[974] in linux-net channel archive
Re: /etc/hosts.deny
daemon@ATHENA.MIT.EDU (Peter K)
Wed Aug 23 23:08:46 1995
Date: Wed, 23 Aug 1995 14:51:45 +0200 (GMT+0200)
From: Peter K <pko@paradigm.co.za>
To: Andrew Crawford <andrew@cludge.colloquium.co.uk>
cc: linux-net@vger.rutgers.edu
In-Reply-To: <Pine.LNX.3.91.950822211409.200A-100000@cludge>
> I'm trying to block access to all ports from a particular host. Putting
> the hostname in /etc/hosts.deny doesn't seem to have any effect - even
> after a reboot. Any idea why, or what I'm doing wrong?
Best is to have ALL: ALL in hosts.deny and specify the services in
hosts.allow that you do grant. You could then easily prevent traffic for
the peculiar protocol by using EXCEPT or something like
---- hosts.allow ----
# allow all xyz protocol for C class IP 123.456.789.xxx
in.xyz: 123.456.789.
# allow all xyz protocol for domain somewhere.else
in.xyz: .somewhere.else
# specifically prevent not-so-nice-people from nasty.somewhere.else
in.xyz: nasty.somewhere.else : twist = echo ' %a [%u@%h] - take a hike !'
# also pko@kiko.paradigm.co.za in the hope that he runs an identd ...
in.xyz: pko@kiko.paradigm.co.za : twist = echo ' Peter K ! Woo onto you ...'
# just to make sure nobody else gets past this
in.xyz: ALL: twist = echo ' %a [ %u@%h] - not cleared for xyz.'
# or just deny everyone else silently
in.xyz : ALL: deny
To use EXCEPT
# allow all xyz protocol for C class IP 123.456.789.xxx except
# nasty.somewhere.else
in.xyz: 123.456.789. EXCEPT nasty.somewhere.else
or
ALL EXCEPT in.xyz: ....
In my (short) experience with tcp wrappers this setup (blanket deny in
hosts.deny, specify services:clients with optional deny / twist =) has
appealed the most to me.
Oh, something else. You don't have to reboot when working with the
hosts.{deny, allow} files. If you mod inetd.conf, just kill -1 <inetd
pid> will do the trick.
Peter Kooiman | Fax : ++27-12-663-4191/2
Paradigm Systems Technology |
Pretoria, South Africa | UUCP : pko@silmaril.UUCP
Voice : ++27-12-663-5340 | DNS : pko@paradigm.co.za
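The following is an added example, not part of the original post or of the tcp_wrappers distribution: a small Python evaluator that applies the scheme Peter describes (blanket "ALL: ALL" in hosts.deny, explicit grants with EXCEPT, deny and twist in hosts.allow) the way hosts_access(5) does, so the effect of a rule set can be checked before it is installed. The two files, the 192.0.2. network and the host names are constructed for the example. Rules are first-match, which is why a twist for one nasty host has to precede the grant for its whole domain, and why nothing reaches hosts.deny for a service whose last hosts.allow rule is "ALL".

```python
"""Evaluate tcp_wrappers hosts.allow / hosts.deny rules for a client.

Order of evaluation follows hosts_access(5): the first matching rule in
hosts.allow decides (allow, or deny/twist if it carries that option);
otherwise the first matching rule in hosts.deny denies; otherwise access
is granted.  That last default is why a blanket "ALL: ALL" in hosts.deny
matters.  Supported client patterns: ALL, LOCAL, ".domain" suffix,
"net." prefix, exact host or address, and "user@hostpattern".
"""
import re
from dataclasses import dataclass

# Constructed sample files for the example (not the poster's configuration).
HOSTS_ALLOW = """\
# the specific bad host first: rules are first-match, so this must precede
# the domain-wide grant below
in.xyz: nasty.somewhere.else : twist = echo ' %a [%u@%h] - take a hike !'
# the rest of the domain and the local C class may use xyz
in.xyz: .somewhere.else, 192.0.2.
# one user is turned away (only works if the client runs identd)
in.xyz: pko@kiko.paradigm.co.za : twist = echo ' Peter K ! Woe unto you ...'
# everybody else gets a message instead of the service
in.xyz: ALL : twist = echo ' %a [%u@%h] - not cleared for xyz.'
# every other wrapped service: local network only
ALL EXCEPT in.xyz: 192.0.2.
"""

HOSTS_DENY = """\
ALL: ALL
"""


@dataclass
class Rule:
    daemons: str      # daemon list, may contain EXCEPT
    clients: str      # client list, may contain EXCEPT
    options: list     # e.g. ["deny"] or ["twist = echo ..."]
    text: str         # the rule as written, for reporting


def _split_list(spec):
    """'a b EXCEPT c' -> (['a', 'b'], ['c']); EXCEPT is optional."""
    parts = re.split(r"\s+EXCEPT\s+", spec.strip(), maxsplit=1)
    inc = [t for t in re.split(r"[\s,]+", parts[0].strip()) if t]
    exc = [t for t in re.split(r"[\s,]+", parts[1].strip()) if t] if len(parts) > 1 else []
    return inc, exc


def parse_rules(text):
    """Parse one access-control file; '#' starts a comment (no escaping)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        options = [o.strip() for o in fields[2].split(":") if o.strip()] if len(fields) == 3 else []
        rules.append(Rule(fields[0], fields[1], options, line))
    return rules


def _match_host(pattern, host, addr):
    key = pattern.upper()
    if key == "ALL":
        return True
    if key == "LOCAL":                       # names without a dot
        return "." not in host
    if pattern.startswith("."):              # domain suffix, e.g. .somewhere.else
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                # network prefix, e.g. 192.0.2.
        return addr.startswith(pattern)
    return host.lower() == pattern.lower() or addr == pattern


def _match_client(pattern, client):
    host, addr, user = client
    if "@" in pattern:                       # user@hostpattern needs identd data
        upat, hpat = pattern.split("@", 1)
        return (upat.upper() == "ALL" or upat == user) and _match_host(hpat, host, addr)
    return _match_host(pattern, host, addr)


def _match_list(spec, matcher):
    inc, exc = _split_list(spec)
    return any(matcher(p) for p in inc) and not any(matcher(p) for p in exc)


def _rule_matches(rule, daemon, client):
    return (_match_list(rule.daemons, lambda p: p.upper() == "ALL" or p == daemon)
            and _match_list(rule.clients, lambda p: _match_client(p, client)))


def _verdict(rule, default):
    for opt in rule.options:
        key = opt.split("=", 1)[0].strip().lower()
        if key in ("allow", "deny", "twist"):
            return key
    return default


def hosts_access(daemon, client, allow_rules, deny_rules):
    """Return (verdict, rule text); verdict is 'allow', 'deny' or 'twist'."""
    for rule in allow_rules:
        if _rule_matches(rule, daemon, client):
            return _verdict(rule, "allow"), rule.text
    for rule in deny_rules:
        if _rule_matches(rule, daemon, client):
            return _verdict(rule, "deny"), rule.text
    return "allow", "(no matching rule)"


ALLOW_RULES = parse_rules(HOSTS_ALLOW)
DENY_RULES = parse_rules(HOSTS_DENY)


def check(daemon, host, addr, user="unknown", allow=ALLOW_RULES, deny=DENY_RULES):
    """Convenience wrapper: client is (host, addr, user); user is 'unknown' without identd."""
    return hosts_access(daemon, (host, addr, user), allow, deny)


if __name__ == "__main__":
    for args in [("in.xyz", "box.somewhere.else", "198.51.100.7"),
                 ("in.xyz", "nasty.somewhere.else", "198.51.100.9"),
                 ("in.ftpd", "host.example.net", "203.0.113.5"),
                 ("in.ftpd", "pc7.lan", "192.0.2.7")]:
        print(args, "->", check(*args))
```

The evaluator is a model of the matching logic, not a replacement for testing the real files; the tcp_wrappers package ships tcpdmatch(8) for exactly that purpose. The comment handling is deliberately simple (a '#' inside a twist command would be cut off), and patterns such as net/mask are not implemented.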