Ok, I admit I'm a little stumped! At least without poring through the tcpd
source code. I have a situation where I am running a web service from inetd
with tcp_wrapper, configured, tested, and verified operational. In fact I test
it both internally and externally every time there is a change to the access
configuration. Yesterday it started allowing access to one IP address range
for a short period of time. Included below is a portion of the syslogd
logs which seem to indicate one ISP seemed to gain access with no DNS reverse
entry while other domains were bounced.
The strange thing is I know who the first one (152.163.231.155) was. The
second (152.163.231.172) was permitted access for a few minutes before finally
being rejected as the DNS reverse lookup began to work again for that domain.
We do have a few IP address allow entries as "xx.yy.zz." but they do not
represent the same address space, are all tested, and seem to be working as
advertised. All other web access during this time period seemed to work
correctly (i.e. permit/deny) during this time period and no binaries or
configuration files on the server seemed to have been touched.
Any ideas?
---------------- from syslogd logs ----------------------------------
Aug 28 20:31:25 hostname httpd[27823]: connect from 152.163.231.155
Aug 28 20:31:30 hostname httpd[27824]: connect from 152.163.231.155
Aug 28 20:31:30 hostname httpd[27825]: connect from 152.163.231.155
Aug 28 20:31:31 hostname httpd[27826]: connect from 152.163.231.155
Aug 28 20:32:09 hostname httpd[27827]: connect from 152.163.231.155
Aug 28 20:32:13 hostname httpd[27828]: connect from 152.163.231.155
Aug 28 20:32:14 hostname httpd[27829]: connect from 152.163.231.155
Aug 28 20:32:14 hostname httpd[27830]: connect from 152.163.231.155
Aug 28 20:32:25 hostname httpd[27831]: connect from 152.163.231.155
... lots of other stuff ...
Aug 28 20:53:51 hostname httpd[27860]: refused connect from dial251.concom.com
Aug 28 20:53:53 hostname httpd[27861]: connect from 152.163.231.172
Aug 28 20:54:02 hostname httpd[27862]: connect from 152.163.231.172
Aug 28 20:54:02 hostname httpd[27863]: connect from 152.163.231.172
Aug 28 20:54:06 hostname httpd[27864]: connect from 152.163.231.172
Aug 28 20:55:23 hostname httpd[27879]: connect from 152.163.231.172
Aug 28 20:55:30 hostname httpd[27880]: refused connect from www-n2.proxy.aol.com
------------------------- end -----------------------------------------
Where:
www-l5.proxy.aol.com internet address = 152.163.231.155
www-n2.proxy.aol.com internet address = 152.163.231.172
Steve Coleman scoleman @ sewp . nasa . gov
vox: 301.286.7636 fax: 301.286.0317
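
An added example, not part of the original post: a Python script that pulls the pattern described above out of tcpd syslog lines, listing each address that was accepted while logged by bare IP and any refusal of the same address logged by hostname. The sample lines and the name-to-address table are copied from the post's excerpt; the function names are hypothetical and no live DNS lookup is made.

```python
import re

# Constructed sample: lines copied from the syslog excerpt in the post above.
SAMPLE_LOG = """\
Aug 28 20:31:25 hostname httpd[27823]: connect from 152.163.231.155
Aug 28 20:31:30 hostname httpd[27824]: connect from 152.163.231.155
Aug 28 20:53:51 hostname httpd[27860]: refused connect from dial251.concom.com
Aug 28 20:53:53 hostname httpd[27861]: connect from 152.163.231.172
Aug 28 20:55:23 hostname httpd[27879]: connect from 152.163.231.172
Aug 28 20:55:30 hostname httpd[27880]: refused connect from www-n2.proxy.aol.com
"""

# Name-to-address pairs from the post's "Where:" lines (no live DNS is used).
KNOWN_HOSTS = {
    "www-l5.proxy.aol.com": "152.163.231.155",
    "www-n2.proxy.aol.com": "152.163.231.172",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+\S+\[\d+\]:\s+"
    r"(?P<action>refused connect|connect) from (?P<client>\S+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse(log_text):
    """Yield (timestamp, action, host) per tcpd line; user@host keeps only host."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["action"], m["client"].rsplit("@", 1)[-1]

def numeric_accepts(log_text, known_hosts):
    """Map each IP accepted by bare address to its accept count and hostname refusals."""
    report, refusals = {}, []
    for ts, action, client in parse(log_text):
        if action == "connect" and IPV4_RE.match(client):
            entry = report.setdefault(client, {"accepted": 0, "first": ts, "refused_as": []})
            entry["accepted"] += 1
            entry["last"] = ts
        elif action == "refused connect" and client in known_hosts:
            refusals.append((ts, client))
    for ts, name in refusals:
        if known_hosts[name] in report:
            report[known_hosts[name]]["refused_as"].append((ts, name))
    return report

if __name__ == "__main__":
    for ip, info in numeric_accepts(SAMPLE_LOG, KNOWN_HOSTS).items():
        print(ip, info)
```

An address with a non-empty `refused_as` list was let in while it logged numerically and turned away once it logged by name, which is the window to compare against the access configuration.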