[lug] hosts.deny syntax

D. Stimits stimits at idcomm.com
Tue Jun 19 15:51:48 MDT 2001


Chip Atkinson wrote:
> 
> If I understand what you wrote, you have to use ipchains.
> hosts.deny/allow only control what xinetd launches.  It doesn't control
> outbound traffic at all.  Some applications such as sshd look at hosts.*
> too, but again, it's only for inbound traffic.

Inbound is fine. But here is the clincher...when I send an outbound hit
to a web server out there, it requires a reply, and the inbound reply
does get in (it should not). I'm wondering if there is some way the
system is deciding that this is a reply to some outbound value and
therefore it gives it an exception and allows it in. If not, something
seems broken. Firewalling is working fine, but I don't trust it all by
itself.

D. Stimits, stimits at idcomm.com

> 
> Chip
> 
> D. Stimits wrote:
> 
> > I'm trying to clean up some /etc/hosts.deny items for a relatively new
> > RH 7.1 install. There are a few trouble domains I want completely
> > blocked (ipchains already does this, but I want xinetd to also ignore
> > them through its tcpwrappers mechanism). Basically, I want something
> > like this for a /16 domain:
> > ALL: 123.456.
> >
> > Or this for a /24:
> > ALL: 123.456.789.
> >
> > But this is not doing what I want, and for example, web browsers can
> > still get out and receive a reply from those domains. So is it mandatory
> > to add a service or daemon name as well? E.G., must I do something like:
> > in.httpd: ALL: 123.456.
> >
> > ?
> >
> > D. Stimits, stimits at idcomm.com
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
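As an added illustration that is not part of the thread, here is a small Python model of how tcpd/xinetd evaluate hosts.deny client patterns for an inbound connection attempt. The networks, hostnames and daemon names are constructed; the model covers ALL, the trailing-dot numeric prefix the thread asks about, a leading-dot domain suffix and the net/mask form, and it has no notion of outbound traffic because tcp_wrappers never sees replies to connections the host itself opened.

```python
"""Model of tcp_wrappers hosts.deny evaluation for an INBOUND connection.

Constructed example (not from the thread). Only connections that tcpd or
xinetd accepts on a service's behalf consult hosts.allow/hosts.deny; packets
belonging to a connection this host opened (e.g. a web server's reply to a
browser request) are never wrapped and must be handled by the packet filter.
"""
import ipaddress

# Constructed hosts.deny content: "ALL: 10.20." covers the whole /16,
# "ALL: 192.0.2." the /24, exactly as the trailing-dot syntax intends.
HOSTS_DENY = """
# block two troublesome networks for every wrapped service
ALL: 10.20.
ALL: 192.0.2.
# block a domain suffix and a net/mask network, but only for telnet
in.telnetd: .example.net 198.51.100.0/255.255.255.0
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) from hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split(":")                  # optional 3rd field (shell command) is ignored
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, ip, hostname=""):
    """Apply one hosts_access(5) client pattern to a connecting client."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # numeric prefix: "10.20." matches 10.20.x.x
        return ip.startswith(pattern)
    if pattern.startswith("."):                   # domain suffix: ".example.net"
        return hostname.endswith(pattern)
    if "/" in pattern:                            # net/mask, e.g. 198.51.100.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (ip, hostname)              # exact address or hostname


def inbound_denied(rules, daemon, ip, hostname=""):
    """Would tcpd/xinetd refuse this inbound connection under hosts.deny?"""
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(p, ip, hostname) for p in clients):
                return True
    return False
```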
