular Advisor

Re: TCPWrapper hosts.allow file - correct syntax for IP Range

Todd & Clay - Thanks for the guides. Will use for future reference.
Independent by nature