On 10.09.2011 19:21, a.smith@stripped wrote:
> Hi Walter/all,
> OK, nailed it: the issue is the default hosts.allow installed on FreeBSD, and
> specifically the last section, which denies everything. By default it looks like this:
> # The rest of the daemons are protected.
> ALL : ALL \
> : severity auth.info \
> : twist /bin/echo "You are not welcome to use %d from %h."
> The twist command breaks it. In theory this is just meant to send a custom message
> back to the application calling the tcp wrapper library. I'm not sure if this should
> work in theory or not, but the twist command is also meant to close the connection,
> so possibly the behaviour I see is normal and just not compatible with MySQL.
> Anyway, it's not a great default for FreeBSD given that MySQL also installs by default
> with support for tcp wrappers. The two together result in a broken configuration.
Well, and that is why I said nobody is using hosts.allow in real life.
If you want to protect anything, use packet filters.

I have seen so many people typing something into hosts.allow and not
realizing that the service is not using tcp-wrappers, which means
there is no protection. Additionally, most people do not test
their configurations really well.

The point about "not testing configurations" affects you too, because
if you had tested this, the issue would have appeared
after the first connection, long before going into production.
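To make the failure mode in the thread concrete, here is an added example (not code from the thread, from FreeBSD or from tcp_wrappers) that evaluates hosts.allow-style rules the way hosts_access(5) does for the subset of syntax used above: first matching rule wins, ALL is a wildcard, a trailing-dot pattern such as "192.0.2." matches a network prefix, and the options allow, deny, severity and twist are recognised. It runs the FreeBSD default tail quoted above against a MySQL connection and compares it with a rule set that uses a plain deny catch-all plus an explicit allow. The daemon name "mysqld", the client addresses and both rule sets are constructed for the example; the name MySQL registers with libwrap is an assumption here.

```python
"""Evaluate tcp_wrappers-style hosts.allow rules for a (daemon, client) pair.

Added example, not from the mailing-list post or from tcp_wrappers. It models
only the subset of hosts_access(5) used in the thread: first matching rule
wins; daemon and client lists are comma-separated and may contain ALL, an
exact address, or a trailing-dot network prefix; options allow, deny,
severity and twist are understood. With no matching rule, access is granted,
which is the tcp_wrappers default.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    options: List[str] = field(default_factory=list)


@dataclass
class Decision:
    action: str                     # "allow", "deny" or "twist"
    rule: Optional[Rule]            # matching rule, None when nothing matched
    command: Optional[str] = None   # expanded twist command, if any


def parse_rules(text: str) -> List[Rule]:
    """Parse hosts.allow text: '#' comments, backslash continuation, ':'-separated fields."""
    rules: List[Rule] = []
    logical = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):            # continuation: join with the next line
            logical += line[:-1] + " "
            continue
        logical += line
        stripped, logical = logical.strip(), ""
        if not stripped or stripped.startswith("#"):
            continue
        fields = [f.strip() for f in stripped.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {stripped!r}")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append(Rule(daemons, clients, fields[2:]))
    return rules


def _match_token(pattern: str, value: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):               # network prefix, e.g. "192.0.2."
        return value.startswith(pattern)
    return pattern == value


def evaluate(rules: List[Rule], daemon: str, client: str) -> Decision:
    """Return the decision for the first rule matching both daemon and client."""
    for rule in rules:
        if any(_match_token(d, daemon) for d in rule.daemons) and \
           any(_match_token(c, client) for c in rule.clients):
            action, command = "allow", None   # a matching hosts.allow rule permits unless told otherwise
            for opt in rule.options:
                if opt == "deny":
                    action = "deny"
                elif opt == "allow":
                    action = "allow"
                elif opt.startswith("twist "):
                    # twist runs the command in place of the daemon and sends its
                    # output down the connection, then the connection is closed;
                    # %d and %h expand to daemon name and client host/address.
                    action = "twist"
                    command = opt[len("twist "):].replace("%d", daemon).replace("%h", client)
                # severity and other options do not change the decision
            return Decision(action, rule, command)
    return Decision("allow", None)


# Constructed input: the FreeBSD default tail quoted in the thread.
DEFAULT_TAIL = '''
# The rest of the daemons are protected.
ALL : ALL \\
    : severity auth.info \\
    : twist /bin/echo "You are not welcome to use %d from %h."
'''

# Constructed alternative: an explicit allow for the MySQL daemon from one
# network, then a plain deny for everything else instead of a twist.
# "mysqld" as the libwrap daemon name is an assumption.
FIXED = '''
mysqld : 192.0.2. : allow
ALL : ALL : severity auth.info : deny
'''


def decide(config: str, daemon: str, client: str) -> Decision:
    return evaluate(parse_rules(config), daemon, client)


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_TAIL), ("fixed", FIXED)):
        for client in ("192.0.2.10", "198.51.100.7"):
            d = decide(cfg, "mysqld", client)
            print(f"{name:8} mysqld from {client}: {d.action}", d.command or "")
```

The default tail never produces a plain refusal for a MySQL client: every unlisted connection is twisted, so the client gets the echo text on the socket where it expects the server's protocol handshake. The alternative rule set refuses unknown clients with deny and admits only the listed network; it still protects nothing if the daemon was not built with libwrap, which is the point the reply makes about testing.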