On May 19, 2006, at 7:33 PM, David Kelly wrote:


On May 19, 2006, at 8:55 PM, jekillen wrote:

I am trying to deny ftp access to my web site from out side. I have two nics on the server and access it from the inside network via one and serve to the public on the other. I tried to write a rule in hosts.allow to deny ftp connections to the public ip address which has worked. But a side effect is that I can now not connect from local machines via
ssh.

Your machine is connected to the outside world and you are not running a firewall?

If I understand correctly hosts.allow (and the hosts_access library routines) operate in the applications themselves. The only reason you wish to keep the outside world from reaching your ftpd is out of fear that its somehow vulnerable and/or someone will come across your username/password combination. So, nip it in the bud with a firewall rule and never let them get that close. Simply deny port 21 incoming on your external interface. Everything should work as always on your internal interface.

In ipfw where $nic_ext is fxp0 or whatever your extenal NIC is named:

ipfw add deny ip from any to any ftp in via $nic_ext

Yes, thank you, I do need to set up the fire wall, but I needed a quicker fix for the moment. posting to this list helped me unblock my brain, maybe we have biochemical firewalls built in that are
programmed by morons.
but I got a working set of rules for hosts.allow. Now I will proceed with the firewall set up.
Thanks again.
JK


--
David Kelly N4HHE, [EMAIL PROTECTED]
======================================================================= =
Whom computers would destroy, they must first drive mad.



_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to