From owner-freebsd-questions Tue Oct 29 07:18:09 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA01768 for questions-outgoing; Tue, 29 Oct 1996 07:18:09 -0800 (PST)
Received: from battra.telebase.com (root@battra.telebase.com [192.132.57.100]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA01758 for ; Tue, 29 Oct 1996 07:18:03 -0800 (PST)
Received: from wormhole.telebase.com by battra.telebase.com id KAA12263; Tue, 29 Oct 1996 10:17:16 -0500 (EST)
Received: from odo.telebase.com (odo.telebase.com [172.16.2.217]) by wormhole.telebase.com (8.8.1/8.8.1) with ESMTP id KAA21461; Tue, 29 Oct 1996 10:17:15 -0500 (EST)
Received: (from bmc@localhost) by odo.telebase.com (8.8.1/8.8.1) id KAA08161; Tue, 29 Oct 1996 10:17:14 -0500 (EST)
Date: Tue, 29 Oct 1996 10:17:14 -0500 (EST)
Message-Id: <199610291517.KAA08161@telebase.com.>
From: Brian Clapper
To: Robert Heron
Cc: questions@freebsd.org
Subject: Re: telnetd
In-Reply-To: <57726122@toto.iv>
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>>>> "Robert" == Robert Heron writes:

Robert> Hello, I'm trying to find in man pages for telnetd an option that
Robert> will limit telnet access to selected machines only. But I found
Robert> nothing... (or missed it). Could I ask you for some suggestions for
Robert> this problem.

1. Use IP-level filtering to block incoming telnet connections except for
   those hosts you want to permit. You'll need to use the IPFW kernel
   facility, in conjunction with the ipfw(8) command, to accomplish this
   feat. See `http://www.freebsd.org/handbook/handbook67.html#75' for
   details.

2. Block incoming telnet connections via the TCP wrappers package, which
   you use in conjunction with the `inetd' daemon. You can download a TCP
   wrappers port from `http://www.freebsd.org/ports/security.html'. Be sure
   to read the docs.

3. Replace `inetd' with `xinetd', which has per-host filtering built in.
   (It more or less combines the capabilities of `inetd' with the
   capabilities of the TCP wrappers.) Again, see
   `http://www.freebsd.org/ports/security.html'.

#2 and #3 are mutually exclusive. You can use #1 in conjunction with either
#2 or #3 if you want.

Note that packet filtering is the most minimal kind of firewall (aside from
no firewall at all). Should you care to delve deeper into this stuff,
consult one or both of the following books. (Full details on each book are
available at the referenced web site.)

    Chapman, D. Brent and Elizabeth D. Zwicky. Building Internet Firewalls.
    http://www.ora.com/catalog/fire/

    Cheswick, William R. and Steven M. Bellovin. Firewalls and Internet
    Security: Repelling the Wily Hacker.
    http://www.aw.com/cp/Ches.html

----
Brian Clapper .............................................. bmc@telebase.com
http://www.netaxs.com/~bmc/ ............. PGP public key available on request

Do not underestimate the value of print statements for debugging.
Don't have aesthetic convulsions when using them, either.
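Option #2 above works because the TCP wrappers daemon consults `hosts.allow` and `hosts.deny` for every connection that `inetd` hands it, and refuses the connection before `telnetd` ever runs. The following is an added example, not code from the original post or from the TCP wrappers package: a simplified Python model of that access decision, run over constructed sample rule files. It assumes the hosts_access(5) evaluation order (first matching rule in `hosts.allow` grants, then first matching rule in `hosts.deny` refuses, otherwise access is granted) and supports only a subset of the client pattern syntax: `ALL`, an exact address or hostname, a leading-dot domain suffix, a trailing-dot address prefix, and an `address/netmask` pair.

```python
"""Simplified model of TCP wrappers host access control (hosts.allow / hosts.deny).

Added example; not code from the original post or the TCP wrappers package.
Models the hosts_access(5) decision order for a (daemon, client) pair:
  1. first matching rule in hosts.allow  -> access granted
  2. first matching rule in hosts.deny   -> access refused
  3. no match in either file             -> access granted
Only a subset of the client pattern syntax is supported (see client_matches).
"""
import ipaddress

# Constructed sample rule files (not from the original post).
HOSTS_ALLOW = """\
# daemon list : client list
telnetd : 192.168.1.0/255.255.255.0, 10.0.0.5
telnetd : .example.com
sshd    : ALL
"""

HOSTS_DENY = """\
# Default-deny everything hosts.allow did not explicitly grant.
ALL : ALL
"""


def parse_rules(text):
    """Parse 'daemons : clients' lines into (daemon_list, client_list) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed access rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip, client_host=None):
    """Match one client pattern against the connecting address / hostname."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        # ".example.com" matches any hostname ending in that suffix
        return client_host is not None and client_host.endswith(pattern)
    if "/" in pattern:
        # "net/mask" pair, e.g. 192.168.1.0/255.255.255.0; unparsable -> no match
        try:
            network = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(client_ip) in network
        except ValueError:
            return False
    if pattern.endswith("."):
        # "192.168." matches addresses beginning with those octets
        return client_ip.startswith(pattern)
    return pattern == client_ip or (client_host is not None and pattern == client_host)


def daemon_matches(pattern, daemon):
    """Daemon field: ALL or the exact daemon name."""
    return pattern == "ALL" or pattern == daemon


def rule_matches(rule, daemon, client_ip, client_host=None):
    """A rule fires when any daemon pattern and any client pattern match."""
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client_ip, client_host) for c in clients))


def access_allowed(daemon, client_ip, client_host=None,
                   allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return True if the connection is permitted under hosts_access(5) ordering."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip, client_host):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip, client_host):
            return False
    return True


if __name__ == "__main__":
    for daemon, ip, host in [("telnetd", "192.168.1.77", None),
                             ("telnetd", "10.0.0.6", None),
                             ("telnetd", "203.0.113.9", "gw.example.com"),
                             ("ftpd", "192.168.1.77", None)]:
        verdict = "allow" if access_allowed(daemon, ip, host) else "deny"
        print(f"{daemon:8} from {ip:15} ({host or '-'}): {verdict}")
```

The hostname-based patterns (`.example.com`) only mean something if the hostname is trustworthy; the real `tcpd` derives it from a reverse DNS lookup and cross-checks it against a forward lookup, whereas this model takes the name as given. Address and netmask patterns, as in the first `telnetd` rule, depend on nothing but the peer address and are the safer basis for the restriction the original question asked about.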