xinetd and hosts.allow

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Sat Apr 17 16:30:11 UTC 2004


On Sat, 17.04.2004, at 17:35, Jay Daniels wrote:

> I cannot get xinetd and tcp wrappers hosts.allow and hosts.deny to work.
> 
> /etc/hosts.allow

> ALL: LOCAL, 192.168.2.0/255.255.255.0, darkforce.darktech.org, my_static_ip_here

You may change this to:

ALL: 127.0.0.1, 192.168.2.0/255.255.255.0, STATIC_IP :ALLOW

> /etc/hosts.deny
> ALL: ALL

You may change this to:

ALL: ALL EXCEPT localhost:DENY

> I have tried several combinations in hosts.allow and restarted xinetd,
> but when I have the above lines uncommented I cannot send any mail via
> smtp port 25 from localhost!
> 
> Any ideas?
> 
> This may all be redundant since the firewall is supposed to block
> specified connections to these ports, but I was thinking tcp wrappers
> would add to the security?

tcp_wrappers is from a time when packet filtering was not standard. I
prefer to set up clean and manageable iptables chains/rules, which even
allow you stateful inspection. Having restrictive settings in more than
one place makes it harder to administrate. And it does not necessarily
improve security. I would kick all hosts.deny and hosts.allow settings
and stick with iptables.

> Also, I am still unclear how to edit /etc/hosts and my hosts file may
> have something to do with it.
> 
> $ cat /etc/hosts
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1               localhost.localdomain localhost
> 192.168.2.1             darkforce.darktech.org darkforce #me
> 192.168.2.12            darkstar.darktech.org darkstar #my laptop
> 64.246.60.114           cobra.python-hosting.com cobra #my hosting
> 
> Should I have my gateway ip address in place of the 192.164.2.1?  How
> does tcp wrappers distinguish between eth0 and eth1?

The hosts file looks good. The first question I do not understand. The
hosts file is for name -> IP translation.
tcp_wrappers does not distinguish between devices. It uses hostnames
and/or IPs.

> Note that I can leave hosts.allow and hosts.deny blank and all is
> well, I can send mail from localhost, etc.

Are your Sendmail hostname and IP not in the /etc/hosts file?

> Is this even necessary if my firewall is working properly by allowing
> connections from my local net and blocking certain connections from my
> inet interface?

As I said above: no. It only makes things more complicated.

> jay

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2179.nptl
Sirendipity 18:15:45 up 1 day, 22:05, load average: 0.17, 0.27, 0.26 
                   [ Γνωθι σ'αυτον - gnothi seauton ]
             my life is a planetarium - and you are the stars
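To make the evaluation order behind the two suggested files concrete, here is an added example (not code from either poster) that models the hosts_access(5) decision for the files quoted in this thread: hosts.allow is consulted first, then hosts.deny, and a client matching neither is granted access. It assumes the reverse lookup of 127.0.0.1 returns the canonical name localhost.localdomain from the quoted /etc/hosts, and it covers only the patterns used here (ALL, LOCAL, names, addresses, net/mask pairs, EXCEPT and the :ALLOW/:DENY option).

```python
import ipaddress

# Simplified model of hosts_access(5); added here, not part of tcp_wrappers.
def match_token(token: str, ip: str, hostname: str) -> bool:
    """Match one client pattern against the connecting peer."""
    if token == "ALL":
        return True
    if token == "LOCAL":            # matches only names that contain no dot
        return "." not in hostname
    if "/" in token:                # net/mask, e.g. 192.168.2.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)
    return token in (ip, hostname)

def match_list(client_list: str, ip: str, hostname: str) -> bool:
    """'a, b EXCEPT c': the left list matches unless the right one also does."""
    head, _, tail = client_list.partition(" EXCEPT ")
    if not any(match_token(t.strip(), ip, hostname) for t in head.split(",")):
        return False
    return not (tail and match_list(tail, ip, hostname))

def parse_rules(text: str):
    """Yield (daemon_list, client_list, option) for each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = [f.strip() for f in line.split(":")]
            option = fields[2].upper() if len(fields) > 2 else None
            yield fields[0], fields[1], option

def hosts_access(allow: str, deny: str, daemon: str, ip: str, hostname: str) -> bool:
    """True if the peer may reach daemon: allow file first, then deny, else grant."""
    for text, verdict in ((allow, True), (deny, False)):
        for daemons, clients, option in parse_rules(text):
            daemon_hit = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
            if daemon_hit and match_list(clients, ip, hostname):
                return verdict if option is None else option == "ALLOW"
    return True                     # matched in neither file: access granted

# Constructed copies of the files quoted in the thread (placeholders kept as-is).
ORIGINAL_ALLOW = "ALL: LOCAL, 192.168.2.0/255.255.255.0, darkforce.darktech.org, my_static_ip_here\n"
ORIGINAL_DENY = "ALL: ALL\n"
SUGGESTED_ALLOW = "ALL: 127.0.0.1, 192.168.2.0/255.255.255.0, STATIC_IP :ALLOW\n"
SUGGESTED_DENY = "ALL: ALL EXCEPT localhost:DENY\n"

if __name__ == "__main__":
    # 127.0.0.1 resolves to localhost.localdomain (has a dot), so LOCAL misses it.
    for allow, deny in ((ORIGINAL_ALLOW, ORIGINAL_DENY), (SUGGESTED_ALLOW, SUGGESTED_DENY)):
        print(hosts_access(allow, deny, "sendmail", "127.0.0.1", "localhost.localdomain"))
```

Under the original files the loopback client ends up denied, because LOCAL only matches names without a dot and no other pattern covers 127.0.0.1, so the catch-all in hosts.deny wins; the suggested files list 127.0.0.1 explicitly.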