hosts.allow not blocking access

I followed this manual to configure TCP wrappers/hosts.allow:
http://www.freebsd.org/doc/handbook/tcpwrappers.html

inetd is running with the -Ww options.

I want to block all access from a specific IP address. The first entry in my hosts.allow is:

ALL : 192.168.1.44 : deny

I'm able to connect to the SMTP and SSH ports from 192.168.1.44 even after restarting inetd. What am I doing wrong?

Thanks! :D
 
Both services are probably not started from inetd (almost nothing whatsoever uses inetd nowadays), so tcpwrapping will not have any effect. Use one of the built-in firewalls, and leave inetd alone (i.e. off) -- it's really deprecated and it may vanish altogether (if it were up to me).

Modern net services like Sendmail, Postfix, sshd, Apache, imapd, pop3d, etc. are all started from /etc/rc.conf nowadays, and they are daemons, instead of instances being launched (and torn down) centrally by inetd.
 
Thanks guys! Is there anything wrong with using ipf instead of pf or ipfw? I already have ipf set up with sshguard on that system.
 
I think that ipf, of the three, is the least actively maintained. Then again, it's almost entirely interchangeable with pf, so you have a way out, and sshguard works with pf just as well.
 
Interesting tidbit: After reading your replies, I decided to disable hosts.allow so I stopped inetd (disabled it in rc.conf as well) and removed the changes I had made to the file - or so I thought. I forgot to uncomment the following line:

Code:
ALL : ALL : allow

...so the first actual command was:

Code:
ALL : PARANOID : RFC931 20 : deny

Then I realized that the system wouldn't let me connect via SSH anymore which means that hosts.allow actually works without inetd and it blocks SSH even if it's not defined in inetd.conf. I rebooted the machine and still couldn't connect to the SSH port. It kept giving me:

Code:
You are not welcome to use sshd from...

When I realized my mistake, I uncommented the line and everything was peachy once again. What gives?
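The behaviour in the post above (and the original question) comes down to rule order: hosts_access(5) stops at the first rule whose daemon and client fields both match, so a deny line placed after "ALL : ALL : allow" is never reached. The following Python evaluator is an added illustration, not part of the thread and not FreeBSD's libwrap; it models the first-match semantics for a hosts_options(5)-style hosts.allow on constructed rule sets and client addresses, with PARANOID simulated by a flag because no DNS lookups are performed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    daemons: str   # daemon list, e.g. "ALL" or "sshd,ftpd"
    clients: str   # client list, e.g. "ALL", "192.168.1.44", "192.168.1.0/24", "PARANOID"
    action: str    # "allow" or "deny" (the last field of a hosts_options-style line)


def parse_hosts_allow(text):
    """Parse a hosts.allow with ': allow' / ': deny' actions into ordered rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3:
            raise ValueError(f"rule needs daemons : clients : ... : action: {raw!r}")
        action = fields[-1].lower()          # options such as "RFC931 20" sit in between
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported action {action!r} in {raw!r}")
        rules.append(Rule(fields[0], fields[1], action))
    return rules


def daemon_matches(pattern, daemon):
    return any(p == "ALL" or p == daemon for p in map(str.strip, pattern.split(",")))


def client_matches(pattern, client_ip, paranoid):
    ip = ipaddress.ip_address(client_ip)
    for p in map(str.strip, pattern.split(",")):
        if p == "ALL":
            return True
        if p == "PARANOID":        # forward/reverse DNS disagree (simulated by the flag)
            if paranoid:
                return True
            continue
        if p.endswith("."):        # leading-octet prefix, e.g. "192.168.1."
            if client_ip.startswith(p):
                return True
            continue
        try:                       # literal address, prefix length or dotted netmask
            if ip in ipaddress.ip_network(p, strict=False):
                return True
        except ValueError:
            pass                   # hostname patterns are out of scope for this model
    return False


def evaluate(rules, daemon, client_ip, paranoid=False):
    """First matching rule wins; with no match at all, hosts_access grants access."""
    for rule in rules:
        if daemon_matches(rule.daemons, daemon) and client_matches(rule.clients, client_ip, paranoid):
            return rule.action
    return "allow"


# Constructed rule sets mirroring the two orderings discussed in the thread.
DENY_FIRST = """
ALL : 192.168.1.44 : deny
ALL : ALL : allow
"""

ALLOW_FIRST = """
ALL : ALL : allow
ALL : 192.168.1.44 : deny       # never reached: the line above matches everything
"""

ALLOW_COMMENTED_OUT = """
# ALL : ALL : allow
ALL : PARANOID : RFC931 20 : deny
ALL : 192.168.1.44 : deny
"""


def demo():
    results = {
        "deny_first": evaluate(parse_hosts_allow(DENY_FIRST), "sshd", "192.168.1.44"),
        "allow_first": evaluate(parse_hosts_allow(ALLOW_FIRST), "sshd", "192.168.1.44"),
        "paranoid_client": evaluate(parse_hosts_allow(ALLOW_COMMENTED_OUT), "sshd",
                                    "192.168.1.10", paranoid=True),
        "ordinary_client": evaluate(parse_hosts_allow(ALLOW_COMMENTED_OUT), "sshd",
                                    "192.168.1.10"),
    }
    for name, verdict in results.items():
        print(f"{name}: {verdict}")
    return results


if __name__ == "__main__":
    demo()
```

The "paranoid_client" case is the trap the poster hit: once the catch-all allow line is commented out, a PARANOID deny is the first rule any client is tested against, and a client whose reverse and forward DNS disagree is refused before any later rule is consulted.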
 
Some services do, some don't. It has to be specifically added to the code. But since it's a bit of a relic most newer services don't support it.
 
ph0enix said:
I followed this manual to configure TCP wrappers/hosts.allow:
http://www.freebsd.org/doc/handbook/tcpwrappers.html

Code:
ALL : 192.168.1.44 : deny

I'm able to connect to the SMTP and SSH ports from 192.168.1.44 even after restarting inetd. What am I doing wrong?

TCP wrappers will provide access control for any daemon that has support compiled in.

Code:
%ldd /usr/sbin/sshd | grep libwrap
	libwrap.so.6 => /usr/lib/libwrap.so.6 (0x2812a000)

%ldd /usr/sbin/sendmail | grep libwrap

As you noted later in the thread, you have some rule problems if it isn't working for sshd(8). But it's never going to work for sendmail(8), because it's not supported.

NB: TCP wrappers behave differently than e.g. packet filtering would. A TCP handshake is completed before the session is rejected.
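The ldd check above is the quickest way to find out which daemons can honour hosts.allow at all. As an added example (not from the thread or from FreeBSD), this Python script automates that check over a list of binaries: it parses ldd output for a libwrap entry and reports "wrapped", "not wrapped" or "unknown" (binary missing or ldd unavailable). The daemon paths and the sample ldd output in the demo are constructed; the parser only relies on the "name => path (address)" line format that ldd prints on both FreeBSD and Linux.

```python
import os
import shutil
import subprocess


def parse_ldd(output):
    """Map shared-object names to resolved paths from ldd output.

    The FreeBSD-style "/usr/sbin/sshd:" header line carries no "=>" and is skipped.
    """
    libs = {}
    for line in output.splitlines():
        if "=>" not in line:
            continue
        name, _, rest = line.partition("=>")
        libs[name.strip()] = rest.strip().split(" ")[0]   # drop the "(0x...)" load address
    return libs


def uses_libwrap(output):
    """True if any linked library is libwrap (libwrap.so.6, libwrap.so.0, ...)."""
    return any(name.startswith("libwrap.so") for name in parse_ldd(output))


def run_ldd(path):
    """Run ldd on a binary; None when the binary or ldd itself is not available."""
    if not os.path.isfile(path) or shutil.which("ldd") is None:
        return None
    proc = subprocess.run(["ldd", path], capture_output=True, text=True)
    return proc.stdout + proc.stderr   # "not a dynamic executable" lands on either stream


def audit(paths, runner=run_ldd):
    """Return {path: "wrapped" | "not wrapped" | "unknown"} for each daemon binary."""
    report = {}
    for path in paths:
        output = runner(path)
        if output is None:
            report[path] = "unknown"
        else:
            report[path] = "wrapped" if uses_libwrap(output) else "not wrapped"
    return report


# Constructed ldd output standing in for real daemons; addresses are made up.
SAMPLE_LDD = {
    "/usr/sbin/sshd": (
        "/usr/sbin/sshd:\n"
        "\tlibwrap.so.6 => /usr/lib/libwrap.so.6 (0x2812a000)\n"
        "\tlibc.so.7 => /lib/libc.so.7 (0x28200000)\n"
    ),
    "/usr/sbin/sendmail": (
        "/usr/sbin/sendmail:\n"
        "\tlibc.so.7 => /lib/libc.so.7 (0x28200000)\n"
    ),
}


def demo():
    # Hypothetical runner that replays the constructed output instead of executing ldd.
    replay = lambda path: SAMPLE_LDD.get(path)
    report = audit(["/usr/sbin/sshd", "/usr/sbin/sendmail", "/usr/local/sbin/hypothetical"], replay)
    for path, status in report.items():
        print(f"{path}: {status}")
    return report


if __name__ == "__main__":
    demo()
```

Run it with `audit(["/usr/sbin/sshd", ...])` (the default runner) to test real binaries; a daemon reported as "not wrapped" must be protected by the packet filter instead, since no hosts.allow rule will ever be consulted for it.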
 