On Fri, 9 Mar 2001, Leonard den Ottolander wrote:

>               Hi Jerry,
>
> > > Uh...the VERY FIRST thing on that list should be enabling ipchains/iptables
> > > (depending on your version) and setting up your firewalling...
>
>  I do agree with Dave here. For example, if you would have a hosts.deny with
> just "ALL: ALL", and a hosts.allow with "ALL: LOCAL" everyone on your subnet
> would have access to your machine. Of course this would change when using

No!   ALL: LOCAL in hosts.allow refers to machine named:  "localhost"
which is your own box (network log into yourself), not your whole subnet.
That is, LOCAL is a synonym for "localhost" which is 127.0.0.1
Also, I usually ALLOW access from all boxen on my subnet, since I myself
may want to access my box from another box on that subnet.

> "ALL: your.specific.ip.address", but this wouldn't work easily when dialing in
> to an ISP that provides dynamic IPs.

True.  But it's easier to add access in hosts.allow than in rc.firewall in
case you can dial into the net, access another machine that does have
access, ssh or telnet over to your machine, add your current dialin ip to
hosts.allow, connect directly to your machine now that you are allowed
in...(who would really do that?)
>
> > If you are just a single machine, there isn't much to be gained by running
> > ipchains.  I suppose that you could install a second ethernet card in your one
> > machine and then you could be your own firewall. A lot of extra effort, but
> > why?
>
>  I think you are making a mistake here. You don't need to install a second NIC
> to run ipchains/iptables. You can use it to protect your single machine
> (personal firewall). Relying solely on tcp_wrappers seems a bit silly. Fi, can
> you tell me if X uses wrappers? I don't know, but I wouldn't bet on it.
>
>                                       Bye,
>
>                                       Leonard.

Leonard,
        Of course the more layers of security the better, but as far as
recommending security measures to less experienced users goes, the very
first thing to do is to modify hosts.deny to ALL:ALL because it is so easy
to do (you don't have to go anywhere to do it) and it affects so many of
the services that may be installed by a standard workstation or server
install.  It protects you while you're out looking for a firewall script!
It's just the easiest to do first, most bang for the buck, etc.





-- 
***************************************************************************
Jerry Winegarden        OIT/Technical Support           Duke University
[EMAIL PROTECTED]            http://www-jerry.oit.duke.edu
***************************************************************************



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
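
The following is an added example, not code from either poster: a simplified Python model of how tcp_wrappers evaluates the two files discussed in this thread (`ALL: ALL` in hosts.deny, `ALL: LOCAL` in hosts.allow), following the rules documented in hosts_access(5). The daemon name, client names and addresses are constructed sample values, and only the `ALL` and `LOCAL` wildcards plus literal names and addresses are modelled.

```python
import re

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]    # ignore any option fields
        rules.append((re.split(r"[\s,]+", daemons.strip()),
                      re.split(r"[\s,]+", clients.strip())))
    return rules

def client_matches(token, hostname, address):
    if token == "ALL":
        return True
    if token == "LOCAL":
        # hosts_access(5): LOCAL matches any host whose name has no dot.
        # hostname is None when the reverse lookup failed (name unknown).
        return hostname is not None and "." not in hostname
    return token == address or (hostname is not None
                                and token.lower() == hostname.lower())

def rule_hits(rules, daemon, hostname, address):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, hostname, address) for c in clients)
        for daemons, clients in rules)

def access_granted(allow_text, deny_text, daemon, hostname, address):
    """hosts.allow is searched first, then hosts.deny; no match means grant."""
    if rule_hits(parse_rules(allow_text), daemon, hostname, address):
        return True
    if rule_hits(parse_rules(deny_text), daemon, hostname, address):
        return False
    return True

HOSTS_ALLOW = "ALL: LOCAL\n"   # configuration quoted in the thread
HOSTS_DENY = "ALL: ALL\n"

# Constructed clients: (name as resolved on the server, address)
CLIENTS = [("localhost", "127.0.0.1"), ("box2", "192.168.1.20"),
           ("box2.example.com", "192.168.1.20"), (None, "203.0.113.7")]

if __name__ == "__main__":
    for name, addr in CLIENTS:
        verdict = access_granted(HOSTS_ALLOW, HOSTS_DENY, "sshd", name, addr)
        print(f"{name or 'unknown':<18} {addr:<14} {'grant' if verdict else 'deny'}")
```

The result depends on the name the server resolves for the client, not on its subnet: the same address is granted as `box2` and denied as `box2.example.com`.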
