stunnel and hosts.allow

Hi, This may be a little bit off-topic, but does anyone here use stunnel with pan? My connections to stunnel (in pan) are always refused by libwrap. I was looking for the right rule to add to /etc/hosts.allow but nothing seems to work aside from "ALL : ALL" (which is obviously not good) and "nntps: KNOWN". Is the latter reasonable? The hosts_access(5) manpage is confusing to say the least. It mentions that daemon (the first token on any line) is the name of the daemon running the process, which would be "stunnel" in my case, but using "stunnel : LOCAL" or even "stunnel : ALL" doesn't work. The rule that seems to work, as mentioned, is "nntps : KNOWN" ("nntps" being the group name in stunnel.conf). What's even more confusing to me is that "nntps : LOCAL" does not work either. Nor does "nntps : localhost 127.0.0.1", "nntps : localhost", "nntps : 127.0.0.1", or "nntps : 192.168.1.". Pan is running on the same machine as stunnel so all connections must be coming from localhost. Why do these rules not trigger? Either way, I'd like to know the "least permissive" hosts.allow rule that would allow me to connect to my news provider from pan, and/or whether "nntps : KNOWN" is a safe option. Thanks, Yousef

Yousef, You should use the same service name you put in your config file. For example, if you have:
...
[pan]
accept=888
connect=localhost:444
..
Then you put pan: in your hosts.allow
Regards, Jose
-----Original Message-----
From: Yousef Alhashemi <[email protected]>
Sender: [email protected]
Date: Wed, 18 May 2011 11:31:03
To: <[email protected]>
Subject: [stunnel-users] stunnel and hosts.allow
_______________________________________________
stunnel-users mailing list
[email protected]
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

You should use the same service name you put in your config file. For example, if you have:
...
[pan]
accept=888
connect=localhost:444
..
Then you put pan: in your hosts.allow
Thanks, I figured that part out (as stated in my first message). I was just wondering why something like "nntps : LOCAL" or "nntps : localhost" doesn't work (I have [nntps] in stunnel.conf). ~Yousef

Did you try something like
nntps : LOCAL EXCEPT PARANOID
-- Best regards, Jörg-Volker.

2011/5/19 Jörg-Volker Peetz <[email protected]> Did you try something like
nntps : LOCAL EXCEPT PARANOID
I tried this but it doesn't work (and it's more restricting than a plain "LOCAL" anyway). But I figured it out. "LOCAL", as per the manpage, accepts any hostname that doesn't contain a dot in it. I'm so used to using "localhost" alone that I forgot that my full local hostname is rather localhost.localdomain, not localhost. I rarely use the full hostname. For example, even in most log files my hostname is usually listed as just "localhost". Anyway, "nntps: localhost.localdomain" fixed it for me. Sorry for the noise. ~Yousef
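As an added illustration (not code from the thread, and not libwrap itself), here is a small Python model of the client patterns described in hosts_access(5), run against two constructed client records. It shows why "nntps : LOCAL" misses a connection whose reverse lookup gives localhost.localdomain while "nntps : localhost.localdomain" and "nntps : KNOWN" match, and why the first token must be the stunnel service name. It assumes a hosts.deny of "ALL : ALL", which would explain why connections matching no hosts.allow line are refused.

```python
# Added illustration, not from the thread and not libwrap: a toy model of the client
# patterns in hosts_access(5). Assumes hosts.deny holds "ALL : ALL" (constructed), which
# is why connections that match no hosts.allow line get refused.

DENY = "ALL : ALL"

def match_token(pattern, client):
    """Match one client pattern against a client record (name, addr, paranoid)."""
    name, addr, paranoid = client["name"], client["addr"], client["paranoid"]
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":           # a resolved name that contains no dot
        return name is not None and not paranoid and "." not in name
    if pattern == "KNOWN":           # name and address both resolved and consistent
        return name is not None and not paranoid
    if pattern == "PARANOID":        # forward and reverse lookups disagree
        return paranoid
    if pattern.endswith("."):        # "192.168.1." is an address prefix
        return addr.startswith(pattern)
    return pattern.lower() == (name or "").lower() or pattern == addr

def match_list(tokens, client):
    """Evaluate 'a b EXCEPT c': something before EXCEPT matches, nothing after it does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], client) and not match_list(tokens[i + 1:], client)
    return any(match_token(t, client) for t in tokens)

def parse(text):
    """Turn 'daemon_list : client_list' lines into token lists (comments stripped)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":")[:2]
            rules.append((daemons.replace(",", " ").split(), clients.replace(",", " ").split()))
    return rules

def hosts_access(daemon, client, allow_text, deny_text=DENY):
    """hosts.allow is consulted first, then hosts.deny; no match anywhere grants access."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse(text):
            if ("ALL" in daemons or daemon in daemons) and match_list(clients, client):
                return verdict
    return True

# Constructed clients; stunnel hands libwrap the [service] name from stunnel.conf ("nntps").
LOOPBACK = {"name": "localhost.localdomain", "addr": "127.0.0.1", "paranoid": False}
LAN_HOST = {"name": "desk", "addr": "192.168.1.7", "paranoid": False}
```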

Yes, you are right. "LOCAL EXCEPT PARANOID" is more restricting than a plain "LOCAL". And thank you for reporting your solution and the explanation.
-- Best regards, Jörg-Volker.
Yousef Alhashemi wrote, on 05/22/11 23:45:

On May 23, 2011 10:27 AM, "Jörg-Volker Peetz" <[email protected]> wrote:
Yes, you are right. "LOCAL EXCEPT PARANOID" is more restricting than a plain "LOCAL". And thank you for reporting your solution and the explanation.
Very funny. Ha. Ha. Ha. ~Yousef
participants (3): josealf@rocketmail.com, Jörg-Volker Peetz, Yousef Alhashemi