On Tue, 2003-06-17 at 16:43, Mark London wrote:
> Hi - A couple of weeks ago people suggested that I could use TCP Wrapper to
> restrict access to the IMAP port. I'm confused, because I'm running xinetd,
> which normally does not use libwrap, and instructions on using the TCP Wrapper
> all talk about using inetd. I see mention that xinetd can be compiled with
> libwrap support, but I want to avoid doing that if I can. And I assume I need
> to either configure xinetd or inetd to get TCP Wrapper to work, or am I wrong?
> I.e. I just can't compile cyrus with libwrap (which I've done) and set up
> entries in hosts.allow and hosts.deny, right?

If you are using cyrus with xinetd, you can, in /etc/xinetd.d/cyrus-imapd
(or the equivalent file), use the 'only_from' directive. Check man xinetd.conf
for details on how to use it.

> Some people suggested I use iptables to restrict access to the IMAP port.
> While this might be the "simpler" approach, the documentation on iptables all
> seems to include examples on how to set up a firewall. I can't find an
> example of just what I want to do, and since it looks like it would take days
> to read the documentation on iptables, the TCP Wrapper option seems simpler.

To use the iptables approach, you would need the following rules (and possibly
put them in /etc/sysconfig/iptables, depending on the distribution). This would
give you a fairly secure server, but a lot more could be done.

    # allow connections via loopback
    iptables -A INPUT -i lo -j ACCEPT

    # Allow already established connections to talk back
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Allow icmp packets (you can block certain types of icmp if you want)
    iptables -A INPUT -p icmp -j ACCEPT

    # Allow connections to allowed tcp ports
    iptables -A INPUT -p tcp -m multiport --dports 143,110,80 -j ACCEPT

    # Allow ssh from secure IP
    iptables -A INPUT -p tcp -m tcp --dport 22 -s 99.99.99.99 -j ACCEPT

    # Log failed connection attempts
    iptables -A INPUT -j LOG --log-prefix "Denied INPUT: "

    # Drop all other connections
    iptables -A INPUT -j DROP   # or REJECT

Chris

--
---------------------+--------------------------------------------------
Chris Picton         | PGP Key ID: 9D28A988 (wwwkeys.pgp.net)
Solutions Developer  | PGP Key Fingerprint:
Tangent Systems      | 2B46 29EA D530 79EC D9EA 3ED0 229D 6DD6 9D28 A988
[EMAIL PROTECTED]    | http://www.tangent.co.za/keys/chrisp.asc
---------------------+--------------------------------------------------
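The reply above points at the 'only_from' directive but does not show how xinetd interprets the address forms it accepts. The following is an added example, not part of the thread and not xinetd's own code: it parses the numeric forms xinetd.conf(5) documents for only_from / no_access (plain a.b.c.d with trailing-zero wildcards, factorized a.b.c.{d,e}, and a.b.c.d/nn or a.b.c.d/m.m.m.m) and decides whether a client address would be admitted, using a constructed /etc/xinetd.d/cyrus-imapd block as input. Host names, /etc/networks names and IPv6 are left out, and two details are my own assumptions rather than documented behaviour: specs with fewer than four components are padded with wildcard zeros, and an equally specific match in both lists is treated as a deny. Note also that the iptables rules quoted above accept port 143 from any source; limiting IMAP to particular hosts with iptables takes the same `-s` qualifier the ssh rule uses.

```python
"""only_from / no_access matcher in the style of xinetd.conf(5).

Added example for this thread; not xinetd's code and it reads nothing from
/etc/xinetd.d. Supported address forms (letters follow the man page):
  a) a.b.c.d where trailing zero components are wildcards
     (192.168.1.0 covers 192.168.1.0/24; 0.0.0.0 matches everything)
  b) factorized a.b.c.{d,e}, braces only in the last position
  e) a.b.c.d/nn or a.b.c.d/m.m.m.m
Assumptions of this example: short specs are padded with wildcard zeros,
and a tie between only_from and no_access is a deny.
"""
import ipaddress
import re

# Constructed /etc/xinetd.d/cyrus-imapd; not copied from any real system.
CYRUS_IMAPD_CONF = """\
service imap
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = cyrus
    server      = /usr/cyrus/bin/imapd
    only_from   = 127.0.0.1 192.168.1.0 10.0.0.0/8 198.51.100.{10,11}
    no_access   = 10.99.0.0/16
}
"""


def expand_factorized(spec):
    """'198.51.100.{10,11}' -> ['198.51.100.10', '198.51.100.11'] (form b)."""
    m = re.fullmatch(r"([\d.]*)\{([\d,]+)\}", spec)
    if not m:
        return [spec]
    prefix, alternatives = m.group(1), m.group(2).split(",")
    return [prefix + a for a in alternatives]


def to_network(spec):
    """Turn one address spec (form a or e) into an IPv4Network."""
    if "/" in spec:                        # form e: CIDR prefix or dotted mask
        addr, mask = spec.split("/", 1)
        mask = mask if "." in mask else int(mask)
        return ipaddress.IPv4Network((addr, mask), strict=False)
    parts = spec.split(".")
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unsupported address spec: %r" % spec)
    parts += ["0"] * (4 - len(parts))      # assumption: pad short specs
    significant = 4
    while significant and parts[significant - 1] == "0":
        significant -= 1                   # form a: trailing zeros are wildcards
    return ipaddress.IPv4Network((".".join(parts), significant * 8), strict=False)


def parse_address_list(value):
    """Parse the right-hand side of an 'only_from =' or 'no_access =' line."""
    return [to_network(s) for tok in value.split() for s in expand_factorized(tok)]


def load_access_lists(conf_text):
    """Pull only_from / no_access out of a service block. Only plain '=' is
    handled; the '+=' and '-=' operators xinetd also accepts are not."""
    lists = {"only_from": None, "no_access": []}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(only_from|no_access)\s*=\s*(.*?)\s*$", line)
        if m:
            lists[m.group(1)] = parse_address_list(m.group(2))
    return lists


def is_allowed(client_ip, only_from, no_access=()):
    """An absent only_from restricts nothing, an empty one denies everyone;
    when both lists match, the longer prefix wins (ties deny, by assumption)."""
    ip = ipaddress.IPv4Address(client_ip)
    if only_from is None:
        best_allow = 0
    else:
        best_allow = max((n.prefixlen for n in only_from if ip in n), default=None)
    best_deny = max((n.prefixlen for n in no_access if ip in n), default=None)
    if best_allow is None:
        return False
    if best_deny is None:
        return True
    return best_allow > best_deny


def check(client_ip, conf_text=CYRUS_IMAPD_CONF):
    """Would xinetd admit client_ip to the service configured in conf_text?"""
    lists = load_access_lists(conf_text)
    return is_allowed(client_ip, lists["only_from"], lists["no_access"])


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.77", "192.168.2.1", "10.5.5.5",
               "10.99.1.1", "198.51.100.10", "198.51.100.12"):
        print(ip, "allowed" if check(ip) else "denied")
```

Run it against your own service file to see which clients a given only_from line admits before reloading xinetd; the 10.99.1.1 case shows the longest-prefix rule, where the /16 in no_access overrides the /8 in only_from.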