From: jekillen <jekillen@prodigy.net>
Date: Fri, 19 May 2006 20:01:23 -0700
To: freebsd-questions@freebsd.org
Subject: Re: hosts.allow and ssh problem
In-Reply-To: <7480EE06-F2A8-4B8F-9588-FCA6B35C3BA6@hiwaay.net>
References: <6b8ab79d578aec086fb10590dee29616@prodigy.net> <7480EE06-F2A8-4B8F-9588-FCA6B35C3BA6@hiwaay.net>

On May 19, 2006, at 7:33 PM, David Kelly wrote:

> On May 19, 2006, at 8:55 PM, jekillen wrote:
>
>> I am trying to deny ftp access to my web site from outside. I have
>> two NICs on the server and access it from the inside network via one
>> and serve to the public on the other.
>> I tried to write a rule in hosts.allow to deny ftp connections to the
>> public IP address, which has worked. But a side effect is that I can
>> now not connect from local machines via ssh.
>
> Your machine is connected to the outside world and you are not running
> a firewall?
>
> If I understand correctly, hosts.allow (and the hosts_access library
> routines) operate in the applications themselves. The only reason you
> wish to keep the outside world from reaching your ftpd is out of fear
> that it's somehow vulnerable and/or someone will come across your
> username/password combination. So, nip it in the bud with a firewall
> rule and never let them get that close. Simply deny port 21 incoming
> on your external interface. Everything should work as always on your
> internal interface.
>
> In ipfw, where $nic_ext is fxp0 or whatever your external NIC is named:
>
> ipfw add deny ip from any to any ftp in via $nic_ext

Yes, thank you, I do need to set up the firewall, but I needed a quicker fix for the moment. Posting to this list helped me unblock my brain; maybe we have biochemical firewalls built in that are programmed by morons. But I got a working set of rules for hosts.allow. Now I will proceed with the firewall set up. Thanks again.

JK

> --
> David Kelly N4HHE, dkelly@HiWAAY.net
> =======================================================================
> Whom computers would destroy, they must first drive mad.
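JK never posts the rules he ended up with, so the following /etc/hosts.allow is an added example, not his ruleset and not David Kelly's. It shows the two hosts_access(5) details that decide whether sshd gets caught by an ftpd restriction: rules are evaluated top to bottom and the first match wins, and a daemon field written as `daemon@address` matches the local address the client connected to (the server endpoint), not the client. The addresses are placeholders: 203.0.113.10 stands for the public NIC, 192.168.1.0/24 for the internal LAN.

```conf
# /etc/hosts.allow (added example; addresses are placeholders)
#
# hosts_access(5) reads this file top to bottom and stops at the
# first matching rule, so the sshd allows are listed before any
# deny so that nothing later can shadow them.

# 1. ssh from the internal LAN is permitted whichever local address
#    it arrives on (internal NIC or the public one).
sshd : 192.168.1.0/255.255.255.0 : allow
sshd : 127.0.0.1 : allow

# 2. ftp connections that arrived on the PUBLIC address are refused.
#    "ftpd@203.0.113.10" is a server-endpoint pattern: it matches
#    connections made TO 203.0.113.10, no matter who the client is.
ftpd@203.0.113.10 : ALL : deny

# 3. ftp from the internal LAN (it will have arrived on the internal
#    NIC, because rule 2 already took the public one) is permitted.
ftpd : 192.168.1.0/255.255.255.0 : allow

# 4. Any other ftp client is refused.
ftpd : ALL : deny

# For comparison, a hypothetical rule with ALL in the daemon field,
# placed above the sshd lines, would match every wrapped service
# including sshd and produce exactly the "can no longer ssh in"
# symptom from the thread:
# ALL@203.0.113.10 : ALL : deny
```

Only daemons built against libwrap (or started through inetd with wrapping enabled) consult this file at all, which is the point David makes: hosts.allow is enforced inside each application after the connection has already been accepted, whereas an ipfw deny on the external interface drops the packet before any daemon sees it. The two are complementary rather than alternatives.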