From owner-freebsd-questions Mon Jun 26 9:20: 6 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from gilberto.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de [137.226.30.2])
	by hub.freebsd.org (Postfix) with ESMTP id 9AB4F37B8ED
	for ; Mon, 26 Jun 2000 09:19:59 -0700 (PDT)
	(envelope-from kuku@gilberto.physik.rwth-aachen.de)
Received: (from kuku@localhost)
	by gilberto.physik.rwth-aachen.de (8.9.3/8.9.3) id SAA50336
	for questions@freebsd.org; Mon, 26 Jun 2000 18:20:00 +0200 (CEST)
	(envelope-from kuku)
Date: Mon, 26 Jun 2000 18:20:00 +0200 (CEST)
From: Christoph Kukulies
Message-Id: <200006261620.SAA50336@gilberto.physik.rwth-aachen.de>
To: questions@freebsd.org
Subject: tcpd / tcp_wrappers
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm having trouble with tcpd. I wanted to establish a bit more
protection, e.g. only allow ftpd. But when I remove only the line
ALL:ALL:ALLOW, ftpd doesn't work anymore, not even for localhost.

Would I be better off with firewall - ipfw?

# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.8 2000/02/17 04:52:23 jkh Exp $
#
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
# ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Prevent those with no reverse DNS from connecting.
#ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost
ALL : localhost : allow

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
	: spawn (echo Finger. | \
	 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
	: deny

# The rest of the daemons are protected.
ALL : ALL \
	: severity auth.info \
	: twist /bin/echo "You are not welcome to use %H from %h."

---

--
Chris Christoph P. U. Kukulies kuku@gil.physik.rwth-aachen.de
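
The comments in the posted file say its rules work on a "First match wins" basis. As an added example (not part of the original message and not tcp_wrappers code), this Python sketch evaluates the posted rules that way, including the backslash continuations and the escaped `\:` in the fingerd rule. It assumes literal daemon and client names plus `ALL` only, does not model `hosts.deny`, `PARANOID` or host patterns, and counts `twist` as a denial; the client name `host.example.net` is constructed.

```python
import re

# Rules from the posted hosts.allow, comments dropped, with the leading
# "ALL : ALL : allow" line removed as the poster describes.
POSTED = r'''
ALL : localhost : allow
ftpd : localhost : allow
ftpd : ALL : allow
fingerd : ALL \
    : spawn (echo Finger. | \
      /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
    : deny
ALL : ALL \
    : severity auth.info \
    : twist /bin/echo "You are not welcome to use %H from %h."
'''

def parse(text):
    """Join backslash-continued lines, skip comments, split on unescaped ':'."""
    rules = []
    for line in re.sub(r'\\\n', ' ', text).splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = [f.strip() for f in re.split(r'(?<!\\):', line)]
        daemons = re.split(r'[\s,]+', fields[0])
        clients = re.split(r'[\s,]+', fields[1])
        rules.append((daemons, clients, fields[2:]))
    return rules

def decide(rules, daemon, client):
    """Return (verdict, index of the first matching rule)."""
    for i, (daemons, clients, options) in enumerate(rules):
        if not {'ALL', daemon} & set(daemons):
            continue
        if not {'ALL', client} & set(clients):
            continue
        # The last option decides. "twist" hands the connection to another
        # command, so the client never reaches the daemon: counted as deny.
        last = options[-1].split()[0].lower() if options else 'allow'
        return ('deny' if last in ('deny', 'twist') else 'allow'), i
    return 'allow', None  # assumption: hosts.deny is not modelled

if __name__ == '__main__':
    rules = parse(POSTED)
    for daemon in ('ftpd', 'fingerd', 'telnetd'):
        for client in ('localhost', 'host.example.net'):  # constructed names
            print(daemon, client, decide(rules, daemon, client))
```

The model only covers rule order; `tcpdchk` and `tcpdmatch` from the tcp_wrappers distribution report how the installed files are actually parsed and which rule a given daemon and client hit.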