NNTPS pointers

Grant Taylor gtaylor at tnetconsulting.net
Wed Oct 20 22:40:20 UTC 2021


On 10/20/21 3:23 PM, Julien ÉLIE wrote:
> Hi Grant,

Hi Julien,

> I've not played with stunnel but as far as I understood from previous 
> discussions about it, when innd is accessed through stunnel, it does not 
> see the remote peer's IP address so cannot verify it is really a peer.

I know that is the standard mode of operation.  However I believe there 
are some ... hacks that can be applied on Linux that get extremely 
creative with the routing table and use other skulduggery to fake the IP 
address that INN (et al.) sees.

I'll do some more reading and poking with sticks.  I don't know that the 
systems in question have the necessary support installed; kernel 
requirements, policy based routing, etc.

> TCP wrappers will allow only the right IPs.

That makes sense.

> I guess a firewall could also do the trick.  And also stunnel itself by 
> the way, if it has native support of TCP wrappers (when built with the 
> libwrap library), I've just read that in its documentation.

I believe that somewhere I recently read that TCP wrappers was being 
deprecated.  I have no idea where that was.  Perhaps I should search for 
it.  --  Not that deprecation has prevented ifconfig / route / et al. 
from being mainstream utilities some 20 years later.  ;-)



-- 
Grant. . . .
unix || die
