On Wed, 9 Jul 2003, Coffin Michael C wrote: > Hi Mark, > > I had read the hosts_access man page but was/am still unclear. My example > of blocking 192.168. was just an example by the way (which was probably too > simple), I actually want to use CIDR addressing to block PARTS of networks, > not necessarily entire networks. > > In hosts_access it talks about using IP address/netmask pairs - but not CIDR > addressing. When I actually code a statement like: > > ALL: 209.216.0.0/18 > > In /etc/hosts.deny - nobody complains about it so I ASSUME hosts/deny > understands CIDR addressing - but A) I hate to assume anything, B) I thought > I saw something come through on a blocked address where the block was > specified using CIDR notation. > > I do appreciate all the help and advice, but does anybody know for sure > whether CIDR notation is allowed in /etc/hosts.deny?
I'm not going to answer your question either;-) Here are my files: [EMAIL PROTECTED] root]# cat /etc/hosts.deny # Created by Point Clark Networks # # You may also need to change the firewall settings in # /etc/rc.d/rc.firewall # ################################################################################ # ALL: ALL : #( /usr/bin/logger -t access REM=%A LOC=%a SERVICE=%d SERVER=%s USER=%u ) [EMAIL PROTECTED] root]# cat /etc/hosts.allow # Created by Point Clark Networks # # - SSH is allowed from anywhere. If you only require access from a # certain # IP address (or addresses), you can configure it here. # ################################################################################ # sshd: ALL telnet: ALL sendmail: ALL imapd: 203.12.166. portmap: 192.168. printer: 192.168. rsync: 192.168. ALL: 192.168. [EMAIL PROTECTED] root]# I've been using that setup for a year, and it seems to work well. I'm responding to show a working example that, I think, is less prone to accidently opening something to the ungodly than your approach: I deny everything not expressly allowed. I have a vague recollection that some twit on another system I maintained tried the CIDR format and there were no errors other than the fact it didn't work. My hosts.* files are supplemented with firewall rules that also place fairly strict limits on what can connect. As for sendmail, it and some other packages have built-in support for tcpwrappers. -- Cheers John. Join the "Linux Support by Small Businesses" list at http://mail.computerdatasafe.com.au/mailman/listinfo/lssb Copyright John Summerfield. Reproduction prohibited.
