[Twisted-Python] TCP wrapper support for twisted servers
Hi everyone,

I was wondering if anybody knows about a Python wrapper for libwrap. I'm aware of libwrap function libraries for PHP and libwrap-ruby for Ruby - but could not google anything similar for Python.

I want to control access to my twisted servers using hosts.allow/deny. I have read something about "inetd setup" options planned for tap2deb (couldn't get any docs regarding inetd/tcp-wrapper support though).

Alternatively, is there anything included in twisted that can be used to get tcp wrapper support without having to run from inetd?

regards,
Eugene

Web -> www.reedflute.com
===============================================
Eugene Coetzee wrote:
Hi everyone,
I was wondering if anybody knows about a Python wrapper for libwrap. I'm aware of libwrap function libraries for PHP and libwrap-ruby for Ruby - but could not google anything similar for Python.
I want to control access to my twisted servers using hosts.allow/deny. I have read something about "inetd setup" options planned for tap2deb (couldn't get any docs regarding inetd/tcp-wrapper support though).
Alternatively, is there anything included in twisted that can be used to get tcp wrapper support without having to run from inetd?
OK - I had the itch and I just *had to* scratch it. I have built a Python wrapper (I'll call it PyTCPWrapper) to libwrap which is working very much like Perl's http://cpan.uwinnipeg.ca/htdocs/Authen-Libwrap/README.html. I will release it on sourceforge under the GPL pretty soon.

Now - I want to use PyTCPWrapper inside twisted.protocol.http.Request to control access to my http server, possibly passing the result of http.Request.getHost() to PyTCPWrapper.hosts_ctl().

*but* from http.py :

    def getHost(self):
        """Get my originally requesting transport's host.

        Don't rely on the 'transport' attribute, since Request objects may be
        copied remotely.  For information on this method's return value, see
        twisted.internet.tcp.Port.
        """
        return self.host

If I "should not rely on transport" (I imagine this refers to IP spoofing) - what is the most reliable way of getting the client's IP address from inside an instance of http.Request ? I would also like to drop the illegal connection as quickly as possible - much sooner than http.Request.process() happens.

Any advice, thoughts, ideas would be appreciated.

regards,
Eugene

Web -> www.reedflute.com
===============================================
Eugene Coetzee wrote:
OK - I had the itch and I just *had to* scratch it. I have built a Python wrapper (I'll call it PyTCPWrapper) to libwrap which is working very much like Perl's http://cpan.uwinnipeg.ca/htdocs/Authen-Libwrap/README.html. I will release it on sourceforge under the GPL pretty soon.
Correction - I will release it under LGPL.

Web -> www.reedflute.com
===============================================
On Tue, 2004-09-21 at 12:00, Eugene Coetzee wrote:
If I "should not rely on transport" (I imagine this refers to IP spoofing) - what is the most reliable way of getting the client's IP address from inside an instance of http.Request ? I would also like to drop the illegal connection as quickly as possible - much sooner than http.Request.process() happens.
That's how you do it. The comment is basically telling you that stuff like TCP Wrappers is just a stopgap and not a real security measure :)
On Tue, 21 Sep 2004 18:00:27 +0200, Eugene Coetzee <projects@reedflute.com> wrote:
[snip] If I "should not rely on transport" (I imagine this refers to IP spoofing) - what is the most reliable way of getting the client's IP address from inside an instance of http.Request ? I would also like to drop the illegal connection as quickly as possible - much sooner than http.Request.process() happens.
Indeed you do want to do it much sooner - I don't think you want to be modifying HTTP code to use TCP wrappers. I think you want to modify the protocol factory (Site, in the case of HTTP) to use TCP wrappers.

buildProtocol takes an address argument. If the factory returns None, the connection is dropped before any bytes are read from it.

You should be able to implement this as a factory wrapper, too, so that it is useable with any existing factory. See twisted.protocols.policies for examples of how to do this.

Jp
exarkun@divmod.com wrote:
buildProtocol takes an address argument. If the factory returns None, the connection is dropped before any bytes are read from it.
Yep, that's exactly what I'm going to do. Thanks for the advice.

Web -> www.reedflute.com
===============================================
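The factory-wrapper approach described in the thread, as an added example that is not code from any participant or from Twisted. It assumes a default-deny CIDR allow list with deny overrides as a stand-in for hosts.allow/hosts.deny (it does not evaluate libwrap rules); `HostFilterFactory`, `StubFactory` and `Addr` are hypothetical names, and the stubs are constructed so the block runs without Twisted.

```python
import ipaddress
from collections import namedtuple


class HostFilterFactory:
    """Hypothetical wrapper: vet the peer before any protocol is built."""

    def __init__(self, wrapped, allow, deny=()):
        self.wrapped = wrapped
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.deny = [ipaddress.ip_network(n) for n in deny]
        self.rejected = []  # refused peer hosts, kept for logging

    def permitted(self, host):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return False  # not an IP literal (or None): fail closed
        # Compare IPv4-mapped IPv6 peers (::ffff:a.b.c.d) as plain IPv4.
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if any(ip in net for net in self.deny):
            return False
        return any(ip in net for net in self.allow)

    def buildProtocol(self, addr):
        host = getattr(addr, "host", None)
        if not self.permitted(host):
            self.rejected.append(host)
            return None  # returning None means no protocol is built
        return self.wrapped.buildProtocol(addr)

    def __getattr__(self, name):
        # Everything else (doStart, doStop, ...) goes to the real factory.
        if name == "wrapped":
            raise AttributeError(name)
        return getattr(self.wrapped, name)


# Constructed stand-ins so the block runs without Twisted installed.
Addr = namedtuple("Addr", "type host port")

class StubFactory:
    def buildProtocol(self, addr):
        return ("protocol", addr.host)

def demo():
    f = HostFilterFactory(StubFactory(), ["192.0.2.0/24"], ["192.0.2.66/32"])
    peers = ["192.0.2.10", "192.0.2.66", "::ffff:192.0.2.11", "203.0.113.5", "bogus"]
    return [f.buildProtocol(Addr("TCP", p, 40000)) is not None for p in peers], f.rejected
```

Because the check keys on the peer address alone, it narrows exposure but does not authenticate the client.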
participants (3)
- Eugene Coetzee
- exarkun@divmod.com
- Itamar Shtull-Trauring