On Sun, 7 Jul 2002, Jack Bowling wrote:

> ** Reply to message from Antony Stone <[EMAIL PROTECTED]> on Mon, 08 Jul 2002 00:04:34 +0100
>
>
> > On Sunday 07 July 2002 11:54 pm, Dennis Cardinale wrote:
> >
> > > When running a netfilter firewall, is there any reason to continue using
> > > the hosts.deny and hosts.allow files, or is this just superfluous?
> >
> > hosts.allow can still be useful to specify a command to run when a connection
> > comes in (eg to provide some special logging ?), but these files don't add
> > any security to a decently configured netfilter setup.
>
> Beg to differ. /etc/hosts.deny allows access tuning of services that
> are set wide open on the firewall, ssh being a prime example.

Setting up a world-allow connection to the openssh port is the problem.
It shouldn't be done at all.

One should use the iptables INPUT rules to filter ssh connections per IP,
which is equivalent to the functionality of hosts.[allow|deny]

Not only that, with iptables INPUT, the proper response will be given
(connection refused for iptables, vs. connection accepted... connection
closed for tcp_wrappers)

tcp_wrappers is old technology and should be deprecated.
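The per-source INPUT rules described above, as an added example that is not part of this thread: a small POSIX shell script that emits the iptables rules restricting sshd to a list of allowed sources and terminates with a TCP reset (the "connection refused" behaviour the post contrasts with tcp_wrappers' accept-then-close), alongside the hosts.allow/hosts.deny lines that express the same policy. The port number, the helper names and the sample addresses (RFC 5737 documentation ranges) are assumptions; nothing is applied to the running firewall unless the printed commands are piped to a root shell.

```shell
# Added example, not code from the thread. Restricts sshd to named source
# networks with iptables INPUT rules instead of hosts.allow/hosts.deny.
# Assumptions: sshd listens on TCP port SSH_PORT, iptables is on the PATH,
# and the addresses passed in are in address/netmask form, which both
# iptables -s and hosts_access(5) accept. Sample inputs are constructed.
SSH_PORT=22

# Emit the iptables commands for the given allowed sources. The rules are
# printed rather than executed so they can be reviewed first; as root,
# pipe the output to sh to apply them.
ssh_rules() {
    # Packets of existing sessions first, so a rule reload never drops them.
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    for net in "$@"; do
        # One ACCEPT per allowed source for new connections only.
        echo "iptables -A INPUT -p tcp --dport $SSH_PORT -s $net -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else gets a TCP RST: the client sees "connection refused"
    # before sshd ever accepts the connection. A plain DROP would instead
    # leave the client waiting for a timeout.
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j REJECT --reject-with tcp-reset"
}

# The tcp_wrappers form of the same policy, for comparison. It is only
# consulted after the TCP handshake has completed and sshd has accepted
# the connection, which is why the client sees accept-then-close.
wrappers_equiv() {
    printf 'hosts.allow:\n'
    for net in "$@"; do
        echo "  sshd: $net"
    done
    printf 'hosts.deny:\n  sshd: ALL\n'
}

# Demonstration with constructed sample sources: one /24 and one host.
ssh_rules 192.0.2.0/255.255.255.0 203.0.113.10
wrappers_equiv 192.0.2.0/255.255.255.0 203.0.113.10
```

Run it as-is to review the generated rules; `sh script.sh | sudo sh` would apply the iptables lines only if you first drop the `wrappers_equiv` call, since that output is not shell. The ordering matters: the ESTABLISHED rule and the per-source ACCEPTs must precede the final REJECT, because iptables evaluates INPUT top to bottom and stops at the first match.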



