[lug] hosts.deny syntax

Eric Kilfoil ekilfoil at viawest.net
Tue Jun 19 15:55:37 MDT 2001


He meant that xinetd only blocks inbound session attempts, not inbound
packet transmission.  IPChains is what you need if you want to
completely eliminate layer 3 traffic.  TCPD (hosts.deny) tcpwrappers work
on layer 7.  What you're looking for is a layer 3 solution.

eric

On Tue, 19 Jun 2001, D. Stimits wrote:

> Chip Atkinson wrote:
> >
> > If I understand what you wrote, you have to use ipchains.
> > hosts.deny/allow only control what xinetd launches.  It doesn't control
> > outbound traffic at all.  Some applications such as sshd look at hosts.*
> > too, but again, it's only for inbound traffic.
>
> Inbound is fine. But here is the clincher...when I send an outbound hit
> to a web server out there, it requires a reply, and the inbound reply
> does get in (it should not). I'm wondering if there is some way the
> system is deciding that this is a reply to some outbound value and
> therefore it gives it an exception and allows it in. If not, something
> seems broken. Firewalling is working fine, but I don't trust it all by
> itself.
>
> D. Stimits, stimits at idcomm.com
>
> >
> > Chip
> >
> > D. Stimits wrote:
> >
> > > I'm trying to clean up some /etc/hosts.deny items for a relatively new
> > > RH 7.1 install. There are a few trouble domains I want completely
> > > blocked (ipchains already does this, but I want xinetd to also ignore
> > > them through its tcpwrappers mechanism). Basically, I want something
> > > like this for a /16 domain:
> > > ALL: 123.456.
> > >
> > > Or this for a /24:
> > > ALL: 123.456.789.
> > >
> > > But this is not doing what I want, and for example, web browsers can
> > > still get out and receive a reply from those domains. So is it mandatory
> > > to add a service or daemon name as well? E.G., must I do something like:
> > > in.httpd: ALL: 123.456.
> > >
> > > ?
> > >
> > > D. Stimits, stimits at idcomm.com
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >

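Eric's point above, as an added example that is not code from this thread or from the tcp_wrappers package: a small Python model of the hosts_access(5) rule matching that tcpd/libwrap apply to an inbound connection. It reproduces the documented order (hosts.allow first, then hosts.deny, accept if neither matches), the trailing-dot address-prefix form the original question uses (`ALL: 203.0.` covers a /16, `ALL: 198.51.100.` a /24), the net/mask form, and the EXCEPT operator. Nothing the machine initiates outbound is ever evaluated by it, which is the layer 7 versus layer 3 distinction in the reply. The two rule files and the addresses (RFC 5737 documentation ranges) are constructed for the example; the daemon name is whatever the wrapper hands libwrap (the server's basename under tcpd).

```python
"""
Toy model of hosts_access(5) matching, the mechanism behind /etc/hosts.allow
and /etc/hosts.deny.  Added example, not code from the thread or from the
tcp_wrappers package.  It reproduces the documented evaluation order for one
*inbound* connection to a wrapped daemon: hosts.allow is searched first, then
hosts.deny, and a connection matching neither file is accepted.  Outbound
connections the machine initiates (and the replies they solicit) never pass
through this check, which is why a browser can still reach a range listed in
hosts.deny.  Line continuations, KNOWN/UNKNOWN/PARANOID and shell commands
are left out; addresses are IPv4 only (fields are split on ':').
"""
import ipaddress


def _split_list(field):
    """Pattern lists are separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from hosts.allow/deny text.

    Each line is 'daemon_list : client_list [: shell_command]'; comments start
    with '#' and blank lines are skipped.  The optional shell_command is ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed access rule: %r" % raw)
        rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def _match_list(items, matches):
    """Evaluate 'list_1 EXCEPT list_2' (EXCEPT nests to the right)."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return _match_list(items[:i], matches) and not _match_list(items[i + 1:], matches)
    return any(matches(p) for p in items)


def _client_matches(pattern, addr, host):
    """One client pattern against a connection's address and (optional) name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # any host name without a dot
        return host is not None and "." not in host
    if pattern.startswith("."):                 # '.example.com': name suffix
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):                   # '203.0.': address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                          # 'net/mask', dotted or CIDR
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr or pattern == host   # literal address or name


def hosts_access(daemon, addr, allow_text, deny_text, host=None):
    """Decide one inbound connection: returns ('allow'|'deny', matched rule)."""
    def daemon_matches(p):
        return p == "ALL" or p == daemon

    def client_matches(p):
        return _client_matches(p, addr, host)

    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if _match_list(daemons, daemon_matches) and _match_list(clients, client_matches):
                return verdict, "%s: %s" % (" ".join(daemons), " ".join(clients))
    return "allow", "no matching rule"


# Constructed sample files using RFC 5737 documentation ranges.
HOSTS_ALLOW = """
# LAN and loopback may use every wrapped service
ALL: 127.0.0.1, 10.0.0.0/255.255.0.0
"""

HOSTS_DENY = """
# trailing dot = address prefix: a /24 ...
ALL: 198.51.100.
# ... and a /16 written the same way
ALL: 203.0.
# sshd links libwrap, so it honours this too
sshd: ALL EXCEPT 192.0.2.10
"""


if __name__ == "__main__":
    for daemon, addr in [("in.telnetd", "198.51.100.7"), ("in.telnetd", "203.0.113.5"),
                         ("in.telnetd", "10.0.5.5"), ("sshd", "192.0.2.10"),
                         ("sshd", "192.0.2.11"), ("in.ftpd", "192.0.2.11")]:
        verdict, rule = hosts_access(daemon, addr, HOSTS_ALLOW, HOSTS_DENY)
        print("%-10s from %-15s -> %-5s (%s)" % (daemon, addr, verdict, rule))
```

Run it and the two denied ranges show up as "deny" only for connections *arriving* at a wrapped daemon; there is no code path here for a connection the box opens to a web server in 203.0.0.0/16, and there is none in tcpd either. To check real files the same way, tcp_wrappers ships tcpdmatch(8), e.g. `tcpdmatch in.telnetd 198.51.100.7`. Note in passing that a three-field line such as `in.httpd: ALL: 123.456.` is parsed as daemon list, client list and a shell command, so that form does not narrow the client match.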