This is the mail archive of the cygwin-announce mailing list for the Cygwin project.



Updated: tcp_wrappers-7.6-4 [New: libwrap-devel-7.6-4, libwrap0-7.6-4]


tcp_wrappers provides host-based access restrictions on tcp services: facilities for monitoring and filtering incoming requests for the SSHD, SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.

The package provides a tiny daemon wrapper program that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the client host and of the requested service; the wrappers do not exchange information with the client or server applications, and impose no overhead on the actual conversation between the client and server applications.

:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:

Changes in 7.6-4 since 7.6-2 (-3 unreleased)

* new maintainer
* Switch to cygport build tool
* incorporate debian patches -- see below
* build shared library
* split into multiple packages

!!!! ---- IMPORTANT ---- !!!!
END USERS: the new package is compiled WITHOUT -DPARANOID (which enforces remote-host IP address and remote-host name agreement). This is Debian policy, because the paranoid behavior can be enabled at runtime (flexibility is good). This package will install a version of /etc/hosts.allow that re-enables paranoid behavior -- but only if /etc/hosts.allow doesn't exist.


If you are upgrading, then you will "lose" paranoid behavior. To re-enable it, add the following line to /etc/hosts.allow:

    ALL : PARANOID : DENY


(btw, paranoia is not /always/ a good thing, even in this context)
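
A check upgraders can run against /etc/hosts.allow, as an added example (not part of the original announcement or the package): it reports whether the `ALL : PARANOID : DENY` rule is present and whether any rule that can grant access precedes it, since the first matching rule wins. The function name `paranoid_status` and the sample file are constructed for illustration; the "late" verdict is deliberately conservative and flags any earlier rule without a DENY option.

```shell
#!/bin/sh
# Added example: report whether a hosts.allow file restores the PARANOID check.
# Prints one of: enforced | late | missing
paranoid_status() {
    awk '
    # Join backslash-continued lines into one logical rule.
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    { line = buf $0; buf = "" }
    # Skip comments and blank lines.
    line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }
    {
        # Fields: daemon_list : client_list : option : option ...
        n = split(line, f, ":")
        for (i = 1; i <= n; i++) gsub(/^[ \t]+|[ \t]+$/, "", f[i])
        daemons = toupper(f[1]); clients = toupper(f[2])
        deny = 0
        for (i = 3; i <= n; i++) if (toupper(f[i]) == "DENY") deny = 1
        # The rule from the announcement: ALL : PARANOID : DENY
        if (daemons == "ALL" && clients == "PARANOID" && deny) {
            print (permissive ? "late" : "enforced"); found = 1; exit
        }
        # Any earlier rule without DENY may grant access before PARANOID is tested.
        if (!deny) permissive = 1
    }
    END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample: an upgraded system whose hosts.allow lacks the rule.
demo=$(mktemp)
printf '%s\n' '# constructed sample' 'sshd : 192.168.0.0/24 : ALLOW' > "$demo"
paranoid_status "$demo"
rm -f "$demo"
```

On a real system, call `paranoid_status /etc/hosts.allow`; a result of `late` means the rule exists but should be moved above the rules that precede it.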

!!!! ---- IMPORTANT ---- !!!!
DEVELOPERS: see the note about STRONGSYMS, below.

:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:

Incorporates the Debian extensions:

* cygwrap-0.dll and libwrap.dll.a are available for dynamic linking.

* You can blacklist a whole bunch of hosts at once by specifying a
  file that contains a list of those hosts instead of just naming
  a host. See the hosts_access(5) manpage.

* You can allow or disallow access to a service depending on the
  exit status of a program. See the hosts_access(5) manpage.

* CIDR support in hosts_access(5) functions.

* %r and %R parameters in hosts_access(5) functions.

* Servers can be matched by port number other than by process name.

* IPv6 support: patches are applied, but support is NOT enabled.
  Waiting on IPv6 support in cygwin.

* manpages for installed tools not provided by upstream source

Build options (that differ from previous releases)
--------------------------------------------------

STYLE = "-DPROCESS_OPTIONS -DACLEXEC"

        Debian TCP Wrappers use the extended syntax for /etc/hosts.allow
        and /etc/hosts.deny. This particularly affects spawning other
        commands on connections, see the hosts_options(5) manpage for
        more details.

FACILITY        = LOG_DAEMON
SEVERITY        = LOG_INFO

        TCP Wrappers logs as daemon.info (rather than mail.info).
        This is a change from earlier cygwin releases of tcp_wrappers.

VSYSLOG =

        cygwin has vsyslog built in, since 1.5.6/2004Jan19
        (patch applied 2003Sep29)

UMASK           = -DDAEMON_UMASK=022
NETGROUP        =

RFC931_TIMEOUT  = 10
ACCESS          = -DHOSTS_ACCESS
TABLES          = -DHOSTS_DENY=\"/etc/hosts.deny\"
                  -DHOSTS_ALLOW=\"/etc/hosts.allow\"
KILL_OPT        = -DKILL_IP_OPTIONS

LIBS = -lresolv

        As it turns out, this library is unnecessary and does not
        impose an additional runtime dependency. However, I left
        it in as a build dependency for now.

EXTRA_CFLAGS    = -DSYS_ERRLIST_DEFINED -Dsys_errlist=_sys_errlist
                  -Dsys_nerr=_sys_nerr -DHAVE_STRERROR -DHAVE_STRONGSYMS

        STRONGSYMS: the cygwin versions of cygwrap-0.dll AND libwrap.a
        (that is, both the DLL and static library) explicitly provide
            int deny_severity
            int allow_severity
        symbols.  This means that clients must NOT define their own
        versions of these symbols, as is the practice on *nix systems.
        Instead, clients should rely on the /declaration/ provided in
        tcpd.h:
            extern int deny_severity;
            extern int allow_severity;
        This may require code changes in clients that link against
        libwrap, but it was a necessary API change to enable DLL
        builds on cygwin.

:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:-:

Enjoy!

--
Chuck


====================================================================


To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.
