Subject: Re: Need help with TCP wrappers
To: None <netbsd-help@netbsd.org>
From: Frederick Bruckman <fredb@immanent.net>
List: netbsd-help
Date: 02/14/2005 20:18:30
In article <Pine.NEB.4.61.0502131814090.210@seduction.immanent.net>,
	Frederick Bruckman <fredb@immanent.net> writes:
> Is anyone else successfully using the "twist" option to TCP wrappers?
> 
> I'd like to use it to control the rejection message for sendmail, but 
> I can't figure it out. If I put ": twist /bin/echo ...." after 
> "sendmail: ALL except ... " in "hosts.allow", it seems to reject 
> everything with the twist message *except* the exceptions. If I have 
> no entry for "sendmail" in "hosts.allow", but have "sendmail: ... : 
> twist ...", everything gets rejected with a generic message (contrary 
> to the docs), but if I add "sendmail: ALL" to "hosts.allow", then 
> everything would get accepted, wouldn't it?

Following up to my own post, the problem is that the "default DENY"
breaks the nice description in the hosts.allow(5) man page.  The
following almost works:

-- hosts.allow ------------------
sendmail: ALL except \
	< others > \
	201.0.0.0/255.240.0.0

-- hosts.deny ------------------
sendmail: ALL \
	: twist /bin/echo '450 4.7.0 Access denied to your host (%a)'

It, however, fills maillog with warnings of "Bad file descriptor"...

Feb 14 13:54:38 tautology sm-mta[29379]: twist 201-1-117-7.dsl.telesp.net.br to /bin/echo '450 4.7.0 Access denied to your host (201.1.117.7)'
Feb 14 13:54:38 tautology sm-mta[29379]: warning: /etc/hosts.deny, line 2: twist_option: dup: Bad file descriptor
Feb 14 13:54:38 tautology sm-mta[633]: twist 201-1-117-7.dsl.telesp.net.br to /bin/echo '450 4.7.0 Access denied to your host (201.1.117.7)'
Feb 14 13:54:38 tautology sm-mta[2794]: twist 201-1-117-7.dsl.telesp.net.br to /bin/echo '450 4.7.0 Access denied to your host (201.1.117.7)'
Feb 14 13:54:38 tautology sm-mta[2794]: warning: /etc/hosts.deny, line 2: twist_option: dup: Bad file descriptor
Feb 14 13:54:38 tautology sm-mta[633]: warning: /etc/hosts.deny, line 2: twist_option: dup: Bad file descriptor
Feb 14 13:54:38 tautology sm-mta[207]: twist 201-1-117-7.dsl.telesp.net.br to /bin/echo '450 4.7.0 Access denied to your host (201.1.117.7)'
Feb 14 13:54:38 tautology sm-mta[207]: warning: /etc/hosts.deny, line 2: twist_option: dup: Bad file descriptor
Feb 14 13:54:57 tautology sm-mta[28255]: twist 201-1-117-7.dsl.telesp.net.br to /bin/echo '450 4.7.0 Access denied to your host (201.1.117.7)'
Feb 14 13:54:57 tautology sm-mta[28255]: warning: /etc/hosts.deny, line 2: twist_option: dup: Bad file descriptor

and worse, the client host doesn't get the message, which partly
explains why the poor unfortunate spam robot made six attempts!
Here's a dialog from a host that I blacklisted for the test:

 telnet mail 25
 Trying 209.100.230.148...
 Connected to mail.immanent.net.
 Escape character is '^]'.
 Connection closed by foreign host.

So, if anyone is actually using tcp wrappers with sendmail, I would
still be interested in seeing practical examples.


Frederick
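Added example (not part of the post, and not tcp_wrappers' own code): a toy Python model of the hosts_access(5) decision order, hosts.allow first, then hosts.deny, and "allow" when nothing matches, with "ALL except" and "twist" handled, run over the two files from the post. The sample files are constructed for the example: 192.0.2.0/255.255.255.0 stands in for the "< others >" placeholder, and ALLOW_WITH_TWIST reproduces the first layout the question describes (twist attached to the hosts.allow rule). Only ALL, net/mask and exact IPv4 tokens and the %a/%d substitutions are modelled; hostnames, wildcards and netgroups are not, and neither is a "default DENY" build or the dup() failure shown in the log.

```python
# Added example (not from the post): a toy model of how tcp_wrappers walks
# hosts.allow, then hosts.deny, and what "ALL except" and "twist" do.
import ipaddress
import re


def _join_continuations(text):
    """Join backslash-continued lines, as the access control files allow."""
    return re.sub(r'\\\n[ \t]*', ' ', text)


def parse_rules(text):
    """Return [(daemon_list, client_pattern, options)] for one access file."""
    rules = []
    for line in _join_continuations(text).splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(':')]
        if len(fields) < 2:
            raise ValueError('rule needs daemon_list : client_list: %r' % line)
        rules.append((fields[0].split(), fields[1], fields[2:]))
    return rules


def _match_token(token, addr):
    """Match one client token: ALL, net/mask, or an exact IPv4 address."""
    if token == 'ALL':
        return True
    ip = ipaddress.ip_address(addr)
    if '/' in token:
        # ipaddress accepts a dotted netmask such as 201.0.0.0/255.240.0.0
        return ip in ipaddress.ip_network(token, strict=False)
    try:
        return ipaddress.ip_address(token) == ip
    except ValueError:
        return False  # hostname patterns are not modelled here


def match_clients(pattern, addr):
    """'list EXCEPT list' matches the left list unless the right one matches."""
    parts = re.split(r'\s+except\s+', pattern, maxsplit=1, flags=re.IGNORECASE)
    if len(parts) == 2:
        return match_clients(parts[0], addr) and not match_clients(parts[1], addr)
    return any(_match_token(t, addr) for t in pattern.split())


def _expand(command, daemon, addr):
    """Expand the %a (client address) and %d (daemon name) substitutions."""
    return command.replace('%a', addr).replace('%d', daemon)


def decide(daemon, addr, allow_text, deny_text):
    """First matching hosts.allow rule grants, first matching hosts.deny
    rule denies, and no match at all means access is allowed.  A 'twist'
    option replaces the verdict with the command run in place of the
    daemon, so a twist in hosts.allow twists the hosts that rule *matches*
    rather than the exceptions listed after EXCEPT."""
    for rules, verdict in ((parse_rules(allow_text), 'allow'),
                           (parse_rules(deny_text), 'deny')):
        for daemons, clients, options in rules:
            if ('ALL' in daemons or daemon in daemons) and match_clients(clients, addr):
                for opt in options:
                    if opt.startswith('twist '):
                        return ('twist', _expand(opt[len('twist '):], daemon, addr))
                return (verdict, None)
    return ('allow', None)


# Constructed sample files; 192.0.2.0/24 stands in for the post's "< others >".
HOSTS_ALLOW = """\
sendmail: ALL except \\
\t192.0.2.0/255.255.255.0 \\
\t201.0.0.0/255.240.0.0
"""
HOSTS_DENY = """\
sendmail: ALL \\
\t: twist /bin/echo '450 4.7.0 Access denied to your host (%a)'
"""
# The layout from the original question: twist attached to the hosts.allow rule.
ALLOW_WITH_TWIST = """\
sendmail: ALL except 201.0.0.0/255.240.0.0 : twist /bin/echo 'denied %a'
"""

if __name__ == '__main__':
    for client in ('201.1.117.7', '203.0.113.9'):
        print(client, 'allow+deny files:', decide('sendmail', client, HOSTS_ALLOW, HOSTS_DENY))
        print(client, 'twist in hosts.allow:', decide('sendmail', client, ALLOW_WITH_TWIST, ''))
```

With the two-file layout, 201.1.117.7 falls through hosts.allow and hits the twist in hosts.deny, while an address outside the excepted ranges is allowed; with the twist on the hosts.allow rule instead, it is the matched (non-excepted) hosts that get twisted and the excepted ones that fall through, which is the behaviour the question describes.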