From: Byron Schlemmer
To: Schalk Erasmus
Cc: FreeBSD Questions
Date: Fri, 08 Aug 2003 22:36:09 +0200
Subject: Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

On Thu, 2003-08-07 at 19:24, Schalk Erasmus wrote:
> Hi,
>
> I need to know what the implications are to make use of the hosts.allow file
> on a FreeBSD Production Server (ISP Setup)? The reason I'm asking, is that
> I've recently decommissioned a Linux SendMail Server to a FreeBSD Exim
> Server, but with no Firewall (IPTABLES) yet.
>
> Besides the fact that it only runs EXIM and Apache, is it necessary to
> Configure rc.Firewall? or can I only make use of the hosts.allow file?

Only applications that honour tcp_wrappers use hosts.allow. Therefore, to
ensure that your machine is secure it would be wise to use a firewall of
some kind.

> Currently I would only like to allow SSH access from my Home Network,
> instead of allowing the WORLD.
>
> I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but based
> on the new "Access Control File", it is all merged together in one file:
>
> # hosts.allow access control file for "tcp wrapped" applications.
> # $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
> #
>
> I take that I should allow the other Services, in this order:
>
> sshd : myhomepc : allow
> exim : ALL : allow
> httpd : ALL : allow
> ftpd : ALL : allow
> ALL : ALL : deny

That would limit ssh only from myhomepc. So that's correct.

> What kind of protection does FreeBSD need by Default? Since OpenBSD goes
> around saying: "SECURE BY DEFAULT" !?

Hmm, I don't think OpenBSD runs a firewall by default. Basically they start
you off with a very restrictive setup. FreeBSD is reasonably secure "by
default" too. But, if you plan to have this box running in an ISP
environment a firewall would be highly recommended.

-- 
--byron
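
The rule order discussed in this message, as an added example that is not part of the original e-mail or of FreeBSD's code: a simplified Python model of first-match evaluation over the quoted hosts.allow rules. The function names and the `honours_wrappers` flag are hypothetical, the client address 203.0.113.7 is constructed, and the model ignores EXCEPT, netmasks, IPv6 and name lookups.

```python
# Added illustration: simplified model of how a tcp_wrappers-aware daemon reads hosts.allow.
# Rules are the ones quoted in the message; "myhomepc" is the poster's placeholder.
HOSTS_ALLOW = """\
# hosts.allow access control file for "tcp wrapped" applications.
sshd  : myhomepc : allow
exim  : ALL      : allow
httpd : ALL      : allow
ftpd  : ALL      : allow
ALL   : ALL      : deny
"""

def parse(text):
    """Return [(daemons, clients, action)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        # In hosts.allow a rule without an explicit "deny" option grants access.
        action = "deny" if "deny" in fields[2:] else "allow"
        rules.append((fields[0].split(), fields[1].split(), action))
    return rules

def matches(patterns, value):
    """Simplified matching: ALL, exact name, '.domain' suffix, 'a.b.' prefix."""
    for p in patterns:
        if p == "ALL" or p.lower() == value.lower():
            return True
        if p.startswith(".") and value.lower().endswith(p.lower()):
            return True
        if p.endswith(".") and value.startswith(p):
            return True
    return False

def decide(rules, daemon, client, honours_wrappers=True):
    """First matching rule wins; if nothing matches, access is granted."""
    if not honours_wrappers:
        return "not consulted"  # hosts.allow has no effect on this daemon
    for daemons, clients, action in rules:
        if matches(daemons, daemon) and matches(clients, client):
            return action
    return "allow"

if __name__ == "__main__":
    rules = parse(HOSTS_ALLOW)
    for daemon, client in [("sshd", "myhomepc"), ("sshd", "203.0.113.7"), ("exim", "203.0.113.7")]:
        print(daemon, client, decide(rules, daemon, client))
```

Moving the `ALL : ALL : deny` line to the top makes every wrapped service unreachable, including sshd from myhomepc, because evaluation stops at the first match.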