On 2 Aug 2001, Christopher Keller wrote:
> Could someone explain the point of /etc/hosts.allow in conjunction with
> iptables? I'm just getting started playing with firewalls, so be nice.
>
> Background: Feeling lucky, I decided to install Bastille over the
> weekend. Imagine my surprise when I couldn't ssh to my machine even
> though I explicitly allowed it in iptables. Apparently (by default??)
> Bastille locks down /etc/hosts.allow so nothing comes in. To those who
> don't know, apparently hosts.allow is consulted prior to iptables. So,
> after making a quick addition of sshd to hosts.allow I'm able to get
> back into my machine remotely. So in essence, I have every port blocked
> on my computer (except ssh) twice; once from hosts.allow and once from
> the iptables entries? If hosts.allow is already denying traffic, what's
> the point of iptables? Do I even need iptables anymore? Couldn't I
> effectively secure my machine by locking down all traffic in
> /etc/hosts.allow with the exception of ssh?
>
> Thanks for the insight....
>
>
/etc/hosts.allow and /etc/hosts.deny are used by servers launched by
inetd (or xinetd), and by servers that are compiled with tcpwrappers.
It is a second line of defence. Connections that make it through
iptables still have to meet the requirements of /etc/hosts.allow and
/etc/hosts.deny if they use tcpwrappers. It can come in very handy if
you make a mistake setting up iptables. When you see messages in the
logs about services being denied that should never have made it through
the firewall, you know you have problems!

As far as Bastille locking things down, it does tell you it is going to
do it, and gives you the option of allowing services to be run. I used
it on my firewall, as well as my servers. I find it to be a handy
security measure, but it will lock things down more than you may want if
you let it configure things to the default configuration, instead of
answering questions to tailor it to your system.
Mikkel
--
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
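As an added illustration (not code from Mikkel's reply, Bastille or tcp_wrappers itself), the script below mimics the decision order the reply describes: /etc/hosts.allow is consulted first, then /etc/hosts.deny, and a connection that matches neither file is allowed. The file contents, daemon names and addresses are constructed samples, and the matcher only understands ALL, exact addresses and dotted prefixes, not the full hosts_access(5) syntax.

```shell
#!/bin/sh
# Mini evaluator for the tcp_wrappers access-control order:
#   1. any match in hosts.allow  -> allow
#   2. else any match in hosts.deny -> deny
#   3. else                        -> allow (the default-open trap)
# Constructed sample files: a Bastille-style "ALL: ALL" deny plus the
# sshd line that lets ssh back in; in.ftpd is limited to one subnet.
SAMPLE_ALLOW='sshd: ALL
in.ftpd: 192.168.1.'
SAMPLE_DENY='ALL: ALL'

# match_pattern PATTERN VALUE -> status 0 if PATTERN covers VALUE.
# Supports ALL, an exact string, and a dotted prefix such as 192.168.1.
match_pattern() {
  pat=$1; val=$2
  case "$pat" in
    ALL) return 0 ;;
    *.)  case "$val" in "$pat"*) return 0 ;; esac ;;
    *)   [ "$pat" = "$val" ] && return 0 ;;
  esac
  return 1
}

# file_matches CONTENT DAEMON CLIENT -> status 0 if some "daemons: clients"
# line in CONTENT matches both the daemon and the client (first hit wins).
file_matches() {
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac        # skip blanks/comments
    daemons=${line%%:*}; clients=${line#*:}
    hit_d=1
    for d in $(printf '%s' "$daemons" | tr ',' ' '); do
      match_pattern "$d" "$2" && hit_d=0
    done
    [ $hit_d -eq 0 ] || continue
    for c in $(printf '%s' "$clients" | tr ',' ' '); do
      match_pattern "$c" "$3" && return 0
    done
  done <<EOF
$1
EOF
  return 1
}

# wrappers_decision DAEMON CLIENT [ALLOW_CONTENT] [DENY_CONTENT] -> prints allow|deny
# Passing explicit empty strings shows what happens with no rules at all.
wrappers_decision() {
  allow=${3-$SAMPLE_ALLOW}; deny=${4-$SAMPLE_DENY}
  if   file_matches "$allow" "$1" "$2"; then echo allow
  elif file_matches "$deny"  "$1" "$2"; then echo deny
  else echo allow; fi
}

wrappers_decision sshd 10.0.0.5         # allow: hosts.allow matched first
wrappers_decision in.telnetd 10.0.0.5   # deny: only "ALL: ALL" matched
```

Note that the last branch is why an empty hosts.deny leaves every wrapped service reachable; the firewall rules in iptables are a separate check and are not consulted by this logic at all.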
_______________________________________________
Seawolf-list mailing list
https://listman.redhat.com/mailman/listinfo/seawolf-list