From: "H. Eckert"
To: security@FreeBSD.ORG
Date: Thu, 4 Feb 1999 00:37:03 +0100
Subject: Re: hosts.allow and deny!
Message-ID: <19990204003703.F7397@nortobor.nostromo.in-berlin.de>
References: <36b7a502.193777517@mail.sentex.net>
In-Reply-To: <36b7a502.193777517@mail.sentex.net>; from Mike Tancsa on Wed, Feb 03, 1999 at 01:32:25AM +0000

Quoting Mike Tancsa (mike@sentex.net):
> Then in /usr/local/etc/hosts.deny
> ALL:ALL
> In /usr/local/etc/hosts.allow
> goodhost.com

I seem to remember that tcp_wrapper was configured slightly differently, but the manpage didn't reflect the change for the newer version. I didn't succeed at all with a hosts.deny, but see my hosts.allow below for my configuration.

I use it in combination with a firewalling rule:

    ipfw add 2200 reset tcp from any to pop3 setup via ipi0

The result is that I can run qpopper on my machine without having to worry about exploits. It can be accessed from machines inside my local net but not from outside, and the machines in the inner net are able to pop3 to foreign servers, too. (The "ipi0" in the rule is my outside interface, a dialup ISDN link.)

====8<==== /usr/local/etc/hosts.allow ====
# Wed Oct 7 03:00:00 CEST 1998
popper : LOCAL 10.175. : allow
popper : ALL : deny
ALL : ALL

Greetings,
Ripley
-- 
H. Eckert, 10777 Berlin, Germany, http://www.in-berlin.de/User/nostromo/
ISO 8859-1: Ä=Ae, Ö=Oe, Ü=Ue, ä=ae, ö=oe, ü=ue, ß=sz.
"(Technobabble)" (Jetrel) - "Do we really have to listen to this nonsense?" (Neelix)
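Added example, not part of the post: a small Python evaluator of the hosts.allow syntax Ripley uses, following the matching rules of hosts_access(5) and hosts_options(5) (first matching rule wins; a third field of "allow"/"deny" decides; no match falls through to hosts.deny and otherwise allows). The configuration text and the client hostnames/addresses are constructed, only the ALL, LOCAL, leading-dot, trailing-dot, net/mask and EXCEPT patterns are implemented, and running it shows two things worth knowing about this file: the final `ALL : ALL` line admits every other wrapped service from anywhere, and `LOCAL` trusts whatever reverse DNS returns (any dotless name, except "unknown").

```python
import ipaddress

# Constructed copy of the hosts.allow from the post. FreeBSD's libwrap has extended
# options (hosts_options(5)), so a third field may be "allow"/"deny"; none means allow.
HOSTS_ALLOW = """\
popper : LOCAL 10.175. : allow
popper : ALL : deny
ALL : ALL
"""

def match_token(pattern, host, addr):
    """Match one client_list token against a client (hostname, dotted IPv4 address)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":       # dotless hostname; "unknown" (no reverse DNS) never counts
        return "." not in host and host != "unknown"
    if pattern.startswith("."):  # ".example.org": hostname ends with the pattern
        return host.endswith(pattern)
    if pattern.endswith("."):    # "10.175.": address starts with the pattern
        return addr.startswith(pattern)
    if "/" in pattern:           # "net/mask" with a dotted mask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern in (host, addr)

def match_list(items, fn):
    """'a b EXCEPT c d' matches if a or b matches and neither c nor d does."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return match_list(items[:i], fn) and not match_list(items[i + 1:], fn)
    return any(fn(item) for item in items)

def hosts_access(rules, daemon, host, addr):
    """True if access is granted: the first rule whose daemon_list and client_list
    both match decides; with no match (and no hosts.deny in play) access is granted."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        option = fields[2].lower() if len(fields) > 2 else "allow"
        if match_list(daemons, lambda d: d in ("ALL", daemon)) and \
                match_list(clients, lambda c: match_token(c, host, addr)):
            return option == "allow"
    return True

if __name__ == "__main__":
    # Constructed clients: a LAN host and an outside host in the 192.0.2.0/24 documentation range.
    print(hosts_access(HOSTS_ALLOW, "popper", "ripley", "10.175.1.2"))            # True
    print(hosts_access(HOSTS_ALLOW, "popper", "host.example.org", "192.0.2.10"))  # False
    print(hosts_access(HOSTS_ALLOW, "telnetd", "host.example.org", "192.0.2.10")) # True
```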