* Gary Turner ([EMAIL PROTECTED]) spake thusly:
> On Sun, 24 Mar 2002 08:46:00 +0100, Sven Hoexter wrote:
>
> >On Sat, Mar 23, 2002 at 01:09:37PM -0800, Jaye Inabnit ke6sls wrote:
> >
> >> My question now is this: do I need to make these hosts_allow entries into
> >> each of my linux computers? I still find it very odd that all the other
> >> computers were able to connect to my firewall/router as it was, and only my
> >> Woody box was banned from connecting.
> >
> >IIRC it helps fix your DNS problem. The real problem is that
> >ALL:PARANOID is set in /etc/hosts.deny. This entry blocks all hosts that
> >have an invalid or no PTR record.
>
> My understanding has been that /etc/hosts.deny ALL:PARANOID is a good
> thing (tm), in that visitors not invited in, are kicked out. Which is
> your objection in this case. /etc/hosts.allow is tested first and if a
> match is found, then hosts.deny is never tested. Thus, you can "allow"
> your whole LAN by:
>
> ALL : 192.168.0. # <--note the trailing "."
>
> or a piece of it:
>
> ALL : 192.168.0. EXCEPT 192.168.0.46 # or
> ALL : .foo.bar EXCEPT honker.foo.bar # note leading "."
>
> Won't these general allows eliminate the need to edit each host for each
> addition/subtraction on your net? If ALL : PARANOID is not used in
> hosts.deny, then any host not specifically denied, is allowed. That
> seems to me to be a bad thing (tm). In the above example, everybody in
> the world except honker is let in.
It'll work *if* *reverse* *DNS* is working on 192.168.0.0. Otherwise
either tcp wrappers or ssh itself (dep. on sshd config options) will
refuse connections. Didn't you read Sven's reply? It says "DNS problem"
right there.

Dima
--
Backwards compatibility is either a pun or an oxymoron. -- PGN
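As an added example (not code from this thread or from tcp_wrappers itself), here is a small Python model of the evaluation order Gary describes and of the reverse-DNS dependency Dima points out. The rule grammar is a simplified assumption (netmasks, KNOWN/UNKNOWN and shell commands are left out), and the sample rule files are constructed.

```python
# Added example, not from this thread: a simulator of the tcp_wrappers access
# check as the thread describes it.  Assumed syntax: "daemon_list : client_list
# [EXCEPT client_list]"; trailing-dot = address prefix, leading-dot = host-name
# suffix; PARANOID = reverse lookup failed or did not verify (ptr_name=None).

def _pattern_matches(pattern, addr, name, paranoid):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid
    if pattern.endswith("."):                  # "192.168.0." -> network prefix
        return addr.startswith(pattern)
    if pattern.startswith("."):                # ".foo.bar" -> domain suffix
        return name is not None and name.endswith(pattern)
    return pattern == addr or pattern == name  # exact address or host name

def _client_list_matches(client_list, addr, name, paranoid):
    # "A B EXCEPT C" matches when a pattern before EXCEPT matches and none
    # after it does; commas and blanks both separate patterns.
    head, _, tail = client_list.partition("EXCEPT")
    def any_match(text):
        return any(_pattern_matches(p, addr, name, paranoid)
                   for p in text.replace(",", " ").split())
    return any_match(head) and not any_match(tail)

def _file_matches(rules, daemon, addr, name, paranoid):
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        wanted = daemons.replace(",", " ").split()
        if ("ALL" in wanted or daemon in wanted) and \
                _client_list_matches(clients, addr, name, paranoid):
            return True
    return False

def access_decision(hosts_allow, hosts_deny, daemon, addr, ptr_name):
    """hosts.allow first (a match grants access and hosts.deny is never read),
    then hosts.deny (a match refuses), otherwise access is granted."""
    paranoid = ptr_name is None
    if _file_matches(hosts_allow, daemon, addr, ptr_name, paranoid):
        return "allow"
    if _file_matches(hosts_deny, daemon, addr, ptr_name, paranoid):
        return "deny"
    return "allow"
# Constructed sample files: the LAN allow from the thread plus ALL:PARANOID.
LAN_ALLOW = "ALL : 192.168.0. EXCEPT 192.168.0.46   # note the trailing dot\n"
DOMAIN_ALLOW = "ALL : .foo.bar EXCEPT honker.foo.bar # note the leading dot\n"
PARANOID_DENY = "ALL : PARANOID\n"
```

Running it shows the two points of the thread: an address-prefix allow (`192.168.0.`) matches even when reverse DNS is broken, while a domain-suffix allow (`.foo.bar`) needs a valid PTR record or ALL:PARANOID in hosts.deny refuses the client. It also shows that EXCEPT in hosts.allow only withholds the allow; honker is actually refused only if some hosts.deny rule matches it.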