Hosts.allow / deny
Ed Wilts
ewilts at ewilts.org
Wed Feb 23 12:41:45 UTC 2005
On Wed, Feb 23, 2005 at 08:20:35AM +0200, D u n c a n wrote:
> Hi all,
> Fedora Core 2, squirrelmail, sendmail
> How do I securely ensure my hosts.allow and deny is correctly
> configured? At the moment it's configured as such:
>
> hosts.allow
> ALLOW : imapd : 127.0.0.1
> ALLOW : sshd : 10.10.10.2
> ALLOW : smtp : 10.10.10.3
> hosts.deny
> ALL : ALL
>
> I just want to allow access to imapd, sshd and my smarthost.
> Will this kill the DNS service etc.? Suggestions welcome.
First, it will not kill DNS since DNS doesn't use tcp_wrappers.
Second, the syntax is incorrect.
Third, the service name for sendmail is sendmail, not smtp. You
typically want to allow everybody to send you mail.
Last, squirrelmail doesn't use tcp_wrappers so I hope you don't expect
that to help you here.
Here's what I use for hosts.allow:
ALL: LOCAL, .ewilts.home, 192.168.0.0/255.255.255.0, 127.0.0.1
sendmail: ALL
smtps: ALL
This says to allow all connections from my localhost and my local subnet
to every service that uses tcp_wrappers and to accept e-mail from
everybody. I've left out the piece where I allow ssh connections from
my office subnet but that's easy to add.
> Firewall is too costly
Fedora Core does include iptables but I believe that tcp_wrappers is far
easier to understand. You do have to recognize that this does not work
for every service - it won't help you for things like dns, ntp, http,
etc. I use tcp_wrappers in addition to a hardware firewall that passes
on a few specific ports. A hardware firewall, affectionately known as an
LBB (little blue box from Linksys) is fairly inexpensive these days. I
saw one (Belkin I think) advertised in last weekend's flyers for $10 after
mail-in rebate.
--
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
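
Added example, not part of the original post and not tcp_wrappers code: a simplified model of how hosts.allow and hosts.deny are evaluated, run over the rules as posted, a corrected "daemon : client" form of them, and the hosts.allow from the reply. It assumes IPv4 clients and handles only the ALL, LOCAL, leading-dot domain, net/mask and exact-match patterns; the function names and the corrected file are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample files; addresses and daemon names are taken from the thread.
POSTED_ALLOW = "ALLOW : imapd : 127.0.0.1\nALLOW : sshd : 10.10.10.2\nALLOW : smtp : 10.10.10.3\n"
FIXED_ALLOW = "imapd : 127.0.0.1\nsshd : 10.10.10.2\nsendmail : 10.10.10.3\n"
REPLY_ALLOW = ("ALL: LOCAL, .ewilts.home, 192.168.0.0/255.255.255.0, 127.0.0.1\n"
               "sendmail: ALL\nsmtps: ALL\n")
DENY_ALL = "ALL : ALL\n"

def parse(text):
    """Return [(daemons, clients)] for each 'daemon_list : client_list' line."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        tokens = [[t for t in re.split(r"[\s,]+", f) if t] for f in fields[:2]]
        if len(tokens) == 2:
            rules.append((tokens[0], tokens[1]))
    return rules

def lint(text):
    """Flag rules whose daemon field is the word ALLOW or DENY, which names no daemon."""
    return [d for daemons, _ in parse(text) for d in daemons if d.upper() in ("ALLOW", "DENY")]

def client_matches(pattern, ip, host):
    if pattern.upper() == "ALL":
        return True
    if pattern.upper() == "LOCAL":          # host name without a dot
        return bool(host) and "." not in host
    if pattern.startswith("."):             # domain suffix
        return host.lower().endswith(pattern.lower())
    if "/" in pattern:                      # net/mask
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern.lower() in (ip, host.lower())

def matches(text, daemon, ip, host):
    return any(any(d.upper() in ("ALL", daemon.upper()) for d in daemons)
               and any(client_matches(c, ip, host) for c in clients)
               for daemons, clients in parse(text))

def decide(allow_text, deny_text, daemon, ip, host=""):
    """hosts.allow match grants, else hosts.deny match refuses, else access is granted."""
    if matches(allow_text, daemon, ip, host):
        return "allow"
    return "deny" if matches(deny_text, daemon, ip, host) else "allow"
```

With the posted file the first field "ALLOW" is read as the daemon list, so no rule ever matches sshd and the "ALL : ALL" in hosts.deny refuses the admin host too.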