Hosts.allow / deny

Ed Wilts ewilts at ewilts.org
Wed Feb 23 12:41:45 UTC 2005


On Wed, Feb 23, 2005 at 08:20:35AM +0200, D u n c a n wrote:
> Hie all,
> Fedora Core 2 ,squirrelmail ,sendmail
> how do i securely ensure my hosts.allow and deny is correctly
> configured. At the moment its configured as such:
> 
> hosts.allow
>           ALLOW : imapd :  127.0.0.1
>           ALLOW : sshd  : 10.10.10.2
>           ALLOW : smtp : 10.10.10.3
> hosts.deny
>           ALL : ALL
>           
> i just want to allow access to imapd,sshd and my smarthost
> Will this kill the DNS service etc. Suggestions welcome

First, it will not kill DNS since DNS doesn't use tcp_wrappers.
Second, the syntax is incorrect.
Third, the service name for sendmail is sendmail, not smtp.  You
typically want to allow everybody to send you mail.
Last, squirrelmail doesn't use tcp_wrappers so I hope you don't expect
that to help you here.

Here's what I use for hosts.allow:

ALL: LOCAL, .ewilts.home, 192.168.0.0/255.255.255.0, 127.0.0.1
sendmail: ALL
smtps: ALL

This says to allow all connections from my localhost and my local subnet
to every service that uses tcp_wrappers and to accept e-mail from
everybody.  I've left out the piece where I allow ssh connections from
my office subnet but that's easy to add.

> Firewall is too costly

Fedora Core does include iptables but I believe that tcp_wrappers is far
easier to understand.  You do have to recognize that this does not work
for every service - it won't help you for things like dns, ntp, http,
etc.  I use tcp_wrappers in addition to a hardware firewall that passes
on a few specific ports.  A hardware firewall, affectionately known as an
LBB (little blue box from Linksys) is fairly inexpensive these days.  I
saw one (Belkin I think) advertised in last weekend's flyers for $10 after
mail-in rebate.
 
-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program
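The following is an added worked example, not part of the original thread: a small Python model of the hosts_access(5) matching rules (daemon list, client patterns, allow-then-deny-then-default-allow order) applied to both configurations above. It assumes a hosts.deny of `ALL : ALL` for the reply's configuration, which the reply does not show, and it does not implement EXCEPT, KNOWN/UNKNOWN/PARANOID or the hosts_options(5) extensions.

```python
import ipaddress

# Constructed sample configs: the original poster's pair (note the leading
# "ALLOW" field, which tcp_wrappers reads as a daemon name, not a keyword)
# and the reply's hosts.allow.  hosts_options(5) does accept ALLOW/DENY,
# but only as a trailing option, e.g. "ALL : ALL : DENY".
POSTED_ALLOW = """ALLOW : imapd :  127.0.0.1
ALLOW : sshd  : 10.10.10.2
ALLOW : smtp : 10.10.10.3"""
POSTED_DENY = "ALL : ALL"   # also assumed as the reply's hosts.deny
REPLY_ALLOW = """ALL: LOCAL, .ewilts.home, 192.168.0.0/255.255.255.0, 127.0.0.1
sendmail: ALL
smtps: ALL"""

def parse(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines into (daemons, clients)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("need at least daemon_list : client_list: %r" % line)
        rules.append((fields[0].split(), fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, host, addr):
    """Client-pattern rules from hosts_access(5) (EXCEPT/KNOWN/PARANOID omitted)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # hostname without a dot
        return "." not in host
    if pattern.startswith("."):            # domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):              # address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern in (host, addr)         # exact host or address

def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, host, addr) for c in clients)

def access(allow_text, deny_text, daemon, host, addr):
    """tcp_wrappers order: a hosts.allow match grants, then a hosts.deny match refuses, else grant."""
    if any(rule_matches(r, daemon, host, addr) for r in parse(allow_text)):
        return "allow"
    if any(rule_matches(r, daemon, host, addr) for r in parse(deny_text)):
        return "deny"
    return "allow"
```

With the posted files, `access(POSTED_ALLOW, POSTED_DENY, "imapd", "localhost", "127.0.0.1")` returns `"deny"`, because the line is read as daemon `ALLOW`, client `imapd`, and the `ALL : ALL` deny then applies.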
