On Thu, 30 Dec 1999, Carl Fink wrote: > As a listmember pointed out, the problem was in my hosts.deny file, > not hosts.allow. Once I read the man page carefully I changed the > line to ALL: ALL and telnet/ftp/smtp were locked.
/etc/hosts.allow and /etc/hosts.deny are used by tcpd and only affects services that are run thru inetd. inetd is a so-called "super server" in that it monitors the ports for various services, and when incoming connections occur, it passes control on to the actual server daemon. however, if you have tcpd installed (which you do), inetd is tricked (sort of) into passing control on to tcpd. tcpd then consults hosts.allow and hosts.deny such as: [from "man 5 hosts_access"]: - Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file. - Otherwise, access will be denied when a (dae- mon,client) pair matches an entry in the /etc/hosts.deny file. - Otherwise, access will be granted. > Oddly, this *didn't* lock http (port 80), though. A quick check of > inetd.conf indicated that inetd doesn't handle http connections. So > I edited boa.conf to only "listen" for connections from 127.0.0.1. > (I only have a web server at all to handle dwww.) Now all ports are > closed. httpd is (usually, and in your case) run as a stand-alone server, and not through inetd, as most web servers handle lots of requests and it would waste system resources to run it through inetd. and httpd itself listens on the port, and control never gets passed on to tcpd, so it can't refuse the connection. > Interestingly, the scanner at www.gsr.com still shows my ftp, smtp, > and telnet ports as "open". My tests indicate that one can connect > to the port, but not actually do anything before my host closes the > connection again. as stated above, the connection *DOES* get established. then tcpd gets control and checks it's access rules. if it finds that the client should not be allowed to connect, it immediately drops the connection, so you get something like this: [EMAIL PROTECTED]:tty3:~]$ telnet localhost Trying 127.0.0.1... Connected to lemnos. Escape character is '^]'. Connection closed by foreign host. also, your mail server, running on port 25, probably also runs stand-alone. it will not be affected by hosts.allow or hosts.deny either, so you may want to double check that it's not open. > Someone suggested using IPCHAINS. The thing is, my only goal is to > lock *everyone* outside my local LAN out, while trusting everyone > within 198.162. If I need more complex rules, I will investigate > IPCHAINS. ipchains is very useful. it takes a little bit to get used to its syntax, and remember the various options, but once you do it's very powerful. in my /etc/ppp/ip-up file (executed when a ppp link is established), a total of 5 lines which create various firewall rules. there's one line for each of: mail server, dns server, web server, sql server, and x windows server. they block incoming connections on those ports from any packets coming in over the ppp0 interface, so anything on the lan isn't affected. i also have access rules in hosts.allow and hosts.deny, but to get that far, they have to make it through the firewall. :) hope this little (?) explanation helps you to understand a bit :) ------------------------------------------------------ hypnos <mailto:[EMAIL PROTECTED]>