On Wed, 9 Jul 2003, Coffin Michael C wrote:

> Hi Mark,
>
> I had read the hosts_access man page but was/am still unclear.  My example
> of blocking 192.168. was just an example by the way (which was probably too
> simple), I actually want to use CIDR addressing to block PARTS of networks,
> not necessarily entire networks.
>
> In hosts_access it talks about using IP address/netmask pairs - but not CIDR
> addressing.  When I actually code a statement like:
>
> ALL: 209.216.0.0/18
>
> In /etc/hosts.deny - nobody complains about it so I ASSUME hosts/deny
> understands CIDR addressing - but A) I hate to assume anything, B) I thought
> I saw something come through on a blocked address where the block was
> specified using CIDR notation.
>
> I do appreciate all the help and advice, but does anybody know for sure
> whether CIDR notation is allowed in /etc/hosts.deny?

I'm not going to answer your question either;-)


Here are my files:
[EMAIL PROTECTED] root]# cat /etc/hosts.deny
# Created by Point Clark Networks
#
# You may also need to change the firewall settings in
# /etc/rc.d/rc.firewall
#
################################################################################
#
ALL: ALL :
#( /usr/bin/logger -t access REM=%A LOC=%a SERVICE=%d SERVER=%s USER=%u
)
[EMAIL PROTECTED] root]# cat /etc/hosts.allow
# Created by Point Clark Networks
#
# - SSH is allowed from anywhere.  If you only require access from a
# certain
#   IP address (or addresses), you can configure it here.
#
################################################################################
#
sshd: ALL
telnet: ALL
sendmail: ALL
imapd: 203.12.166.
portmap: 192.168.
printer: 192.168.
rsync:   192.168.
ALL: 192.168.
[EMAIL PROTECTED] root]#


I've been using that setup for a year, and it seems to work well.

I'm responding to show a working example that, I think, is less prone to
accidently opening something to the ungodly than your approach: I deny
everything not expressly allowed.

I have a vague recollection that some twit on another system I
maintained tried the CIDR format and there were no errors other than
the fact it didn't work.

My hosts.* files are supplemented with firewall rules that also place
fairly strict limits on what can connect.

As for sendmail, it and some other packages have built-in support for
tcpwrappers.



--


Cheers
John.

Join the "Linux Support by Small Businesses" list at
http://mail.computerdatasafe.com.au/mailman/listinfo/lssb
Copyright John Summerfield. Reproduction prohibited.

Reply via email to