From: "Chris Odell"
Organization: Red Star Networks, INC
Date: Thu, 7 Aug 2003 11:05:49 -0700
Subject: RE: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

May I recommend IPF, FreeBSD's firewall daemon? Having this in place - and yes on localhost, will be more of what you want to accomplish. You will also be able to control a whole lot more as far as traffic to/from your box. It is very simple to configure, as long as you can recompile it in your kernel.

Just my 2 cents...

Chris Odell
chris@redstarnetworks.net

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Schalk Erasmus
Sent: Thursday, August 07, 2003 10:14 AM
To: freebsd-security@freebsd.org
Subject: FreeBSD - Secure by DEFAULT ?? [hosts.allow]

Hi,

I need to know what the implications are to make use of the hosts.allow file on a FreeBSD Production Server (ISP Setup)?

The reason I'm asking, is that I've recently decommissioned a Linux SendMail Server to a FreeBSD Exim Server, but with no Firewall (IPTABLES) yet. Besides the fact that it only runs EXIM and Apache, is it necessary to Configure rc.Firewall? or can I only make use of the hosts.allow file?

Currently I would only like to allow SSH access from my Home Network, instead of allowing the WORLD.

I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but based on the new "Access Control File", it is all merged together in one file:

# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
#

I take that I should allow the other Services, in this order:

sshd : myhomepc : allow
exim : ALL : allow
httpd : ALL : allow
ftpd : ALL : allow
ALL : ALL : deny

What kind of protection does FreeBSD need by Default? Since OpenBSD goes around saying: "SECURE BY DEFAULT" !?

Just asking.....

Regards
Schalk Erasmus
Incredible Networks
Windhoek, Namibia
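
The rule order proposed in the quoted message, run through a small first-match evaluator (an added example, not part of the original thread and not tcp wrappers' own code). It models only the `daemon : client : allow|deny` form with host names and IPv4 addresses, assumes each named daemon actually consults hosts.allow, and uses 192.0.2.10 / home.example.org as constructed stand-ins for "myhomepc".

```python
# Added example: first-match evaluation of hosts.allow-style rules.
# 192.0.2.10 / home.example.org are constructed stand-ins for "myhomepc".
RULES = """\
# hosts.allow access control file for "tcp wrapped" applications.
sshd  : 192.0.2.10 : allow
exim  : ALL : allow
httpd : ALL : allow
ftpd  : ALL : allow
ALL   : ALL : deny
"""

def parse_rules(text):
    """Parse 'daemons : clients : allow|deny' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2] not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {raw!r}")
        daemons, clients = (f.replace(",", " ").split() for f in fields[:2])
        rules.append((daemons, clients, fields[2]))
    return rules

def client_matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):               # domain suffix: .example.org
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                 # address prefix: 192.0.2.
        return addr.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == addr

def decide(rules, daemon, host, addr):
    """Return (action, rule_number); the first matching rule wins."""
    for number, (daemons, clients, action) in enumerate(rules, 1):
        if ("ALL" in daemons or daemon in daemons) and any(
                client_matches(p, host, addr) for p in clients):
            return action, number
    return "allow", None   # tcp wrappers grants access when nothing matches

if __name__ == "__main__":
    rules = parse_rules(RULES)
    home = ("home.example.org", "192.0.2.10")
    other = ("other.example.net", "198.51.100.7")
    print(decide(rules, "sshd", *home))             # home network reaches sshd
    print(decide(rules, "sshd", *other))            # caught by the final deny
    print(decide(rules[:-1], "sshd", *other))       # no catch-all: granted
    print(decide(rules[-1:] + rules[:-1], "sshd", *home))  # deny first: blocked
```

The last two calls show why the order and the closing `ALL : ALL : deny` both matter: without the catch-all an unlisted sshd client falls through to the default grant, and with the catch-all placed first nothing after it is ever reached.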