Re: hosts.allow & hosts.deny


Subject: Re: hosts.allow & hosts.deny
From: Philip Good (phil@redplanetx.com)
Date: Thu Jan 18 2001 - 03:57:32 MST


Correct. Sorry for my hastiness...

Phil

> I didn't notice this earlier, but this format is exactly backward from
> what I am using on RedHat and YellowDog 1.2.1. I think the correct
> format is
>
> <service> : <ip>
>
> ...but maybe I don't know anything. :) For example, my hosts.allow looks
> like this
>
> ALL : 127.0.0.1,localhost,brinkman.student.princeton.edu
> ALL : brinkman2.student.princeton.edu
>
> and my hosts.deny is
>
> ALL : ALL
>
> I highly recommend making this work, and getting a very restrictive
> hosts.deny if you have a very predictable ip address and no firewall. My
> Linux box was hacked within two days of setup when I first got my edu
> connection.
>
> Bryn Hughes wrote:
> >
> > I set everything up like that, and ended up with NOBODY able to connect at
> > all; the server was refusing all connections.
> >
> > I also tried removing the trailing zero and just leaving the period; that
> > didn't work either.
> >
> > In the end, I just deleted my hosts.deny file, and that of course allowed
> > connections again. My messages log does show IP addresses being refused
> > that match up with the subnets in my hosts.allow file.
> >
> > My hosts.allow:
> >
> > 192.168.128.0 : ALL : ALLOW
> > 192.168.129.0 : ALL : ALLOW
> > 192.168.130.0 : ALL : ALLOW
> > 142.30.100.0 : ALL : ALLOW
> > 142.30.101.0 : ALL : ALLOW
> > 142.30.102.0 : ALL : ALLOW
> > 142.30.103.0 : ALL : ALLOW
> >
> > My hosts.deny:
> >
> > ALL:ALL:DENY
> >
> > on 1/16/01 6:29 AM, Philip Good at phil@redplanetx.com wrote:
> >
> > > in hosts.deny put
> > >
> > > ALL : ALL : DENY
> > >
> > > in hosts.allow put:
> > >
> > > aaa.aaa.aaa.aaa : ALL : ALLOW
> > > aaa.bbb.ccc.ddd : ALL : ALLOW
> > > xxx.xxx.xxx.0 : ALL : ALLOW
> > > .domain.com : ALL : ALLOW
> > >
> > > this will allow access by the first two IPs, all addresses that start with
> > > xxx.xxx.xxx and allow access from all hosts from the domain
> > > domain.com.
> > >
> > > Phil
> > >
> > >> I'm having some trouble setting up my hosts.allow and hosts.deny files. The
> > >> man entries explain everything more or less, except I don't know what the
> > >> wildcard entry is! For some reason my man pages are slightly messed up and
> > >> I get something like a control character instead of whatever the real
> > >> wildcard character is.
> > >>
> > >> What I want to do:
> > >>
> > >> DENY access to everyone, then
> > >> ALLOW access to just our internal IP addresses
> > >> ALLOW access to a few individual static addresses off site
> > >>
> > >> I don't need to do anything as far as limiting access to specific ports or
> > >> anything else exotic at this point as I'm not running mail/web/ftp services
> > >> on this machine for anyone other than the above mentioned addresses.
> > >>
> > >> I'm also hoping that ALLOW takes precedence over DENY? Some systems I've
> > >> worked with (notably Windows 2000) look at DENY and then ALLOW, which makes
> > >> it very difficult to create a "nobody EXCEPT XYZ" type of policy.
> > >>
> > >> Thanks,
> > >>
> > >> Bryn
> > >>
> > >>
>
> --
> William "Bo" Brinkman brinkman@cs.princeton.edu
> Princeton Computer Science http://www.derandomized.org/
> --
> Coffee should be black as hell, strong as death, sweet as love.
> -- Turkish Proverb
>
>

-- 
Philip Good
Red Planet Development, Red Canyon Software, Good Chi Tai Chi
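Added example (not part of the archived thread, and not libwrap itself): a small Python model of the hosts_access(5) decision order, written to show why the configurations discussed above behaved as they did. It evaluates the first matching rule in hosts.allow, then the first matching rule in hosts.deny, and grants access if neither file matches, which is the answer to the "does ALLOW take precedence over DENY?" question. The rule format is daemon_list : client_list [: option], so the lines with the address in the first field never match a daemon such as sshd, and the ALL:ALL line in hosts.deny then refuses everyone. The matcher covers ALL, EXCEPT, the leading-dot hostname suffix, the trailing-dot address prefix, exact matches and the ALLOW/DENY keywords of hosts_options(5); other patterns (LOCAL, KNOWN, PARANOID, net/mask) are left out. The daemon names, hostnames, addresses and the .domain.com placeholder in the sample runs are constructed for illustration, and the client hostname is passed in by the caller rather than resolved, so nothing touches the network.

```python
"""Simplified model of tcp_wrappers' hosts_access(5) evaluation order.

This is an illustration, not libwrap: hostname lookup is replaced by a
caller-supplied name, and only the patterns used in the thread are handled.
"""


def parse_rules(text):
    """Turn hosts.allow/hosts.deny text into (daemon_list, client_list, option).

    Fields are separated by ':'; a third field is taken as the hosts_options(5)
    keyword (ALLOW or DENY). Comments and blank lines are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule (need daemon_list : client_list): %r" % raw)
        option = fields[2].upper() if len(fields) > 2 else ""
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def match_pattern(pattern, name, address=None):
    """Match one hosts_access(5) pattern against a daemon name or a client."""
    pattern = pattern.lower()
    name = name.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):                # .domain.com: hostname suffix
        return name.endswith(pattern)
    if pattern.endswith("."):                  # 192.168.128.: address prefix
        return address is not None and address.startswith(pattern)
    return pattern == name or pattern == address   # exact host or address


def match_list(patterns, name, address=None):
    """Match a daemon or client list, honouring 'list_1 EXCEPT list_2'."""
    upper = [p.upper() for p in patterns]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return (match_list(patterns[:i], name, address)
                and not match_list(patterns[i + 1:], name, address))
    return any(match_pattern(p, name, address) for p in patterns)


def hosts_access(allow_text, deny_text, daemon, client_host, client_addr):
    """Return (granted, reason) following libwrap's order of evaluation.

    First matching rule in hosts.allow wins (grant unless it carries DENY);
    otherwise the first matching rule in hosts.deny wins (refuse unless it
    carries ALLOW); otherwise access is granted.
    """
    for daemons, clients, option in parse_rules(allow_text):
        if match_list(daemons, daemon) and match_list(clients, client_host, client_addr):
            return option != "DENY", "hosts.allow: %s : %s" % (" ".join(daemons), " ".join(clients))
    for daemons, clients, option in parse_rules(deny_text):
        if match_list(daemons, daemon) and match_list(clients, client_host, client_addr):
            return option == "ALLOW", "hosts.deny: %s : %s" % (" ".join(daemons), " ".join(clients))
    return True, "no rule matched: default is to grant"


# Configuration with the fields reversed, as posted in the thread: the address
# sits in the daemon_list position, so it never matches a daemon name.
BACKWARDS_ALLOW = "192.168.128.0 : ALL : ALLOW\n142.30.100.0 : ALL : ALLOW\n"
BACKWARDS_DENY = "ALL:ALL:DENY\n"

# Same intent in hosts_access(5) field order, with trailing-dot prefixes for the
# subnets and a leading-dot suffix for the (placeholder) domain.
CORRECTED_ALLOW = """
ALL : 192.168.128. 192.168.129. 192.168.130.
ALL : 142.30.100. 142.30.101. 142.30.102. 142.30.103.
ALL : .domain.com
"""
CORRECTED_DENY = "ALL : ALL\n"


def demo():
    """Evaluate constructed connections against both configurations."""
    cases = [("sshd", "pc5.lan", "192.168.128.5"),
             ("sshd", "www.domain.com", "203.0.113.7"),
             ("sshd", "evildomain.com", "198.51.100.9")]
    results = {}
    for cfg, allow, deny in [("backwards", BACKWARDS_ALLOW, BACKWARDS_DENY),
                             ("corrected", CORRECTED_ALLOW, CORRECTED_DENY)]:
        for daemon, host, addr in cases:
            granted, why = hosts_access(allow, deny, daemon, host, addr)
            results[(cfg, addr)] = granted
            print("%-9s %-15s %-5s (%s)" % (cfg, addr, "allow" if granted else "deny", why))
    return results


if __name__ == "__main__":
    demo()
```

Two points worth keeping in mind when writing real rules: hostname patterns such as .domain.com depend on reverse DNS for the connecting address (libwrap's PARANOID handling exists because of that), so address prefixes are the more dependable way to express "our internal networks"; and because an unmatched pair is granted by default, the ALL : ALL line in hosts.deny is what actually makes the policy "nobody except the listed hosts".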



This archive was generated by hypermail 2a24 : Thu Jan 18 2001 - 11:00:57 MST