From owner-freebsd-questions Mon Oct 16 1:52:16 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-27-149-77.mmcable.com [24.27.149.77]) by hub.freebsd.org (Postfix) with SMTP id 1966C37B66C for ; Mon, 16 Oct 2000 01:52:13 -0700 (PDT)
Received: (qmail 34809 invoked by uid 100); 16 Oct 2000 08:52:12 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14826.49596.116944.205148@guru.mired.org>
Date: Mon, 16 Oct 2000 03:52:12 -0500 (CDT)
To: "Richard Shea"
Cc: questions@freebsd.org
Subject: Re: rc.firewall vs hosts.allow ?
In-Reply-To: <11203552@toto.iv>
X-Mailer: VM 6.75 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG% *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Richard Shea writes:
> Hi - I have a FreeBSD machine which acts as a firewall and to which I now want to allow a limited amount of ftp access. The firewall rules at the moment stop any incoming FTP. In the future I want users from a small set of known domains to be able to get on and leave files. BTW FWIW this would not be anonymous ftp.
>
> I thought about adding rules to rc.firewall to specifically allow incoming ftp from those domains but then I thought about letting through all incoming ftp and using hosts.allow to deny access to all but the 'good' domains.
>
> Is this just a question of taste or are there some issues here I haven't noticed ? Is there a 'right' way - maybe totally different from those I've mentioned.

hosts.allow is the config file for the tcp wrappers package; rc.firewall is a config script for the kernel ip filtering facility. Both are tools one can use to build a firewall. ipfw seems to be the preferred method to use these days, but don't quote me. I'd say not to use both, but choose one or the other.

That's because having all the security information in one place makes it that much less likely that you'll make a mistake because you don't have the information in the other place.
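For readers wondering what the hosts.allow variant of the question looks like in practice, here is an added example of an /etc/hosts.allow fragment that admits ftpd connections only from a few known domains and denies everyone else. It is not from the message above or from the FreeBSD project; the domain names and address range are placeholders, and it assumes ftpd is started by inetd with tcp wrappers enabled (see the -w option in inetd(8)). The syntax is the extended hosts_access(5) form FreeBSD uses, in which a single file holds both allow and deny lines and the first matching line wins.

```conf
# /etc/hosts.allow fragment (added example; names and addresses are placeholders).
# tcp wrappers scans this file top to bottom and the FIRST matching line
# decides, so the allow lines for the known clients must come before the
# catch-all deny at the end.

# Known domains, matched by the client's reverse-DNS name. A leading dot
# matches any host whose name ends in that domain.
ftpd : .example.com .example.net : allow

# The same idea by address range (address/netmask form). This does not
# depend on DNS, so it is the more robust way to express a trusted site.
ftpd : 192.0.2.0/255.255.255.0 : allow

# Everyone else is refused at connect time, before any login prompt.
ftpd : ALL : deny
```

Two caveats a practitioner would want. First, name-based lines are only as trustworthy as reverse DNS; a client whose PTR record does not resolve to a name under those domains will not match the allow line and falls through to the deny, while an attacker who controls the reverse zone for their address range can claim any name, so address-based lines are safer where the set of sites is known. Second, the check can be exercised without touching the network: `tcpdchk` reports syntax problems in the file, and `tcpdmatch ftpd host.example.com` shows which line a connection from a given host would hit. The ipfw equivalent of the allow lines is a rule such as `ipfw add allow tcp from 192.0.2.0/24 to any 21 setup` placed ahead of whatever rule in rc.firewall currently blocks incoming FTP; ipfw matches on addresses only, so a domain-based policy has to be turned into address ranges first, and the FTP data connections still need their own rules.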