[lug] hosts.deny syntax
Chip Atkinson
catkinson at circadence.com
Tue Jun 19 16:01:42 MDT 2001
Exactly. Tcpwrappers are used by applications to determine what inbound
connections are allowed. The connection is allowed and made by the
kernel and even xinetd. xinetd checks on what is allowed using the
tcpwrappers software and drops the connection or not. An outgoing
program such as a web browser could indeed look at tcpwrappers, but I
have never heard of that being done. You'd have to modify the browser
code and then you would have to keep other browsers from being
downloaded and used.
A multi-layer redundant solution like you wish to have is a good idea
for incoming attacks.
Chip
Eric Kilfoil wrote:
> He meant that xinetd only blocks inbound session attempts, not inbound
> packets transmission. IPChains is what you need to do if you want to
> completely eliminate layer 3 traffic. TCPD (hosts.deny) tcpwrappers work
> on layer 7. What you're looking for is a layer 3 solution.
>
> eric
>
> On Tue, 19 Jun 2001, D. Stimits wrote:
>
>
>> Chip Atkinson wrote:
>>
>>> If I understand what you wrote, you have to use ipchains.
>>> hosts.deny/allow only control what xinetd launches. It doesn't control
>>> outbound traffic at all. Some applications such as sshd look at hosts.*
>>> too, but again, it's only for inbound traffic.
>>
>> Inbound is fine. But here is the clincher...when I send an outbound hit
>> to a web server out there, it requires a reply, and the inbound reply
>> does get in (it should not). I'm wondering if there is some way the
>> system is deciding that this is a reply to some outbound value and
>> therefore it gives it an exception and allows it in. If not, something
>> seems broken. Firewalling is working fine, but I don't trust it all by
>> itself.
>>
>> D. Stimits, stimits at idcomm.com
>>
>>
>>> Chip
>>>
>>> D. Stimits wrote:
>>>
>>>
>>>> I'm trying to clean up some /etc/hosts.deny items for a relatively new
>>>> RH 7.1 install. There are a few trouble domains I want completely
>>>> blocked (ipchains already does this, but I want xinetd to also ignore
>>>> them through its tcpwrappers mechanism). Basically, I want something
>>>> like this for a /16 domain:
>>>> ALL: 123.456.
>>>>
>>>> Or this for a /24:
>>>> ALL: 123.456.789.
>>>>
>>>> But this is not doing what I want, and for example, web browsers can
>>>> still get out and receive a reply from those domains. So is it mandatory
>>>> to add a service or daemon name as well? E.G., must I do something like:
>>>> in.httpd: ALL: 123.456.
>>>>
>>>> ?
>>>>
>>>> D. Stimits, stimits at idcomm.com
>>>> _______________________________________________
>>>> Web Page: http://lug.boulder.co.us
>>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>
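Added example, not code from the thread or from the tcp_wrappers package: a small Python model of how tcpd/libwrap evaluates /etc/hosts.allow and /etc/hosts.deny for an inbound connection, so the patterns discussed above can be tried without a live daemon. It implements the hosts_access(5) subset the thread touches: `ALL`, a trailing-dot address prefix (`198.51.` covers 198.51.0.0/16, the /16 form asked about), a `net/mask` pattern for a /24, a leading-dot domain suffix, comma/space separated lists, and `EXCEPT`. It does not model `KNOWN`/`UNKNOWN`/`PARANOID`, netgroups, `/file` includes, `user@` or `daemon@host` forms, the third shell-command field, or DNS. The sample files are constructed here and use RFC 5737 / RFC 1918 addresses in place of the placeholder `123.456.` (456 is not a valid octet, so that string is a placeholder rather than an address).

```python
# Added example: tcp_wrappers-style hosts.allow / hosts.deny matcher.
# Illustrative code written for this page, not tcpd's or libwrap's source.
import ipaddress


def parse_hosts_file(text):
    """Return [(daemon_list, client_list), ...] from hosts.allow/deny text.

    Blank lines and lines starting with '#' are ignored, a trailing backslash
    continues the rule on the next line, and any third ':' field (shell
    command / options) is dropped because only the allow/deny decision is
    modelled here.
    """
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed rule: real tcpd logs it and it matches nothing
        rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def _match_client(pattern, client_ip, client_host):
    """Does one client pattern match this peer? (hosts_access(5) PATTERNS)"""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. ".badnet.example"
        return client_host.lower().endswith(pattern.lower())
    if pattern.endswith("."):              # dotted-quad prefix, e.g. "198.51."
        return client_ip.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 203.0.113.0/255.255.255.0
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip or pattern.lower() == client_host.lower()


def _match_list(items, matcher):
    """Match 'a, b EXCEPT c d' lists; EXCEPT nests to the right as in tcpd."""
    head, sep, tail = items.partition(" EXCEPT ")
    hit = any(matcher(tok) for tok in head.replace(",", " ").split())
    if sep:
        return hit and not _match_list(tail, matcher)
    return hit


def hosts_access(daemon, client_ip, allow_rules, deny_rules, client_host=""):
    """tcpd's decision order: the first hosts.allow match grants, then the
    first hosts.deny match refuses, and a peer matching neither file is ALLOWED."""
    def rule_hits(daemons, clients):
        return (_match_list(daemons, lambda d: d == "ALL" or d == daemon)
                and _match_list(clients, lambda c: _match_client(c, client_ip, client_host)))
    if any(rule_hits(d, c) for d, c in allow_rules):
        return True
    if any(rule_hits(d, c) for d, c in deny_rules):
        return False
    return True


# Constructed sample files for this example (not from the original post).
HOSTS_ALLOW = """\
sshd : 192.168.1. EXCEPT 192.168.1.99
ALL : 127.0.0.1
"""
HOSTS_DENY = """\
# a /16 as a trailing-dot prefix, a /24 as net/mask, and a domain suffix
ALL : 198.51.
ALL : 203.0.113.0/255.255.255.0 \\
      .badnet.example
in.telnetd : ALL
"""
ALLOW_RULES = parse_hosts_file(HOSTS_ALLOW)
DENY_RULES = parse_hosts_file(HOSTS_DENY)


def decide(daemon, client_ip, client_host=""):
    """Would the wrapped daemon accept an INBOUND connection from this peer?"""
    return hosts_access(daemon, client_ip, ALLOW_RULES, DENY_RULES, client_host)


if __name__ == "__main__":
    for args in [("sshd", "192.168.1.5"), ("sshd", "192.168.1.99"),
                 ("sshd", "198.51.100.7"), ("in.ftpd", "203.0.113.200"),
                 ("in.telnetd", "10.0.0.1"),
                 ("in.ftpd", "10.9.8.7", "mail.badnet.example")]:
        print(args, "->", "allow" if decide(*args) else "deny")
```

Two things the run makes visible. First, `decide("sshd", "192.168.1.99")` is allowed even though it is carved out of hosts.allow by `EXCEPT`: a peer that matches neither file is granted, so a real deny-by-default policy needs `ALL : ALL` (or `ALL : ALL EXCEPT ...`) at the end of hosts.deny. Second, nothing in this code path runs for a browser's outgoing connection or for the reply packets on it; `hosts_access()` is only called by a wrapped daemon (xinetd, sshd) when it accepts an inbound connection, which is the thread's point that a packet filter (ipchains on RH 7.1) is the only layer that sees that traffic. On a real system the shipped `tcpdmatch` and `tcpdchk` utilities from the tcp_wrappers package check the actual files rather than this model.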