>From: Erick Lorenz <address@hidden>
>Organization: UC Davis
>Keywords: 200102020159.f121xaX03428 security

Erick,

re: ADDE uses ports 500 and 503

The topic is setting up TCP wrappers for the ports that McIDAS ADDE uses
for data transfers.

>My man page for hosts.allow and hosts.deny describes an entry as being of
>the form:
>
>   <daemon_list> : <client_list> : [ <shell_command> ]
>
>e.g.
>
>   in_ftpd in_telnetd : 192.192.
>
>I am not sure how to designate a port number in this syntax.  (but then
>I am rather fuzzy on the whole issue of ports anyway)

The designation of a port is indirect.  The port is picked up by virtue of
the service-port pair in /etc/services.  For McIDAS ADDE this will look
like:

mcserv          500/tcp
mccompress      503/tcp

You might think, therefore, that the hosts.allow line would look something
like:

mcserv: 192.192.

** but it doesn't**

Instead, the single entry in hosts.allow that will specify the list of IPs
allowed to connect using either port that McIDAS ADDE communicates on is:

mcservsh: <IP mask/list>

The revised /etc/inetd.conf entry that sets up use of TCP wrappers is:

mcserv  stream  tcp     nowait  mcadde  /usr/sbin/tcpd  /home/mcidas/bin/mcservsh -H /home/mcidas
mccompress      stream  tcp     nowait  mcadde  /usr/sbin/tcpd  /home/mcidas/bin/mcservsh -H /home/mcidas

From these entries it is more clear that the service you are telling the
TCP wrappers to control is mcservsh:

/usr/sbin/tcpd /home/mcidas/bin/mcservsh
    ^                             ^______ the service to control
    |______________________________ the TCP wrapper

So, if you are setting up TCP wrappers on your machine for McIDAS ADDE,
you will need to modify both /etc/inetd.conf (and then send inetd a HUP
signal) and /etc/hosts.allow.

Please let me know if my explanation is satisfactory.  If it isn't (I am
no expert either), I will get our system administrator to provide the
correct (:-) explanation.

Tom
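An added example, not part of the original message: a small audit that derives the daemon name tcpd will match (the basename of the program it launches) from each wrapped inetd.conf entry and flags hosts.allow rules that name something else, such as the inetd service name. The function names and the sample hosts.allow contents are constructed for illustration; continuation lines and pattern wildcards other than ALL are not handled.

```python
import os

# Constructed sample files, using the entries quoted in the message above.
INETD_CONF = """\
# service  type   proto wait   user   server         args
mcserv     stream tcp   nowait mcadde /usr/sbin/tcpd /home/mcidas/bin/mcservsh -H /home/mcidas
mccompress stream tcp   nowait mcadde /usr/sbin/tcpd /home/mcidas/bin/mcservsh -H /home/mcidas
"""
HOSTS_ALLOW_WRONG = "mcserv: 192.192.\n"    # keyed on the service name
HOSTS_ALLOW_RIGHT = "mcservsh: 192.192.\n"  # keyed on the daemon name

def wrapped_daemons(inetd_conf):
    """Map daemon name (as tcpd sees it) -> set of inetd service names."""
    daemons = {}
    for line in inetd_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        # Fields: service, socket type, proto, wait, user, server, argv[0], ...
        if len(fields) < 7 or os.path.basename(fields[5]) != "tcpd":
            continue
        name = os.path.basename(fields[6])
        daemons.setdefault(name, set()).add(fields[0])
    return daemons

def allowed_daemon_names(hosts_allow):
    """Collect every name used in the daemon_list of a hosts.allow rule."""
    names = set()
    for line in hosts_allow.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemon_list = line.split(":", 1)[0]
        for tok in daemon_list.replace(",", " ").split():
            names.add(tok.split("@", 1)[0])  # drop the optional @host part
    return names

def audit(inetd_conf, hosts_allow):
    """Return a list of mismatches between hosts.allow and wrapped daemons."""
    daemons = wrapped_daemons(inetd_conf)
    names = allowed_daemon_names(hosts_allow)
    services = set().union(*daemons.values()) if daemons else set()
    findings = []
    for n in sorted(names - set(daemons) - {"ALL"}):
        hint = " (an inetd service name, not a daemon name)" if n in services else ""
        findings.append(f"rule for '{n}' matches no wrapped daemon{hint}")
    if "ALL" not in names:
        for d in sorted(set(daemons) - names):
            findings.append(f"no hosts.allow rule names daemon '{d}'")
    return findings
```

A rule keyed on `mcserv` never matches, so access is then decided by hosts.deny alone: refused for everyone if it denies ALL, and granted to everyone if it has no matching entry.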
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.