allow and deny in fedora 7 - Security
allow and deny in fedora 7
If I write in /etc/hosts.allow:
ALL: 127.
and in /etc/hosts.deny:
ALL: ALL
then does that work in Fedora 7, where xinetd is not installed by default?
John
-
Re: allow and deny in fedora 7
On 8 Sep, 16:59, john toynbee wrote:
> If I write in /etc/hosts.allow:
>
> ALL: 127.
>
> and in /etc/hosts.deny:
>
> ALL: ALL
>
> then does that work in Fedora 7, where xinetd is not installed by default?
>
> John
And what exactly is your question? What does this work for, or not
work for?
-
Re: allow and deny in fedora 7
On Mon, 10 Sep 2007 01:55:41 -0700, Nico wrote:
> On 8 Sep, 16:59, john toynbee wrote:
>> If I write in /etc/hosts.allow:
>>
>> ALL: 127.
>>
>> and in /etc/hosts.deny:
>>
>> ALL: ALL
>>
>> then does that work in Fedora 7, where xinetd is not installed by default?
>>
>> John
>
> And what exactly is your question? What does this work for, or not work
> for?
Here:
http://tldp.org/HOWTO/Security-HOWTO...-security.html
it is written:
"For example, a normal dial-up user can prevent outsiders from connecting
to his machine, yet still have the ability to retrieve mail, and make
network connections to the Internet. To do this, you might add the
following to your /etc/hosts.allow:
ALL: 127.
And of course /etc/hosts.deny would contain:
ALL: ALL
which will prevent external connections to your machine, yet still allow
you from the inside to connect to servers on the Internet.
Keep in mind that tcp_wrappers only protects services executed from
inetd, and a select few others."
But in Fedora 7 by default there is neither inetd nor xinetd.
Then, is changing /etc/hosts.allow and /etc/hosts.deny always useful?
Moreover, in
ALL: 127.
is the full stop a misprint or not?
John
-
Re: allow and deny in fedora 7
On 10 Sep, 12:20, john toynbee wrote:
> On Mon, 10 Sep 2007 01:55:41 -0700, Nico wrote:
> > On 8 Sep, 16:59, john toynbee wrote:
> >> If I write in /etc/hosts.allow:
>
> >> ALL: 127.
>
> >> and in /etc/hosts.deny:
>
> >> ALL: ALL
>
> >> then does that work in Fedora 7, where xinetd is not installed by default?
>
> >> John
>
> > And what exactly is your question? What does this work for, or not work
> > for?
>
> Here:http://tldp.org/HOWTO/Security-HOWTO...-security.html
> it is written:
> "For example, a normal dial-up user can prevent outsiders from connecting
> to his machine, yet still have the ability to retrieve mail, and make
> network connections to the Internet. To do this, you might add the
> following to your /etc/hosts.allow:
> ALL: 127.
> And of course /etc/hosts.deny would contain:
> ALL: ALL
> which will prevent external connections to your machine, yet still allow
> you from the inside to connect to servers on the Internet.
> Keep in mind that tcp_wrappers only protects services executed from
> inetd, and a select few others."
>
> But in Fedora 7 by default there is neither inetd nor xinetd.
> Then, is changing /etc/hosts.allow and /etc/hosts.deny always useful?
> Moreover, in
>
> ALL: 127.
>
> is the full stop a misprint or not?
>
> John
OK, what that *REALLY* means is "permit all services from IP addresses
127.0.0.0/8." This means that localhost, which is typically on
127.0.0.1, will be allowed to connect to and start inetd or xinetd
services which use the relevant software.
The relevant software is called "tcp_wrappers". xinetd is what
Fedora 7 uses to start services like rsync, and it has been used for many
different services. Xinetd follows the rules in these files. Other
software may, with the right libraries and functions compiled in, but
it's very hard for the authors of tcp_wrappers to guess what may use
these libraries, so they don't try.
Does this make sense? What are you trying to run that you might need
hosts.deny or xinetd?
-
Re: allow and deny in fedora 7
On Mon, 10 Sep 2007, in the Usenet newsgroup comp.os.linux.security, in article
, john toynbee wrote:
>Nico wrote:
>> And what exactly is your question? What does this work for, or not work
>> for?
>Here:
>http://tldp.org/HOWTO/Security-HOWTO...-security.html
-rw-rw-r-- 1 gferg ldp 155096 Jan 23 2004 Security-HOWTO
>it is written:
>"For example, a normal dial-up user can prevent outsiders from connecting
>to his machine, yet still have the ability to retrieve mail, and make
>network connections to the Internet.
As I showed in response to your post in 'comp.security.firewalls' a week
ago, use '/bin/netstat -anptu' to see what is listening. FIX THAT FIRST.
>To do this, you might add the following to your /etc/hosts.allow:
> ALL: 127.
> And of course /etc/hosts.deny would contain:
> ALL: ALL
> which will prevent external connections to your machine, yet still allow
>you from the inside to connect to servers on the Internet.
> Keep in mind that tcp_wrappers only protects services executed from
>inetd, and a select few others."
So, if you are not running the server, there is nothing to protect.
>But in Fedora 7 by default there is neither inetd nor xinetd.
'inetd' was replaced in the Red Hat line in 7.0 - about seven years ago.
I don't use Fedora, so I don't know why xinetd is not included in FC7
(it is part of FC6 and earlier versions, and there is nothing in the
RELEASE-NOTES file).
>Then, is changing /etc/hosts.allow and /etc/hosts.deny always useful?
/bin/netstat -anptu
Is anything listening? Does what-ever application is listening know
about tcp_wrappers or libwrap?
>Moreover, in
>
>ALL: 127.
>
>is the full stop a misprint or not?
[compton ~]$ whatis hosts_access tcpd
hosts_access (3) - access control library
hosts_access (5) - format of host access control files
tcpd (8) - access control facility for internet services
[compton ~]$
man 5 hosts_access
o A string that ends with a `.' character. A host address is
matched if its first numeric fields match the given
string. For example, the pattern `131.155.' matches the
address of (almost) every host on the Eindhoven University
network (131.155.x.x).
Thus, '127.' matches 127.0.0.0 - 127.255.255.255.
Old guy
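The two points Moe Trin makes above (the allow file is consulted before the deny file, and a client pattern ending in `.` matches on leading numeric fields, so `127.` covers the whole 127.0.0.0/8 range) can be checked with a small model of the hosts_access(5) lookup. The following is an added example written for this thread, not code from tcp_wrappers or from any poster; the function names `parse_rules`, `client_pattern_matches`, `rule_matches` and `access_allowed` are this example's own, and the sample files are the two lines quoted from the Linux Security HOWTO. It models only the pattern forms discussed here (ALL, trailing-dot prefix, exact address, net/mask) and says nothing about whether a given daemon consults these files at all, which is exactly the libwrap question raised in the thread.

```python
import ipaddress

# Added example (not tcp_wrappers' own code): models the hosts.allow / hosts.deny
# lookup order and the client patterns of hosts_access(5) named in the thread.
# Whether a real daemon honours these files depends on it being linked against
# libwrap or started through tcpd; this model cannot tell you that.


def client_pattern_matches(pattern, client_ip):
    """Return True if the hosts_access(5) client pattern covers client_ip."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # hosts_access(5): a string ending in '.' matches when the leading numeric
        # fields match, so '127.' covers 127.0.0.0 - 127.255.255.255. The trailing
        # dot stays in the comparison, so '12.' does not match 127.0.0.1.
        return client_ip.startswith(pattern)
    if "/" in pattern:
        # 'net/mask' form, e.g. 192.0.2.0/255.255.255.0 (also accepts prefix length)
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == client_ip  # plain address: exact match only


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line: the real tcpd logs it and ignores it
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def rule_matches(rule, daemon, client_ip):
    """A rule matches when both its daemon list and its client list match."""
    daemons, clients = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_pattern_matches(c, client_ip) for c in clients)


def access_allowed(allow_rules, deny_rules, daemon, client_ip):
    """hosts_access(5) order: the first match in hosts.allow grants access,
    otherwise the first match in hosts.deny refuses it, otherwise access is
    granted (so two empty files deny nothing)."""
    if any(rule_matches(r, daemon, client_ip) for r in allow_rules):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in deny_rules):
        return False
    return True


# Constructed sample files reproducing the HOWTO configuration from the thread.
HOSTS_ALLOW = "ALL: 127.\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    allow = parse_rules(HOSTS_ALLOW)
    deny = parse_rules(HOSTS_DENY)
    for ip in ("127.0.0.1", "127.42.0.9", "192.0.2.10"):
        verdict = "granted" if access_allowed(allow, deny, "sshd", ip) else "refused"
        print(ip, "->", verdict)
```

Running it shows the two loopback addresses granted and the external address refused, and a pair of empty files granting everything, which is why Moe Trin's advice to check `netstat -anptu` first still stands: a rule set that nothing consults protects nothing.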
-
Re: allow and deny in fedora 7
On Mon, 10 Sep 2007 11:40:08 -0700, Nico wrote:
> Does this make sense? What are you trying to run that you might need
> hosts.deny or xinetd?
Nothing, I only want to "prevent outsiders from
connecting", as written in the "Linux Security HOWTO".
My problem is that in Fedora 7 by default tcp_wrappers is installed and
xinetd not.
I can install xinetd, of course, by Synaptic.
All that because in the "Linux Security HOWTO" it is written:
"Keep in mind that tcp_wrappers only protects services executed from
inetd, and a select few others."
John
-
Re: allow and deny in fedora 7
On Mon, 10 Sep 2007 15:04:47 -0500, Moe Trin wrote:
>
>>Then, is changing /etc/hosts.allow and /etc/hosts.deny always useful?
>
> /bin/netstat -anptu
I now use it
> Is anything listening? Does what-ever application is listening know
> about tcp_wrappers or libwrap?
>
No
>>is the full stop a misprint or not?
>
> [compton ~]$ whatis hosts_access tcpd
> hosts_access (3) - access control library
> hosts_access (5) - format of host access control files
> tcpd (8) - access control facility for internet services
> [compton ~]$
>
> man 5 hosts_access
>
> o A string that ends with a `.' character. A host address is
> matched if its first numeric fields match the given
> string. For example, the pattern `131.155.' matches the
> address of (almost) every host on the Eindhoven University
> network (131.155.x.x).
>
> Thus, '127.' matches 127.0.0.0 - 127.255.255.255.
That is very interesting, thank you, also for your sentence "Firewalls
are always software"; it completely changed my point of view about
firewalls.
-
Re: allow and deny in fedora 7
I did not understand TCP Wrappers. I read this:
http://itso.iu.edu/TCP_Wrappers
and now I understand.
Anyway, thank you.
John