
#4511 IP ACL bug

Milestone: 1.720
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-12-02
Created: 2014-11-26
Creator: kurczaq
Private: No

IP access control does not work when the DNS name is in this format:

dslb-178-007-042-019.178.007.pools.vodafone-ip.de

and the IP access list has an entry:
*.vodafone-ip.de

This one does not work either:
....vodafone-ip.de

Only putting a numerical IP block works:
178.0.0.0/12

In contrast, another IP resolving to sub.domain.com works when put into the IP ACL:
*.domain.com

Discussion

  • kurczaq

    kurczaq - 2014-11-30

    another cross-check:

    adding a *.de ACL in the Webmin IP ACL.

    result:

    allow=*.pools.vodafone-ip.de *.dip0.t-ipconnect.de *.citytalks.de *.de
    
    
    2014-11-30T19:33:53.898911+01:00 www2 perl[7594]: pam_unix(webmin:session): session opened for user root by (uid=0)
    2014-11-30T19:33:54.141900+01:00 www2 webmin[7594]: Successful login as root from dslb-088-064-182-206.088.064.pools.vodafone-ip.de
    

    WORKING with the vodafone-ip.de domain!

    (but a *.de ACL is not acceptable!)

     
  • kurczaq

    kurczaq - 2014-11-30

    alwaysresolve=1

    was already set in ALL tests that I'm doing.

     
  • kurczaq

    kurczaq - 2014-11-30

    you can easily reproduce the bug, if you set up a local DNS that will resolve your IPs to these hosts that I gave you.

     
  • kurczaq

    kurczaq - 2014-11-30

    it is weird because it seems to disregard the minus sign "-" in the first part of the subdomain name, but it seems to be a problem if it is part of the domain name itself.

    dslb-088-064-182-206.088.064.pools.vodafone-ip.de
        ^ no problem                           ^problem
    
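    The matching the reporter describes (a wildcard hostname entry such as *.vodafone-ip.de that must accept dslb-088-064-182-206.088.064.pools.vodafone-ip.de, hyphens in the domain part included, alongside CIDR entries such as 178.0.0.0/12) can be shown in a small stand-alone matcher. This is an added example written for this page, not Webmin's own ACL code, and it does not reproduce whatever caused the original bug. Real DNS is replaced by two constructed tables (PTR_TABLE, A_TABLE), so it runs offline; the entry 198.51.100.9 in those tables is a made-up case whose PTR claims a name that does not resolve back to it. The example also adds the check a practitioner would want when an ACL trusts reverse DNS at all: the PTR name is only honoured if its forward (A) record confirms the connecting address, since anyone who controls a reverse zone can otherwise make their IP "resolve" to a whitelisted domain.

```python
"""Hostname/CIDR IP-ACL matcher with forward-confirmed reverse DNS.

Added example for this ticket page; not Webmin code.  DNS is replaced by
constructed lookup tables so the module runs offline.
"""
import ipaddress
import re

# Constructed stand-ins for the resolver (assumption, not real DNS data).
PTR_TABLE = {
    "178.7.42.19": "dslb-178-007-042-019.178.007.pools.vodafone-ip.de",
    "10.1.1.1": "dslb-088-064-182-206.088.064.pools.vodafone-ip.de",
    "203.0.113.7": "sub.domain.com",
    # PTR that claims a name whose forward record points elsewhere (spoofed rDNS).
    "198.51.100.9": "login.vodafone-ip.de",
}
A_TABLE = {
    "dslb-178-007-042-019.178.007.pools.vodafone-ip.de": {"178.7.42.19"},
    "dslb-088-064-182-206.088.064.pools.vodafone-ip.de": {"10.1.1.1"},
    "sub.domain.com": {"203.0.113.7"},
    "login.vodafone-ip.de": {"192.0.2.1"},
}


def reverse_lookup(ip):
    """PTR lookup against the constructed table (None when no record)."""
    return PTR_TABLE.get(ip)


def forward_lookup(name):
    """A lookup against the constructed table (empty set when no record)."""
    return A_TABLE.get(name, set())


def compile_acl(entries):
    """Split ACL entries into IP networks and compiled hostname patterns."""
    nets, hosts = [], []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
            continue
        except ValueError:
            pass  # not an address or CIDR block: treat as a hostname pattern
        # Wildcard hostname: escape every literal piece (dots and hyphens are
        # literal characters, not regex syntax), let '*' span any number of
        # labels, and anchor both ends so '*.de' cannot match 'x.de.example'.
        regex = ".*".join(re.escape(part) for part in entry.split("*"))
        hosts.append(re.compile(r"\A" + regex + r"\Z", re.IGNORECASE))
    return nets, hosts


def is_allowed(ip, entries, reverse=reverse_lookup, forward=forward_lookup):
    """Return (allowed, reason) for a client address against an allow list."""
    addr = ipaddress.ip_address(ip)
    nets, hosts = compile_acl(entries)
    for net in nets:
        if addr in net:
            return True, f"ip in {net}"
    if not hosts:
        return False, "no match"
    # Only now touch DNS, and only trust the PTR name if it resolves back to
    # the connecting address (forward-confirmed reverse DNS).
    name = reverse(str(addr))
    if not name:
        return False, "no PTR"
    name = name.rstrip(".")
    if str(addr) not in forward(name):
        return False, f"PTR {name} not forward-confirmed"
    for pattern in hosts:
        if pattern.match(name):
            return True, f"host {name} matches {pattern.pattern}"
    return False, "no match"


if __name__ == "__main__":
    acl = ["*.pools.vodafone-ip.de", "178.0.0.0/12", "*.domain.com"]
    for client in ("178.7.42.19", "10.1.1.1", "203.0.113.7", "198.51.100.9"):
        print(client, is_allowed(client, acl))
```

    Because `*` expands to `.*`, `*.pools.vodafone-ip.de` accepts the reporter's multi-label reverse names just as the fixed Webmin did, while the anchored, escaped suffix guarantees that a hyphen or dot in the domain part is matched literally. The forward-confirmation step is the part worth keeping whichever tool does the matching: a hostname allow list that trusts PTR records alone is only as strong as the weakest reverse zone on the Internet.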
     
  • kurczaq

    kurczaq - 2014-11-30

    drop me a note if you have problems configuring DNS to reproduce.

     
  • kurczaq

    kurczaq - 2014-11-30

    btw for testing I think you can just hard-wire a host name in your code that comes from your resolver - no need to set up a DNS.

     
  • kurczaq

    kurczaq - 2014-11-30

    If we cannot fix this issue quickly, I will have to revert to some TCP proxying (e.g. via xinetd and hosts.allow) and run Webmin on localhost only... however, this is not a good workaround.

     
  • kurczaq

    kurczaq - 2014-11-30

    seems to work for me now (after 22af9bc18eaea4904c3c020ae54fece94c382831):

    www2:~ # host 10.1.1.1
    1.1.1.10.in-addr.arpa domain name pointer dslb-088-064-182-206.088.064.pools.vodafone-ip.de.
    www2:~ # 
    

    ACL:

    *.pools.vodafone-ip.de
    

    working.

    When I remove *.pools.vodafone-ip.de from the ACL, it then says access denied from 10.1.1.1

    I still wonder why it did not accept the TCP wrapper option then? It does not query the hosts.allow first? I think it would be a good idea to have a configurable policy here:

    ALLOW if allowed by webmin AND tcpwrapper
    ALLOW if allowed by webmin OR tcpwrapper

    etc.

     

    Last edit: kurczaq 2014-11-30
  • kurczaq

    kurczaq - 2014-11-30

    well I wait for the client tomorrow to login, tell you then.

     
  • kurczaq

    kurczaq - 2014-12-02

    seems it works for my client now. thanks for fixing.

     
  • Jamie Cameron

    Jamie Cameron - 2014-12-02

    Great! Thanks for your help and persistence tracking this down.

     