Please set your mail agent to wrap lines at 72 characters.

On Sat, Aug 26, 2000 at 08:47:27PM -0500, William Jensen wrote:
> So far I have the following setup:
>
> hosts.deny:
>
> ALL:ALL
>
> hosts.allow:
>
> ALL: my_work.domain
>
> My intention is to prevent everyone from the 'outside' from reaching
> my box. I do realize that anyone in my_work.domain would also be able
> to get at it.
>
> It is my understanding that this will prevent anyone not in
> my_work.domain from getting to my box with telnet, ftp, etc. Is this
> correct? Is this secure? If this is indeed correct, could someone
> tell me why I would need/want a firewall and/or what benefit it would
> provide me over what I already have set up? More specifically, how does
> a firewall differ from using the hosts.allow/hosts.deny files as I
> described above?
The /etc/hosts.(allow|deny) files control inetd, which operates on daemons
compiled with tcpwrappers support. Configuring your tcpwrappers files
properly is a necessary but not sufficient step for system security.

What inetd does is to allow or deny access, at the daemon level, to
specific protocols. Only those protocols which are controlled by (or
otherwise respect /etc/hosts.*) will be affected by these settings. What
you *don't* control is outgoing traffic, connections to uncontrolled ports
or services, or general snooping of your system.

Firewalling (port-level control at the kernel/device interface based on
local and remote addresses) provides you a much finer level of control
over what data are allowed in or out. Because the control happens at the
kernel level itself, you aren't relying on any software interpretation
(outside the kernel itself) of rulesets -- you've got a single point of
contact for setting rules. You can block ports which aren't, technically,
service ports (eg: 6000 - 6064 => X Window System), ports associated with
trojan services (eg: 31137 => Back Orifice (the default port, though this
can be easily changed)). You also control both inbound *and* outbound
traffic. You can control response to ICMP (Internet Control Messaging
Protocol) packets, allowing you to render your system non-pingable. By
introducing masquerading (aka NAT), you can provide services for many
nodes behind a single accessible internet address.

Strongly recommend Wes Sonnenreich, Tom Yates, _Building Linux and OpenBSD
Firewalls_, John Wiley & Sons, © 2000, 384 pages. ISBN: 0-47135-366-3.
US$40 ...as a reference on security issues.

--
Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Opensales, Inc.               http://www.opensales.org
  What part of "Gestalt" don't you understand?
  Debian GNU/Linux rocks!                  http://gestalt-system.sourceforge.net/
  K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
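An added example, not part of the thread: a small Python model of how libwrap evaluates hosts.allow and hosts.deny for the setup quoted above, and of why a daemon that is not linked against libwrap is untouched by those files. It assumes the leading-dot form ".my_work.domain" from hosts_access(5) for the allow entry (the thread shows it without the dot), and the host and daemon names are constructed.

```python
from typing import List, Tuple

# Constructed sample files mirroring the poster's setup.  The leading dot is
# an assumption: per hosts_access(5) ".my_work.domain" matches every host
# under that domain, while a bare "my_work.domain" matches only that name.
HOSTS_ALLOW = "ALL: .my_work.domain\n"
HOSTS_DENY = "ALL: ALL\n"

def _parse(text: str) -> List[Tuple[List[str], List[str]]]:
    """Return [(daemon_list, client_list)] for every 'daemons : clients' line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            daemons, clients = line.split(":", 2)[:2]
            rules.append((daemons.split(), clients.split()))
    return rules

def _token_matches(tok, name, addr):
    """Match one hosts_access(5) pattern against a client name/address."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":                 # any host name without a dot
        return "." not in name
    if tok.startswith("."):            # domain suffix, e.g. ".example.org"
        return name.endswith(tok)
    if tok.endswith("."):              # address prefix, e.g. "10.0.1."
        return addr.startswith(tok)
    return tok in (name, addr)         # exact host name or address

def _list_matches(tokens, name, addr):
    """Evaluate 'a b EXCEPT c': matched by the left list and not the right."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(tokens[:i], name, addr)
                and not _list_matches(tokens[i + 1:], name, addr))
    return any(_token_matches(t, name, addr) for t in tokens)

def hosts_access(daemon, name, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decide like libwrap: first match in hosts.allow grants, then the first
    match in hosts.deny refuses, and a client matching neither is granted."""
    for rules, verdict in ((_parse(allow), True), (_parse(deny), False)):
        for daemons, clients in rules:
            if _list_matches(daemons, daemon, daemon) and _list_matches(clients, name, addr):
                return verdict
    return True

def reachable(daemon, name, addr, uses_libwrap):
    """A daemon not linked against libwrap never consults hosts.* at all."""
    return hosts_access(daemon, name, addr) if uses_libwrap else True
```

The last function is the point of the thread: an unwrapped service accepts the connection no matter what hosts.deny says, which is the gap a packet filter closes.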