Date:      Fri, 08 Aug 2003 22:36:09 +0200
From:      Byron Schlemmer <byrons@telkomsa.net>
To:        Schalk Erasmus <schalk@home.incredible.com.na>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: FreeBSD - Secure by DEFAULT ?? [hosts.allow]
Message-ID:  <1060374968.637.16.camel@nemesis.home>
In-Reply-To: <010101c35d08$baaf5480$0265de0a@Fujitsu>
References:  <010101c35d08$baaf5480$0265de0a@Fujitsu>

On Thu, 2003-08-07 at 19:24, Schalk Erasmus wrote:
> Hi,
>
> I need to know what the implications are to make use of the hosts.allow file
> on a FreeBSD Production Server (ISP Setup)? The reason I'm asking, is that
> I've recently decommissioned a Linux SendMail Server to a FreeBSD Exim
> Server, but with no Firewall (IPTABLES) yet.
>
> Besides the fact that it only runs EXIM and Apache, is it necessary to
> Configure rc.Firewall? or can I only make use of the hosts.allow file?

Only applications that honour tcp_wrappers use hosts.allow. Therefore to
ensure that your machine is secure it would be wise to use a firewall of
some kind.

> Currently I would only like to allow SSH access from my Home Network,
> instead of allowing the WORLD.
>
> I've seen OpenBSD Servers using hosts.deny and hosts.allow files, but based
> on the new "Access Control File", it is all merged together in one file:
>
> # hosts.allow access control file for "tcp wrapped" applications.
> # $FreeBSD: src/etc/hosts.allow,v 1.8.2.7 2002/04/17 19:44:22 dougb Exp $
> #
>
> I take that I should allow the other Services, in this order:
>=20
> sshd : myhomepc : allow
> exim : ALL : allow
> httpd : ALL : allow
> ftpd : ALL : allow
> ALL : ALL : deny

That would limit ssh only from myhomepc. So that's correct.

> What kind of protection does FreeBSD need by Default? Since OpenBSD goes
> around saying: "SECURE BY DEFAULT" !?

Hmm, I don't think OpenBSD runs a firewall by default. Basically they
start you off with a very restrictive setup. FreeBSD is reasonably
secure "by default" too. But, if you plan to have this box running in an
ISP environment a firewall would be highly recommended.

--

	--byron
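
Added example, not part of the original message: a simplified Python model of how the quoted hosts.allow rules are evaluated (first matching rule wins) and why a daemon that never calls tcp_wrappers is unaffected by "ALL : ALL : deny". Only the ALL wildcard and exact host names are modelled, and "customd" is a hypothetical unwrapped service.

```python
# Constructed sample: the rule list quoted in the message above.
RULES = """\
sshd : myhomepc : allow
exim : ALL : allow
httpd : ALL : allow
ftpd : ALL : allow
ALL : ALL : deny
"""

def parse(text):
    """Parse 'daemons : clients : allow|deny' lines into tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, clients, action = (f.strip() for f in line.split(":", 2))
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split(),
                      action.lower()))
    return rules

def _matches(patterns, name):
    # Only the ALL wildcard and exact names are modelled here.
    return any(p == "ALL" or p.lower() == name.lower() for p in patterns)

def check(rules, daemon, client, wrapped=True):
    """Return 'allow', 'deny', or 'not-consulted' for one connection."""
    if not wrapped:
        # A daemon that does not call tcp_wrappers never reads the file.
        return "not-consulted"
    for daemons, clients, action in rules:
        if _matches(daemons, daemon) and _matches(clients, client):
            return action                     # first matching rule wins
    return "allow"                            # no rule matched: access granted

if __name__ == "__main__":
    rules = parse(RULES)
    for daemon, client, wrapped in [
        ("sshd", "myhomepc", True),
        ("sshd", "other.example.net", True),
        ("exim", "other.example.net", True),
        ("customd", "other.example.net", False),  # hypothetical unwrapped service
    ]:
        print(daemon, client, check(rules, daemon, client, wrapped))
```

On a live system, tcpdmatch (for example "tcpdmatch sshd myhomepc") reports how the installed rules treat a given daemon and client.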
